diff options
author | Cédric Ollivier <cedric.ollivier@orange.com> | 2024-01-12 22:19:36 +0100 |
---|---|---|
committer | Cédric Ollivier <cedric.ollivier@orange.com> | 2024-01-12 22:22:18 +0100 |
commit | dfc54261222a6a97cfa24c3d46970c7167e3020d (patch) | |
tree | e207d0922c477926c09808475dcdeda6e5e53ecc /docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch | |
parent | bc0dee5ab12a178dc000ecd80427435bfc64d247 (diff) |
Apply PR " Enforce baseline Pod Security Standard with namespace labels"
It's needed for any Cluster where PodSecurityConfiguration enforces "restricted" [1].
[1] https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/
Change-Id: I9df12654d09390353a898030314a3fda9074b0d5
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
(cherry picked from commit 05656f790feab78bb02b6ed0e3b11048eea39901)
Diffstat (limited to 'docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch')
-rw-r--r-- | docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch b/docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch new file mode 100644 index 00000000..1a4cc1d0 --- /dev/null +++ b/docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch @@ -0,0 +1,39 @@ +From cf7998dc92bd9d0bcc99ee2c9a21b6c41d1b2750 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Ollivier?= <cedric.ollivier@orange.com> +Date: Fri, 12 Jan 2024 21:16:54 +0100 +Subject: [PATCH] Enforce baseline Pod Security Standard with namespace labels +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +It allows running the xrally_kubernetes testcases vs clusters where +PodSecurityConfiguration enforces "restricted" [1]. + +Please note that Kubernetes.create_and_delete_pod_with_hostpath_volume +even requests for privileged [2]. + +[1] https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/ +[2] https://kubernetes.io/docs/concepts/storage/volumes/#hostpath + +Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com> +--- + xrally_kubernetes/service.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/xrally_kubernetes/service.py b/xrally_kubernetes/service.py +index d38f84b..4f97550 100644 +--- a/xrally_kubernetes/service.py ++++ b/xrally_kubernetes/service.py +@@ -238,7 +238,8 @@ class Kubernetes(service.Service): + "metadata": { + "name": name, + "labels": { +- "role": name ++ "role": name, ++ "pod-security.kubernetes.io/enforce": "baseline" + } + } + } +-- +2.43.0 + |