From 09b6dbe27454f22f2f30af7e2b48509d7a797233 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Mon, 25 Jul 2022 13:09:48 +0200
Subject: [PATCH] chore: Prepare 1.24.x release with privileged labels

This patch prepares the switch to Kubernetes 1.24.x, which replaces PSP with
PSS. It is therefore a good time to prepare our most important namespaces
with the relevant labels so that Pods can keep using privileged runtime
features.

References:
https://kubernetes.io/docs/concepts/security/pod-security-standards/
https://v1-23.docs.kubernetes.io/docs/concepts/security/pod-security-policy/
https://v1-23.docs.kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/
---
 bootstrap/calico/namespace.yaml             | 5 ++++-
 infrastructure/longhorn/namespace.yaml      | 3 +++
 infrastructure/metallb/namespace.yaml       | 5 ++++-
 infrastructure/monitoring/namespace.yaml    | 3 +++
 infrastructure/node-features/namespace.yaml | 3 +++
 5 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/bootstrap/calico/namespace.yaml b/bootstrap/calico/namespace.yaml
index 27cd9ea11..65f8e7962 100644
--- a/bootstrap/calico/namespace.yaml
+++ b/bootstrap/calico/namespace.yaml
@@ -3,4 +3,7 @@ kind: Namespace
 metadata:
   name: tigera-operator
   labels:
-    kyverno.shivering-isles.com/class: "system" 
+    kyverno.shivering-isles.com/class: "system"
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
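Review bot: Setting `pod-security.kubernetes.io/audit` and `pod-security.kubernetes.io/warn` to `privileged` next to `enforce: privileged` removes all Pod Security visibility for this namespace, because `privileged` matches every Pod and nothing is ever audit-logged or warned about; the same applies to the identical labels added in infrastructure/longhorn, infrastructure/metallb, infrastructure/monitoring and infrastructure/node-features. The migration guide the commit references recommends keeping enforce permissive while audit and warn evaluate the stricter level, e.g. `pod-security.kubernetes.io/audit: baseline` and `pod-security.kubernetes.io/warn: baseline`, so workloads that do not actually need host-level access (plausibly parts of the monitoring stack) surface in the audit log and in kubectl warnings without being blocked. Without a `pod-security.kubernetes.io/enforce-version` (and matching `audit-version`/`warn-version`) label the admission checks default to `latest`, so the policy being evaluated silently changes on each cluster upgrade; pinning, e.g. `pod-security.kubernetes.io/audit-version: "v1.24"`, keeps the result deterministic. Where a namespace genuinely requires `privileged`, a one-line comment above the labels naming the workload that needs it would make the exception reviewable.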
diff --git a/infrastructure/longhorn/namespace.yaml b/infrastructure/longhorn/namespace.yaml
index 6b1119d69..12fdb4428 100644
--- a/infrastructure/longhorn/namespace.yaml
+++ b/infrastructure/longhorn/namespace.yaml
@@ -6,3 +6,6 @@ metadata:
     name: longhorn-system
     kyverno.shivering-isles.com/class: "system"
     kustomize.toolkit.fluxcd.io/prune: disabled
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
diff --git a/infrastructure/metallb/namespace.yaml b/infrastructure/metallb/namespace.yaml
index 57ae827fa..f7ad6ef9b 100644
--- a/infrastructure/metallb/namespace.yaml
+++ b/infrastructure/metallb/namespace.yaml
@@ -4,4 +4,7 @@ metadata:
   name: metallb-system
   labels:
     name: metallb-system
-    kyverno.shivering-isles.com/class: "system" 
+    kyverno.shivering-isles.com/class: "system"
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
diff --git a/infrastructure/monitoring/namespace.yaml b/infrastructure/monitoring/namespace.yaml
index dfdc3f8b3..6e28f37a1 100644
--- a/infrastructure/monitoring/namespace.yaml
+++ b/infrastructure/monitoring/namespace.yaml
@@ -6,3 +6,6 @@ metadata:
     name: monitoring-system
     kyverno.shivering-isles.com/class: "system"
     monitoring.shivering-isles.com/network-access-required: "true"
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
diff --git a/infrastructure/node-features/namespace.yaml b/infrastructure/node-features/namespace.yaml
index 2d112c5bb..78b38b95a 100644
--- a/infrastructure/node-features/namespace.yaml
+++ b/infrastructure/node-features/namespace.yaml
@@ -5,3 +5,6 @@ metadata:
   labels:
     name: node-features-system
     kyverno.shivering-isles.com/class: "system"
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
-- 
GitLab