path: root/docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch
author Cédric Ollivier <cedric.ollivier@orange.com> 2024-01-12 22:19:36 +0100
committer Cédric Ollivier <cedric.ollivier@orange.com> 2024-01-12 22:22:18 +0100
commit dfc54261222a6a97cfa24c3d46970c7167e3020d
tree e207d0922c477926c09808475dcdeda6e5e53ecc /docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch
parent bc0dee5ab12a178dc000ecd80427435bfc64d247
Apply PR "Enforce baseline Pod Security Standard with namespace labels"

It's needed for any Cluster where PodSecurityConfiguration enforces "restricted" [1].

[1] https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/

Change-Id: I9df12654d09390353a898030314a3fda9074b0d5
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
(cherry picked from commit 05656f790feab78bb02b6ed0e3b11048eea39901)
Diffstat (limited to 'docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch')
-rw-r--r-- docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch 39
1 files changed, 39 insertions, 0 deletions
diff --git a/docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch b/docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch
new file mode 100644
index 00000000..1a4cc1d0
--- /dev/null
+++ b/docker/core/Enforce-baseline-Pod-Security-Standard-with-namespac.patch
@@ -0,0 +1,39 @@
+From cf7998dc92bd9d0bcc99ee2c9a21b6c41d1b2750 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Ollivier?= <cedric.ollivier@orange.com>
+Date: Fri, 12 Jan 2024 21:16:54 +0100
+Subject: [PATCH] Enforce baseline Pod Security Standard with namespace labels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It allows running the xrally_kubernetes testcases vs clusters where
+PodSecurityConfiguration enforces "restricted" [1].
+
+Please note that Kubernetes.create_and_delete_pod_with_hostpath_volume
+even requests for privileged [2].
+
+[1] https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/
+[2] https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
+
+Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
+---
+ xrally_kubernetes/service.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xrally_kubernetes/service.py b/xrally_kubernetes/service.py
+index d38f84b..4f97550 100644
+--- a/xrally_kubernetes/service.py
++++ b/xrally_kubernetes/service.py
+@@ -238,7 +238,8 @@ class Kubernetes(service.Service):
+ "metadata": {
+ "name": name,
+ "labels": {
+- "role": name
++ "role": name,
++ "pod-security.kubernetes.io/enforce": "baseline"
+ }
+ }
+ }
+--
+2.43.0
+
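Review bot: the label added in the embedded xrally_kubernetes/service.py hunk hard-codes "pod-security.kubernetes.io/enforce": "baseline" on every namespace the service creates, while the patch description itself says Kubernetes.create_and_delete_pod_with_hostpath_volume requests privileged. hostPath volumes are outside what the baseline level admits, so that scenario would still be rejected on a cluster whose default is "restricted", and every other scenario's namespace is relaxed from restricted to baseline whether it needs it or not. Consider taking the level from a parameter (defaulting to "baseline") so that only the hostPath scenario's namespace is labelled privileged, and say in the description which scenarios are expected to pass at which level. The commit subject mentions a PR, but neither message links it; a reference to the upstream PR in the carried patch would make it clear when this file can be dropped.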