Add labels for created namespace during velero installation to adopt …
…k8s v1.25's PSS and PSA.

Signed-off-by: Xun Jiang <[email protected]>
Xun Jiang committed Feb 21, 2023
1 parent 2f97356 commit 145a91f
Showing 3 changed files with 12 additions and 1 deletion.
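--- a/changelogs/unreleased/5887-blackpiglet
+++ b/changelogs/unreleased/5887-blackpiglet
@@ -0,0 +1 @@
+Add labels for velero installed namespace to support PSA.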
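--- a/pkg/install/resources.go
+++ b/pkg/install/resources.go
@@ -136,13 +136,18 @@ func ClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding {
 }
 
 func Namespace(namespace string) *corev1.Namespace {
-return &corev1.Namespace{
+ns := &corev1.Namespace{
 ObjectMeta: objectMeta("", namespace),
 TypeMeta: metav1.TypeMeta{
 Kind: "Namespace",
 APIVersion: corev1.SchemeGroupVersion.String(),
 },
 }
+
+ns.Labels["pod-security.kubernetes.io/enforce"] = "privileged"
+ns.Labels["pod-security.kubernetes.io/enforce-version"] = "latest"
+
+return ns
 }
 
 func BackupStorageLocation(namespace, provider, bucket, prefix string, config map[string]string, caCert []byte) *velerov1api.BackupStorageLocation {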
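Review bot: `Namespace` now sets `pod-security.kubernetes.io/enforce` to `privileged` unconditionally, which switches Pod Security Admission enforcement off for every pod created in the install namespace, and nothing in the function says why that level is needed. I would add a comment above the two assignments such as `// PSA: "privileged" exempts all pods in this namespace from Pod Security enforcement; document which Velero workload requires it.` and consider also setting the `pod-security.kubernetes.io/audit` and `pod-security.kubernetes.io/warn` labels to a stricter level so violations stay visible. Separately, `objectMeta` is defined outside this hunk; if it can ever return a nil `Labels` map the assignments panic, so a guard `if ns.Labels == nil { ns.Labels = map[string]string{} }` before them would be cheap insurance.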
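--- a/pkg/install/resources_test.go
+++ b/pkg/install/resources_test.go
@@ -40,6 +40,11 @@ func TestResources(t *testing.T) {
 ns := Namespace("velero")
 
 assert.Equal(t, "velero", ns.Name)
+// For k8s version v1.25 and later, need to add the following labels to make
+// velero installation namespace has privileged version to work with
+// PSA(Pod Security Admission) and PSS(Pod Security Standards).
+assert.Equal(t, ns.Labels["pod-security.kubernetes.io/enforce"], "privileged")
+assert.Equal(t, ns.Labels["pod-security.kubernetes.io/enforce-version"], "latest")
 
 crb := ClusterRoleBinding(DefaultVeleroNamespace)
 // The CRB is a cluster-scoped resource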
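Review bot: The two new `assert.Equal` calls pass the actual value before the expected one, the reverse of the `assert.Equal(t, "velero", ns.Name)` line just above, so a failure would report expected and actual swapped. Write them as `assert.Equal(t, "privileged", ns.Labels["pod-security.kubernetes.io/enforce"])` and `assert.Equal(t, "latest", ns.Labels["pod-security.kubernetes.io/enforce-version"])`. The comment would read better as `// On k8s v1.25+, the install namespace must carry the privileged PSA labels`. `TestResources` continues outside the hunk.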
