feat(infrastructure): Use Pod Security Standards for infrastructure

This patch enables explicit pod security standards on all infrastructure
namespaces.

bootstrap/calico/namespace.yaml

@@ -7,3 +7,6 @@ metadata:
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23

infrastructure/cert-manager/namespace.yaml

@@ -3,5 +3,10 @@ kind: Namespace
 metadata:
   name: cert-manager
   labels:
-    name: cert-manager
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
     kyverno.shivering-isles.com/class: "system"

infrastructure/drivers/namespace.yaml

@@ -3,5 +3,10 @@ kind: Namespace
 metadata:
   name: drivers-system
   labels:
-    name: drivers-system
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
     kyverno.shivering-isles.com/class: "system"

infrastructure/k8up/namespace.yaml

@@ -3,5 +3,10 @@ kind: Namespace
 metadata:
   name: k8up-system
   labels:
-    name: k8up-system
-    kyverno.shivering-isles.com/class: "system" 
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
+    kyverno.shivering-isles.com/class: "system"

infrastructure/kubenav/namespace.yaml

@@ -3,5 +3,10 @@ kind: Namespace
 metadata:
   name: kubenav-system
   labels:
-    name: kubenav-system
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
     kyverno.shivering-isles.com/class: "system"

infrastructure/loki/namespace.yaml

@@ -7,3 +7,6 @@ metadata:
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23

infrastructure/longhorn/namespace.yaml

@@ -9,3 +9,6 @@ metadata:
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23

infrastructure/metallb/namespace.yaml

@@ -8,3 +8,6 @@ metadata:
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23

infrastructure/monitoring/namespace.yaml

@@ -9,3 +9,6 @@ metadata:
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23

infrastructure/nginx-system/namespace.yaml

@@ -3,6 +3,11 @@ kind: Namespace
 metadata:
   name: nginx-system
   labels:
-    name: nginx-system
-    kyverno.shivering-isles.com/class: "system" 
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
+    kyverno.shivering-isles.com/class: "system"
     ingress.shivering-isles.com/network-access-required: "true"

infrastructure/node-features/namespace.yaml

@@ -8,3 +8,6 @@ metadata:
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23

infrastructure/postgres/namespace.yaml

@@ -3,6 +3,11 @@ kind: Namespace
 metadata:
   name: postgres-system
   labels:
-    name: postgres-system
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
     kyverno.shivering-isles.com/class: "system"
     database.shivering-isles.com/network-access-required: "true"

infrastructure/starboard/namespace.yaml

@@ -3,5 +3,10 @@ kind: Namespace
 metadata:
   name: starboard-system
   labels:
-    name: starboard-system
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: 1.23
+    pod-security.kubernetes.io/enforce-version: 1.23
+    pod-security.kubernetes.io/warn-version: 1.23
     kyverno.shivering-isles.com/class: "system"