eef577f13d
This commit updates the per-mode version of Pod Security Admission
labels to "latest" for application namespaces such as cert-manager.
Pod Security Admission labels on namespaces are needed for pod
security admission controller to know how restrictive each
namespace is.
Pinning to a specific Kubernetes version, for example v1.23, allows
the behavior to remain consistent as policy changes happen over
Kubernetes releases. Keeping the version "latest" as the default,
allows more flexibility when supporting multiple kubernetes
versions.
This commit also updates the application namespaces label default
levels to "privileged" from "baseline". This will cause no-harm
if users do not wish to use "beta" PSA feature enabled by default
in Kubernetes v1.23+.
Test Plan:
PASS: In an installed system verify that the pod security admission
labels of the cert-manager namespace has been updated with the
per-mode version "latest".
PASS: Created namespaces where policies are applied via labels.
Privileged pods fail to get created in namespaces that are not
configured with privileged policy level.
PASS: Privileged pods get created in namespaces with no security
policy labels.
Story: 2009833
Task: 45632
Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: I76d44873ac447bbc0e2d90643fedf38bef8ebd1a
|
||
|---|---|---|
| .. | ||
| __init__.py | ||
| base.py | ||
| common.py | ||
| helm.py | ||
| kustomize_base.py | ||
| kustomize_generic.py | ||
| lifecycle_base.py | ||
| lifecycle_constants.py | ||
| lifecycle_generic.py | ||
| lifecycle_hook.py | ||
| lifecycle_utils.py | ||
| manifest_base.py | ||
| manifest_generic.py | ||
| utils.py | ||