Update application namespaces PSA labels

This commit updates the per-mode version of Pod Security Admission
labels to "latest" for application namespaces such as cert-manager.
Pod Security Admission labels on namespaces are needed for pod
security admission controller to know how restrictive each
namespace is.
Pinning to a specific Kubernetes version, for example v1.23, allows
the behavior to remain consistent as policy changes happen over
Kubernetes releases. Keeping the version "latest" as the default,
allows more flexibility when supporting multiple kubernetes
versions.
This commit also updates the application namespaces label default
levels to "privileged" from "baseline". This causes no harm
if users do not wish to use the "beta" PSA feature enabled by default
in Kubernetes v1.23+.

Test Plan:
PASS: In an installed system verify that the pod security admission
      labels of the cert-manager namespace has been updated with the
      per-mode version "latest".
PASS: Created namespaces where policies are applied via labels.
      Privileged pods fail to get created in namespaces that are not
      configured with privileged policy level.
PASS: Privileged pods get created in namespaces with no security
      policy labels.

Story: 2009833
Task: 45632

Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: I76d44873ac447bbc0e2d90643fedf38bef8ebd1a
Carmen Rata 2022-06-15 12:42:01 -04:00
parent 4e46f2ac6a
commit eef577f13d
3 changed files with 7 additions and 11 deletions


@ -53,12 +53,10 @@ def add_pod_security_admission_controller_labels():
# we add pod security admission controller labels to namespaces that
# we create
namespace = line.replace("namespace/", "")
if namespace not in common.PRIVILEGED_NS \
and namespace not in common.BASELINE_NS:
if namespace not in common.PRIVILEGED_NS:
continue
security_version = 'v1.23'
security_level = 'baseline'
security_version = 'latest'
if namespace in common.PRIVILEGED_NS:
security_level = 'privileged'
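Review bot: The `if namespace in common.PRIVILEGED_NS:` guard on the last two lines is now always true, because the `continue` two lines earlier already skips every namespace that is not in `PRIVILEGED_NS`, so the conditional only obscures that `security_level` would be unbound if it ever failed; assign it unconditionally, `security_level = 'privileged'`. The `security_version = 'latest'` literal also duplicates the `POD_SECURITY_VERSION = 'latest'` value this same commit sets in the common module; reading `security_version = common.POD_SECURITY_VERSION` keeps the per-mode version in one place if it is ever pinned back to a specific release. Since every namespace this path labels is now privileged, the two-line comment at the top should say so, e.g. `# every namespace we create is labelled with the privileged PSA level; no baseline tier remains`. The enclosing function continues outside the hunk.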


@ -42,11 +42,11 @@ HELM_NS_DEPLOYMENT = 'deployment'
HELM_NS_ARMADA = 'armada'
# namespace groups for pod security admission controller
PRIVILEGED_NS = [HELM_NS_KUBE_SYSTEM, HELM_NS_NOTIFICATION]
BASELINE_NS = [HELM_NS_CEPH, HELM_NS_NFS, HELM_NS_OPENSTACK, HELM_NS_HELM_TOOLKIT,
PRIVILEGED_NS = [HELM_NS_CEPH, HELM_NS_NFS, HELM_NS_OPENSTACK, HELM_NS_HELM_TOOLKIT,
HELM_NS_MONITOR, HELM_NS_RBD_PROVISIONER, HELM_NS_STORAGE_PROVISIONER,
HELM_NS_CERT_MANAGER, HELM_NS_VAULT, HELM_NS_DEPLOYMENT, HELM_NS_ARMADA]
POD_SECURITY_VERSION = 'v1.23'
HELM_NS_CERT_MANAGER, HELM_NS_VAULT, HELM_NS_DEPLOYMENT, HELM_NS_ARMADA,
HELM_NS_KUBE_SYSTEM, HELM_NS_NOTIFICATION]
POD_SECURITY_VERSION = 'latest'
# Services
# Matches configassistant.py value => Should change to STARLINGX
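Review bot: Removing the `BASELINE_NS` constant deletes a public name from a shared module, and the only reference to it visible on this page is the one the first file drops; any other module that still reads `common.BASELINE_NS` would fail with an `AttributeError` at call time rather than at import. Keeping `BASELINE_NS = []` would preserve the name and make reintroducing a baseline tier a one-line change, which seems plausible given the commit message frames the move to privileged as a compatibility default. `POD_SECURITY_VERSION = 'latest'` also deserves a comment recording the trade-off, since with `latest` the enforced policy shifts with each Kubernetes release, e.g. `# 'latest' follows the running cluster's PSA policy; pin to a release such as 'v1.23' for a frozen policy`.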


@ -219,9 +219,7 @@ def add_pod_security_admission_controller_labels(app_op, app, hook_info):
for ns in namespaces:
security_level = 'baseline'
if ns in common.PRIVILEGED_NS:
security_level = 'privileged'
security_level = 'privileged'
body = {
"metadata": {
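Review bot: `security_level = 'privileged'` is now a loop-invariant constant reassigned on every iteration of `for ns in namespaces:`, so it belongs above the loop or, better, in the common module beside `POD_SECURITY_VERSION`, so that this function and the other `add_pod_security_admission_controller_labels` touched by this commit stop each hard-coding the same level and version literals. Dropping the `if ns in common.PRIVILEGED_NS:` check also means every namespace in `namespaces` is labelled privileged here regardless of membership, whereas the first file's version of the function still skips non-`PRIVILEGED_NS` namespaces with `continue`; if that asymmetry is intentional it should be stated, e.g. `# all namespaces handled by this hook are labelled privileged, independent of common.PRIVILEGED_NS`. The `body = {` dict and the rest of the function continue outside the hunk.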