From eef577f13dad167f77a9e4fbd0c4921f527896e0 Mon Sep 17 00:00:00 2001 From: Carmen Rata Date: Wed, 15 Jun 2022 12:42:01 -0400 Subject: [PATCH] Update application namespaces PSA labels This commit updates the per-mode version of Pod Security Admission labels to "latest" for application namespaces such as cert-manager. Pod Security Admission labels on namespaces are needed for pod security admission controller to know how restrictive each namespace is. Pinning to a specific Kubernetes version, for example v1.23, allows the behavior to remain consistent as policy changes happen over Kubernetes releases. Keeping the version "latest" as the default, allows more flexibility when supporting multiple kubernetes versions. This commit also updates the application namespaces label default levels to "privileged" from "baseline". This will cause no-harm if users do not wish to use "beta" PSA feature enabled by default in Kubernetes v1.23+. Test Plan: PASS: In an installed system verify that the pod security admission labels of the cert-manager namespace has been updated with the per-mode version "latest". PASS: Created namespaces where policies are applied via labels. Privileged pods fail to get created in namespaces that are not configured with privileged policy level. PASS: Privileged pods get created in namespaces with no security policy labels. Story: 2009833 Task: 45632 Signed-off-by: Carmen Rata Change-Id: I76d44873ac447bbc0e2d90643fedf38bef8ebd1a
---
 .../68-pod-security-admission-controller-labels.py | 6 ++----
 sysinv/sysinv/sysinv/sysinv/helm/common.py | 8 ++++----
 sysinv/sysinv/sysinv/sysinv/helm/lifecycle_utils.py | 4 +---
 3 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/controllerconfig/controllerconfig/upgrade-scripts/68-pod-security-admission-controller-labels.py b/controllerconfig/controllerconfig/upgrade-scripts/68-pod-security-admission-controller-labels.py
index e390057a42..41ec62aa6a 100644
--- a/controllerconfig/controllerconfig/upgrade-scripts/68-pod-security-admission-controller-labels.py
+++ b/controllerconfig/controllerconfig/upgrade-scripts/68-pod-security-admission-controller-labels.py
@@ -53,12 +53,10 @@ def add_pod_security_admission_controller_labels():
 # we add pod security admission controller labels to namespaces that
 # we create
 namespace = line.replace("namespace/", "")
- if namespace not in common.PRIVILEGED_NS \
- and namespace not in common.BASELINE_NS:
+ if namespace not in common.PRIVILEGED_NS:
 continue
- security_version = 'v1.23'
- security_level = 'baseline'
+ security_version = 'latest'
 if namespace in common.PRIVILEGED_NS:
 security_level = 'privileged'
diff --git a/sysinv/sysinv/sysinv/sysinv/helm/common.py b/sysinv/sysinv/sysinv/sysinv/helm/common.py
index 09edd640c4..dc1bf5a8a8 100644
--- a/sysinv/sysinv/sysinv/sysinv/helm/common.py
+++ b/sysinv/sysinv/sysinv/sysinv/helm/common.py
@@ -42,11 +42,11 @@ HELM_NS_DEPLOYMENT = 'deployment'
 HELM_NS_ARMADA = 'armada'
 # namespace groups for pod security admission controller
-PRIVILEGED_NS = [HELM_NS_KUBE_SYSTEM, HELM_NS_NOTIFICATION]
-BASELINE_NS = [HELM_NS_CEPH, HELM_NS_NFS, HELM_NS_OPENSTACK, HELM_NS_HELM_TOOLKIT,
+PRIVILEGED_NS = [HELM_NS_CEPH, HELM_NS_NFS, HELM_NS_OPENSTACK, HELM_NS_HELM_TOOLKIT,
 HELM_NS_MONITOR, HELM_NS_RBD_PROVISIONER, HELM_NS_STORAGE_PROVISIONER,
- HELM_NS_CERT_MANAGER, HELM_NS_VAULT, HELM_NS_DEPLOYMENT, HELM_NS_ARMADA]
-POD_SECURITY_VERSION = 'v1.23'
+ HELM_NS_CERT_MANAGER, HELM_NS_VAULT, HELM_NS_DEPLOYMENT, HELM_NS_ARMADA,
+ HELM_NS_KUBE_SYSTEM, HELM_NS_NOTIFICATION]
+POD_SECURITY_VERSION = 'latest'
 # Services
 # Matches configassistant.py value => Should change to STARLINGX
diff --git a/sysinv/sysinv/sysinv/sysinv/helm/lifecycle_utils.py b/sysinv/sysinv/sysinv/sysinv/helm/lifecycle_utils.py
index fb3133b533..1905cca03c 100644
--- a/sysinv/sysinv/sysinv/sysinv/helm/lifecycle_utils.py
+++ b/sysinv/sysinv/sysinv/sysinv/helm/lifecycle_utils.py
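Review bot: `security_version = 'latest'` hard-codes the value that this same commit defines as `common.POD_SECURITY_VERSION` in helm/common.py, so the upgrade script and the runtime labeller can silently diverge the next time one of them is bumped; prefer `security_version = common.POD_SECURITY_VERSION`, which the script can already reach since it references `common.PRIVILEGED_NS` two lines earlier. With the `and namespace not in common.BASELINE_NS` clause removed, the remaining `if namespace in common.PRIVILEGED_NS:` test on the last two hunk lines is always true once the `continue` has been passed, so `security_level = 'privileged'` can be assigned unconditionally, matching what lifecycle_utils.py now does. add_pod_security_admission_controller_labels continues on both sides of this hunk.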
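Review bot: Folding BASELINE_NS into PRIVILEGED_NS makes the level derived from this list `privileged` for every managed namespace, and `privileged` is the PSA level that admits any pod — the same outcome as carrying no label at all, which the commit's own test plan notes for unlabeled namespaces. Namespaces that previously enforced `baseline` (cert-manager, vault, monitor, deployment, armada, the provisioners) therefore lose the host-namespace and privileged-container restrictions they had, and `POD_SECURITY_VERSION = 'latest'` is moot at the `privileged` level since it only shapes what `baseline`/`restricted` check. If only some of these workloads genuinely need privileged pods, keeping a `BASELINE_NS` group for the rest preserves the old posture; otherwise consider applying `pod-security.kubernetes.io/audit: baseline` and `pod-security.kubernetes.io/warn: baseline` next to the `privileged` enforce label so violations are still recorded without blocking anything. A comment above the list such as `# every namespace here is labelled 'privileged': PSA enforces nothing for them, only audit/warn labels give visibility` would keep the next reader from mistaking the list for a hardening control.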
@@ -219,9 +219,7 @@ def add_pod_security_admission_controller_labels(app_op, app, hook_info):
 for ns in namespaces:
- security_level = 'baseline'
- if ns in common.PRIVILEGED_NS:
- security_level = 'privileged'
+ security_level = 'privileged'
 body = {
 "metadata": {