aa93e03b10
Pod security admission controller labels on namespaces are needed
for pod security admission controller to know how restrictive each
namespace is. This commit adds labels for pod security admission
controller to our namespaces. Pod security admission controller
is enabled by default on kubernetes 1.23. These labels do nothing
harmful or beneficial on the lower versions of kubernetes.
Test Plan:
PASS: Bootstrap system and ensure the pod security admission
controller labels are present on our namespaces (kube-system,
armada, deployment, and any namespaces created by applications
such as cert-manager)
PASS: Upgrade an old system and ensure the labels are added after
the upgrade is finished
PASS: Try to bring up privileged pods in a baseline namespace,
ensure it fails. This was done on a developer iso, since
we do not have kubernetes 1.23 ready yet. The same labels
were applied to the developer iso's namespaces.
PASS: Deploy a privileged pod in a baseline namespace in the
current kubernetes version. Ensure it is NOT rejected
Change-Id: Ib909eaacb6bba3b5c3327e2f9998a5ecdcb70e9b
Story: 2009833
Task: 44764
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
|
||
|---|---|---|
| api-ref/source | ||
| config-gate | ||
| controllerconfig | ||
| devstack | ||
| doc | ||
| releasenotes | ||
| storageconfig | ||
| sysinv | ||
| tmp/patch-scripts/EXAMPLE_SYSINV/scripts | ||
| tools/docker/images | ||
| tsconfig | ||
| workerconfig | ||
| .gitignore | ||
| .gitreview | ||
| .yamllint | ||
| .zuul.yaml | ||
| CONTRIBUTORS.wrs | ||
| LICENSE | ||
| README.rst | ||
| bindep.txt | ||
| centos_build_layer.cfg | ||
| centos_dev_wheels.inc | ||
| centos_helm.inc | ||
| centos_iso_image.inc | ||
| centos_pkg_dirs | ||
| centos_pkg_dirs_containers | ||
| centos_stable_wheels.inc | ||
| debian_build_layer.cfg | ||
| debian_iso_image.inc | ||
| debian_pkg_dirs | ||
| test-requirements.txt | ||
| tox.ini | ||
README.rst
stx-config
StarlingX Configuration Management