Skip to content

Commit b50e9e1

Browse files
saumeyasaumeya
authored
fix: ensure pod security label on namespace (#774)
* fix: ensure pod security label on namespace Signed-off-by: saumeya <saumeyakatyal@gmail.com> * fix: Signed-off-by: saumeya <saumeyakatyal@gmail.com> * review comments Signed-off-by: saumeya <saumeyakatyal@gmail.com> --------- Signed-off-by: saumeya <saumeyakatyal@gmail.com>
1 parent 45c82e3 commit b50e9e1

1 file changed

Lines changed: 39 additions & 0 deletions

File tree

controllers/gitopsservice_controller.go

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -230,6 +230,14 @@ func (r *ReconcileGitopsService) Reconcile(ctx context.Context, request reconcil
230230
} else {
231231
return reconcile.Result{}, err
232232
}
233+
} else {
234+
needUpdate, updateNameSpace := ensurePodSecurityLabels(namespaceRef)
235+
if needUpdate {
236+
err = r.Client.Update(context.TODO(), updateNameSpace)
237+
if err != nil {
238+
return reconcile.Result{}, err
239+
}
240+
}
233241
}
234242

235243
gitopsserviceNamespacedName := types.NamespacedName{
@@ -369,6 +377,15 @@ func (r *ReconcileGitopsService) reconcileDefaultArgoCDInstance(instance *pipeli
369377
return reconcile.Result{}, err
370378
}
371379
}
380+
381+
needUpdate, updateNameSpace := ensurePodSecurityLabels(argocdNS)
382+
if needUpdate {
383+
err = r.Client.Update(context.TODO(), updateNameSpace)
384+
if err != nil {
385+
return reconcile.Result{}, err
386+
}
387+
}
388+
372389
}
373390

374391
// Set GitopsService instance as the owner and controller
@@ -920,3 +937,25 @@ func policyRuleForBackendServiceClusterRole() []rbacv1.PolicyRule {
920937
},
921938
}
922939
}
940+
941+
func ensurePodSecurityLabels(namespace *corev1.Namespace) (bool, *corev1.Namespace) {
942+
943+
pssLabels := map[string]string{
944+
"pod-security.kubernetes.io/enforce": "restricted",
945+
"pod-security.kubernetes.io/enforce-version": "v1.29",
946+
"pod-security.kubernetes.io/audit": "restricted",
947+
"pod-security.kubernetes.io/audit-version": "latest",
948+
"pod-security.kubernetes.io/warn": "restricted",
949+
"pod-security.kubernetes.io/warn-version": "latest",
950+
}
951+
952+
changed := false
953+
for pssKey, pssVal := range pssLabels {
954+
if nsVal, exists := namespace.Labels[pssKey]; !exists || nsVal != pssVal {
955+
namespace.Labels[pssKey] = pssVal
956+
changed = true
957+
}
958+
959+
}
960+
return changed, namespace
961+
}

0 commit comments

Comments
 (0)