From 2e2b4e65569e3ad6fbe6564d66798046de5bf83b Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Mon, 17 Oct 2022 15:47:34 +0200
Subject: [PATCH] feat(apps): Make all Namespace baseline security setup

This patch enforces the Kubernetes baseline security from the new Pod
security standards (PSS) for all apps namespaces. While not considered ideal,
it will still improve security and also emit warnings showing where existing
workloads need adjusting to fit the restricted PSS.

References:
https://kubernetes.io/docs/concepts/security/pod-security-standards/
---
 apps/base/forecastle/namespace.yaml             |  6 +++---
 apps/base/gitlab-runner/namespace.yaml          |  7 ++++++-
 apps/base/goharbor/namespace.yaml               |  7 ++++++-
 apps/base/iot/namespace.yaml                    |  6 +++---
 apps/base/keycloak/namespace.yaml               |  7 +++++++
 apps/base/mail/namespace.yaml                   |  7 +++++++
 apps/base/matrix/namespace.yaml                 |  7 ++++++-
 apps/base/nextcloud/namespace.yaml              |  7 ++++++-
 apps/base/renovate/namespace.yaml               | 12 ++++++------
 apps/k8s01/dns/namespace.yaml                   |  7 ++++++-
 apps/k8s01/hcloud-dynfw/namespace.yaml          |  7 ++++++-
 apps/k8s01/nas/namespace.yaml                   |  7 ++++++-
 clusters/k8s01/flux-system/gotk-components.yaml |  2 +-
 13 files changed, 69 insertions(+), 20 deletions(-)

diff --git a/apps/base/forecastle/namespace.yaml b/apps/base/forecastle/namespace.yaml
index d44f877d7..9bc83d706 100644
--- a/apps/base/forecastle/namespace.yaml
+++ b/apps/base/forecastle/namespace.yaml
@@ -6,9 +6,9 @@ metadata:
     pod-security.kubernetes.io/audit: restricted
     pod-security.kubernetes.io/enforce: baseline
     pod-security.kubernetes.io/warn: restricted
-    pod-security.kubernetes.io/audit-version: latest
-    pod-security.kubernetes.io/enforce-version: latest
-    pod-security.kubernetes.io/warn-version: latest
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
 ---
 apiVersion: v1
 kind: ServiceAccount
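Review bot: The new `audit-version`/`enforce-version`/`warn-version` values on lines 40-42 are a bare `1.23`, which YAML parses as a float rather than a label string, and the Pod Security Standards page the commit references gives version values as `latest` or `v<major>.<minor>`. Quote the value and use the documented prefix, e.g. `pod-security.kubernetes.io/enforce-version: "v1.23"` (and the same for audit and warn), so the label survives YAML-to-JSON conversion as a string and is parsed as a real version pin. I believe a version label the admission controller cannot parse is treated as `latest` with a warning rather than rejected, which would silently defeat the pinning — worth confirming against the cluster's API server version. The same value appears in every other namespace hunk in this patch and in the flux-system hunk.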
diff --git a/apps/base/gitlab-runner/namespace.yaml b/apps/base/gitlab-runner/namespace.yaml
index a0ad4cacd..839878693 100644
--- a/apps/base/gitlab-runner/namespace.yaml
+++ b/apps/base/gitlab-runner/namespace.yaml
@@ -3,7 +3,12 @@ kind: Namespace
 metadata:
   name: gitlab-runner
   labels:
-    name: gitlab-runner
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
 ---
 apiVersion: v1
 kind: ServiceAccount
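Review bot: Removing the `name: gitlab-runner` label on line 54 changes the namespace's label set, and any NetworkPolicy or webhook `namespaceSelector` that matched on `name` would silently stop selecting this namespace; nothing in the patch shows such consumers being updated. If the label is genuinely unused, selectors can rely on the API-server-managed `kubernetes.io/metadata.name` label instead; otherwise keep `name: gitlab-runner` alongside the new pod-security labels. The same removal appears in the goharbor, matrix, nextcloud, dns, hcloud-dynfw and nas hunks.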
diff --git a/apps/base/goharbor/namespace.yaml b/apps/base/goharbor/namespace.yaml
index 7134d5dd1..294a1d410 100644
--- a/apps/base/goharbor/namespace.yaml
+++ b/apps/base/goharbor/namespace.yaml
@@ -3,7 +3,12 @@ kind: Namespace
 metadata:
   name: goharbor
   labels:
-    name: goharbor
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
 ---
 apiVersion: v1
 kind: ServiceAccount
diff --git a/apps/base/iot/namespace.yaml b/apps/base/iot/namespace.yaml
index cca018635..5ac0d3fb9 100644
--- a/apps/base/iot/namespace.yaml
+++ b/apps/base/iot/namespace.yaml
@@ -6,9 +6,9 @@ metadata:
     pod-security.kubernetes.io/audit: restricted
     pod-security.kubernetes.io/enforce: baseline
     pod-security.kubernetes.io/warn: restricted
-    pod-security.kubernetes.io/audit-version: latest
-    pod-security.kubernetes.io/enforce-version: latest
-    pod-security.kubernetes.io/warn-version: latest
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
 ---
 apiVersion: v1
 kind: ServiceAccount
diff --git a/apps/base/keycloak/namespace.yaml b/apps/base/keycloak/namespace.yaml
index cd23ac328..81987e97b 100644
--- a/apps/base/keycloak/namespace.yaml
+++ b/apps/base/keycloak/namespace.yaml
@@ -2,6 +2,13 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: keycloak
+  labels:
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
 ---
 apiVersion: v1
 kind: ServiceAccount
diff --git a/apps/base/mail/namespace.yaml b/apps/base/mail/namespace.yaml
index a0a4c8db8..0f83674f6 100644
--- a/apps/base/mail/namespace.yaml
+++ b/apps/base/mail/namespace.yaml
@@ -2,6 +2,13 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: mail
+  labels:
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
 ---
 apiVersion: v1
 kind: ServiceAccount
diff --git a/apps/base/matrix/namespace.yaml b/apps/base/matrix/namespace.yaml
index 835044fb4..100984ff9 100644
--- a/apps/base/matrix/namespace.yaml
+++ b/apps/base/matrix/namespace.yaml
@@ -3,7 +3,12 @@ kind: Namespace
 metadata:
   name: matrix
   labels:
-    name: matrix
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
 ---
 apiVersion: v1
 kind: ServiceAccount
diff --git a/apps/base/nextcloud/namespace.yaml b/apps/base/nextcloud/namespace.yaml
index 78e9fd1cb..f996b257d 100644
--- a/apps/base/nextcloud/namespace.yaml
+++ b/apps/base/nextcloud/namespace.yaml
@@ -3,7 +3,12 @@ kind: Namespace
 metadata:
   name: nextcloud
   labels:
-    name: nextcloud
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
 ---
 apiVersion: v1
 kind: ServiceAccount
diff --git a/apps/base/renovate/namespace.yaml b/apps/base/renovate/namespace.yaml
index c4c9e233f..2b029c278 100644
--- a/apps/base/renovate/namespace.yaml
+++ b/apps/base/renovate/namespace.yaml
@@ -3,12 +3,12 @@ kind: Namespace
 metadata:
   name: renovate
   labels:
-    pod-security.kubernetes.io/audit: "restricted"
-    pod-security.kubernetes.io/audit-version: "latest"
-    pod-security.kubernetes.io/enforce: "restricted"
-    pod-security.kubernetes.io/enforce-version: "latest"
-    pod-security.kubernetes.io/warn: "restricted"
-    pod-security.kubernetes.io/warn-version: "latest"
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
 ---
 apiVersion: v1
 kind: ServiceAccount
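Review bot: This hunk lowers renovate's `enforce` level from `restricted` to `baseline` on line 186, which relaxes an existing control rather than adding one, while the commit message only describes raising namespaces to baseline. If renovate already ran cleanly under `restricted`, keeping `pod-security.kubernetes.io/enforce: restricted` here avoids a security regression; if the downgrade is deliberate, the commit message should state why. The hunk also drops the quotes that previously kept the version labels as strings, which matters once the value is a number-looking `1.23`.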
diff --git a/apps/k8s01/dns/namespace.yaml b/apps/k8s01/dns/namespace.yaml
index fdd106b0c..f1c051be1 100644
--- a/apps/k8s01/dns/namespace.yaml
+++ b/apps/k8s01/dns/namespace.yaml
@@ -3,4 +3,9 @@ kind: Namespace
 metadata:
   name: dns
   labels:
-    name: dns
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
diff --git a/apps/k8s01/hcloud-dynfw/namespace.yaml b/apps/k8s01/hcloud-dynfw/namespace.yaml
index 811901e78..473b68900 100644
--- a/apps/k8s01/hcloud-dynfw/namespace.yaml
+++ b/apps/k8s01/hcloud-dynfw/namespace.yaml
@@ -3,4 +3,9 @@ kind: Namespace
 metadata:
   name: hcloud-dynfw
   labels:
-    name: hcloud-dynfw
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
diff --git a/apps/k8s01/nas/namespace.yaml b/apps/k8s01/nas/namespace.yaml
index 0a2fde392..42c732ad1 100644
--- a/apps/k8s01/nas/namespace.yaml
+++ b/apps/k8s01/nas/namespace.yaml
@@ -3,4 +3,9 @@ kind: Namespace
 metadata:
   name: nas
   labels:
-    name: nas
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
diff --git a/clusters/k8s01/flux-system/gotk-components.yaml b/clusters/k8s01/flux-system/gotk-components.yaml
index 0f286ac78..269475b70 100644
--- a/clusters/k8s01/flux-system/gotk-components.yaml
+++ b/clusters/k8s01/flux-system/gotk-components.yaml
@@ -10,7 +10,7 @@ metadata:
     app.kubernetes.io/part-of: flux
     app.kubernetes.io/version: v0.35.0
     pod-security.kubernetes.io/warn: restricted
-    pod-security.kubernetes.io/warn-version: latest
+    pod-security.kubernetes.io/warn-version: 1.23
   name: flux-system
 ---
 apiVersion: apiextensions.k8s.io/v1
-- 
GitLab