[functest-kubernetes.git] / docker / core / Enforce-baseline-Pod-Security-Standard-with-namespac.patch
1 From cf7998dc92bd9d0bcc99ee2c9a21b6c41d1b2750 Mon Sep 17 00:00:00 2001
2 From: =?UTF-8?q?C=C3=A9dric=20Ollivier?= <cedric.ollivier@orange.com>
3 Date: Fri, 12 Jan 2024 21:16:54 +0100
4 Subject: [PATCH] Enforce baseline Pod Security Standard with namespace labels
5 MIME-Version: 1.0
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
8
9 It allows running the xrally_kubernetes testcases vs clusters where
10 PodSecurityConfiguration enforces "restricted" [1].
11
12 Please note that Kubernetes.create_and_delete_pod_with_hostpath_volume
13 even requests for privileged [2].
14
15 [1] https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/
16 [2] https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
17
18 Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
19 ---
20  xrally_kubernetes/service.py | 3 ++-
21  1 file changed, 2 insertions(+), 1 deletion(-)
22
23 diff --git a/xrally_kubernetes/service.py b/xrally_kubernetes/service.py
24 index d38f84b..4f97550 100644
25 --- a/xrally_kubernetes/service.py
26 +++ b/xrally_kubernetes/service.py
27 @@ -238,7 +238,8 @@ class Kubernetes(service.Service):
28              "metadata": {
29                  "name": name,
30                  "labels": {
31 -                    "role": name
32 +                    "role": name,
33 +                    "pod-security.kubernetes.io/enforce": "baseline"
34                  }
35              }
36          }
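Review bot: The `"pod-security.kubernetes.io/enforce": "baseline"` value added to the `labels` dict is hardcoded, but the commit message itself notes that Kubernetes.create_and_delete_pod_with_hostpath_volume requests privileged. The baseline level does not allow hostPath volumes, so that scenario will still be rejected in any namespace labelled this way. Consider passing the level into the method that builds this manifest, defaulting to "baseline", so the hostpath scenario can request "privileged" while every other scenario stays at baseline. Because the label lowers enforcement below the cluster's "restricted" default for each namespace this code creates, a short comment beside the label stating why would help later readers. Adding `pod-security.kubernetes.io/enforce-version` as well would pin the behaviour across cluster upgrades.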
37 -- 
38 2.43.0
39