eef577f13d
This commit updates the per-mode version of Pod Security Admission labels to "latest" for application namespaces such as cert-manager. Pod Security Admission labels on namespaces are needed for the pod security admission controller to know how restrictive each namespace is. Pinning to a specific Kubernetes version, for example v1.23, allows the behavior to remain consistent as policy changes happen over Kubernetes releases. Keeping the version "latest" as the default allows more flexibility when supporting multiple Kubernetes versions.

This commit also updates the application namespaces label default levels to "privileged" from "baseline". This will cause no harm if users do not wish to use the "beta" PSA feature enabled by default in Kubernetes v1.23+.

Test Plan:
PASS: In an installed system verify that the pod security admission labels of the cert-manager namespace have been updated with the per-mode version "latest".
PASS: Created namespaces where policies are applied via labels. Privileged pods fail to get created in namespaces that are not configured with privileged policy level.
PASS: Privileged pods get created in namespaces with no security policy labels.

Story: 2009833
Task: 45632

Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: I76d44873ac447bbc0e2d90643fedf38bef8ebd1a
||
---|---|---|
api-ref/source | ||
config-gate | ||
controllerconfig | ||
devstack | ||
doc | ||
releasenotes | ||
storageconfig | ||
sysinv | ||
tmp/patch-scripts/EXAMPLE_SYSINV/scripts | ||
tools/docker/images | ||
tsconfig | ||
workerconfig | ||
.gitignore | ||
.gitreview | ||
.yamllint | ||
.zuul.yaml | ||
CONTRIBUTORS.wrs | ||
LICENSE | ||
README.rst | ||
bindep.txt | ||
centos_build_layer.cfg | ||
centos_dev_wheels.inc | ||
centos_helm.inc | ||
centos_iso_image.inc | ||
centos_pkg_dirs | ||
centos_pkg_dirs_containers | ||
centos_stable_wheels.inc | ||
debian_build_layer.cfg | ||
debian_iso_image.inc | ||
debian_pkg_dirs | ||
debian_stable_wheels.inc | ||
test-requirements.txt | ||
tox.ini |
README.rst
stx-config
StarlingX Configuration Management