From a60b84e26772d79752fd90a7e5d86c9dba5f205d Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Wed, 19 Oct 2022 21:51:20 +0200
Subject: [PATCH] feat(infrastructure): Use Pod Security Standards for
 infrastructure

This patch enables explicit pod security standards on all infrastructure
namespaces.
---
 bootstrap/calico/namespace.yaml             | 3 +++
 infrastructure/cert-manager/namespace.yaml  | 7 ++++++-
 infrastructure/drivers/namespace.yaml       | 7 ++++++-
 infrastructure/k8up/namespace.yaml          | 9 +++++++--
 infrastructure/kubenav/namespace.yaml       | 7 ++++++-
 infrastructure/loki/namespace.yaml          | 3 +++
 infrastructure/longhorn/namespace.yaml      | 3 +++
 infrastructure/metallb/namespace.yaml       | 3 +++
 infrastructure/monitoring/namespace.yaml    | 3 +++
 infrastructure/nginx-system/namespace.yaml  | 9 +++++++--
 infrastructure/node-features/namespace.yaml | 3 +++
 infrastructure/postgres/namespace.yaml      | 7 ++++++-
 infrastructure/starboard/namespace.yaml     | 7 ++++++-
 13 files changed, 62 insertions(+), 9 deletions(-)

diff --git a/bootstrap/calico/namespace.yaml b/bootstrap/calico/namespace.yaml
index 65f8e7962..63f92a7b7 100644
--- a/bootstrap/calico/namespace.yaml
+++ b/bootstrap/calico/namespace.yaml
@@ -7,3 +7,6 @@ metadata:
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
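Review bot: The three `-version` labels added here are unquoted, so a YAML 1.1 parser reads `1.23` as a float rather than a string; label values must be strings, so the apply can be rejected with an "expected string, got number" validation error, and a later bump such as `1.30` would silently degrade to `1.3`. Quote them: `pod-security.kubernetes.io/audit-version: "1.23"`, and likewise for `enforce-version` and `warn-version`. The identical unquoted lines appear in every other hunk of this patch (cert-manager, drivers, k8up, kubenav, loki, longhorn, metallb, monitoring, nginx-system, node-features, postgres, starboard) and need the same treatment. Pinning the policy version also means checks introduced in later Kubernetes releases are not applied until these labels are bumped, so it is worth tracking them alongside cluster upgrades.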
diff --git a/infrastructure/cert-manager/namespace.yaml b/infrastructure/cert-manager/namespace.yaml
index 4555234ea..410ae3359 100644
--- a/infrastructure/cert-manager/namespace.yaml
+++ b/infrastructure/cert-manager/namespace.yaml
@@ -3,5 +3,10 @@ kind: Namespace
 metadata:
   name: cert-manager
   labels:
-    name: cert-manager
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
     kyverno.shivering-isles.com/class: "system"
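Review bot: The removed `name: cert-manager` label may still be matched by selectors elsewhere (a NetworkPolicy `namespaceSelector` or a Kyverno rule, for instance) — the hunk does not show whether anything selects on it, so that should be confirmed before it is dropped. Where such selectors exist, point them at the automatically populated `kubernetes.io/metadata.name` label, which carries the same value. The same `name:` label removal occurs in the drivers, k8up, kubenav, nginx-system, postgres and starboard hunks.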
diff --git a/infrastructure/drivers/namespace.yaml b/infrastructure/drivers/namespace.yaml
index 09f50de0c..68fe0593c 100644
--- a/infrastructure/drivers/namespace.yaml
+++ b/infrastructure/drivers/namespace.yaml
@@ -3,5 +3,10 @@ kind: Namespace
 metadata:
   name: drivers-system
   labels:
-    name: drivers-system
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
     kyverno.shivering-isles.com/class: "system"
diff --git a/infrastructure/k8up/namespace.yaml b/infrastructure/k8up/namespace.yaml
index 2d4e97947..dd4a043d7 100644
--- a/infrastructure/k8up/namespace.yaml
+++ b/infrastructure/k8up/namespace.yaml
@@ -3,5 +3,10 @@ kind: Namespace
 metadata:
   name: k8up-system
   labels:
-    name: k8up-system
-    kyverno.shivering-isles.com/class: "system" 
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
+    kyverno.shivering-isles.com/class: "system"
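Review bot: `enforce: baseline` on the added line is looser than the `audit`/`warn: restricted` level on the neighbouring lines, and nothing records which k8up workload prevents enforcing restricted, so the gap is hard to revisit later. A short comment above the enforce label, along the lines of `# enforce stays at baseline until <workload placeholder> runs without <requirement placeholder>; audit/warn at restricted to surface the gap`, would keep the intent reviewable. The same baseline/restricted split appears in the cert-manager, nginx-system, postgres and starboard hunks.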
diff --git a/infrastructure/kubenav/namespace.yaml b/infrastructure/kubenav/namespace.yaml
index 75ec10bb6..53162f1cb 100644
--- a/infrastructure/kubenav/namespace.yaml
+++ b/infrastructure/kubenav/namespace.yaml
@@ -3,5 +3,10 @@ kind: Namespace
 metadata:
   name: kubenav-system
   labels:
-    name: kubenav-system
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
     kyverno.shivering-isles.com/class: "system"
diff --git a/infrastructure/loki/namespace.yaml b/infrastructure/loki/namespace.yaml
index d0ca51d76..bccd86da3 100644
--- a/infrastructure/loki/namespace.yaml
+++ b/infrastructure/loki/namespace.yaml
@@ -7,3 +7,6 @@ metadata:
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
diff --git a/infrastructure/longhorn/namespace.yaml b/infrastructure/longhorn/namespace.yaml
index 12fdb4428..8a3d95c36 100644
--- a/infrastructure/longhorn/namespace.yaml
+++ b/infrastructure/longhorn/namespace.yaml
@@ -9,3 +9,6 @@ metadata:
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
diff --git a/infrastructure/metallb/namespace.yaml b/infrastructure/metallb/namespace.yaml
index f7ad6ef9b..a1e350ddb 100644
--- a/infrastructure/metallb/namespace.yaml
+++ b/infrastructure/metallb/namespace.yaml
@@ -8,3 +8,6 @@ metadata:
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
diff --git a/infrastructure/monitoring/namespace.yaml b/infrastructure/monitoring/namespace.yaml
index 6e28f37a1..fe3672421 100644
--- a/infrastructure/monitoring/namespace.yaml
+++ b/infrastructure/monitoring/namespace.yaml
@@ -9,3 +9,6 @@ metadata:
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
diff --git a/infrastructure/nginx-system/namespace.yaml b/infrastructure/nginx-system/namespace.yaml
index b1078460e..c1db153e3 100644
--- a/infrastructure/nginx-system/namespace.yaml
+++ b/infrastructure/nginx-system/namespace.yaml
@@ -3,6 +3,11 @@ kind: Namespace
 metadata:
   name: nginx-system
   labels:
-    name: nginx-system
-    kyverno.shivering-isles.com/class: "system" 
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
+    kyverno.shivering-isles.com/class: "system"
     ingress.shivering-isles.com/network-access-required: "true"
diff --git a/infrastructure/node-features/namespace.yaml b/infrastructure/node-features/namespace.yaml
index 78b38b95a..01eb6f9ec 100644
--- a/infrastructure/node-features/namespace.yaml
+++ b/infrastructure/node-features/namespace.yaml
@@ -8,3 +8,6 @@ metadata:
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
diff --git a/infrastructure/postgres/namespace.yaml b/infrastructure/postgres/namespace.yaml
index f2b5639f2..dd7fa650b 100644
--- a/infrastructure/postgres/namespace.yaml
+++ b/infrastructure/postgres/namespace.yaml
@@ -3,6 +3,11 @@ kind: Namespace
 metadata:
   name: postgres-system
   labels:
-    name: postgres-system
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
     kyverno.shivering-isles.com/class: "system"
     database.shivering-isles.com/network-access-required: "true"
diff --git a/infrastructure/starboard/namespace.yaml b/infrastructure/starboard/namespace.yaml
index b8e0b9013..4aec73b6d 100644
--- a/infrastructure/starboard/namespace.yaml
+++ b/infrastructure/starboard/namespace.yaml
@@ -3,5 +3,10 @@ kind: Namespace
 metadata:
   name: starboard-system
   labels:
-    name: starboard-system
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
     kyverno.shivering-isles.com/class: "system"
-- 
GitLab