diff --git a/components/argocd/annotations/kustomization.yaml b/components/argocd/annotations/kustomization.yaml index b4facbd..e2a2f15 100644 --- a/components/argocd/annotations/kustomization.yaml +++ b/components/argocd/annotations/kustomization.yaml @@ -48,6 +48,77 @@ patches: - op: add path: /metadata/annotations/argocd.argoproj.io~1sync-wave value: "-35" + # --- FIND-009: PSA audit/warn restricted on remotely-sourced Namespaces --- + # These namespaces are created by openstack-k8s-operators/architecture where + # enforce: privileged is intentional for privileged workloads. Adding audit/warn: + # restricted here surfaces PSA violations in the OCP audit log without blocking + # deployments (OSPRH-32421 / FIND-009). Strategic merge patch: existing labels + # (enforce: privileged) are preserved. + - target: + kind: Namespace + name: openstack + patch: |- + apiVersion: v1 + kind: Namespace + metadata: + name: openstack + labels: + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: latest + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest + - target: + kind: Namespace + name: openstack-operators + patch: |- + apiVersion: v1 + kind: Namespace + metadata: + name: openstack-operators + labels: + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: latest + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest + - target: + kind: Namespace + name: metallb-system + patch: |- + apiVersion: v1 + kind: Namespace + metadata: + name: metallb-system + labels: + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: latest + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest + - target: + kind: Namespace + name: openshift-nmstate + patch: |- + apiVersion: v1 + kind: Namespace + metadata: + name: openshift-nmstate + labels: + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: latest + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest + - target: + kind: Namespace + name: cert-manager-operator + patch: |- + apiVersion: v1 + kind: Namespace + metadata: + name: cert-manager-operator + labels: + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: latest + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest # --- Wave -20: Set up OperatorGroup and CatalogSource for Operator deployments --- - target: kind: OperatorGroup diff --git a/components/secrets/external-secrets-operator/redhat/external-secrets-namespace.yaml b/components/secrets/external-secrets-operator/redhat/external-secrets-namespace.yaml index 1dd2f93..ef7fe11 100644 --- a/components/secrets/external-secrets-operator/redhat/external-secrets-namespace.yaml +++ b/components/secrets/external-secrets-operator/redhat/external-secrets-namespace.yaml @@ -6,3 +6,10 @@ apiVersion: v1 kind: Namespace metadata: name: external-secrets + labels: + pod-security.kubernetes.io/enforce: baseline + pod-security.kubernetes.io/enforce-version: latest + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: latest + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest diff --git a/components/secrets/external-secrets-operator/redhat/namespace.yaml b/components/secrets/external-secrets-operator/redhat/namespace.yaml index 595ddcb..1c3ac84 100644 --- a/components/secrets/external-secrets-operator/redhat/namespace.yaml +++ b/components/secrets/external-secrets-operator/redhat/namespace.yaml @@ -3,3 +3,10 @@ apiVersion: v1 kind: Namespace metadata: name: external-secrets-operator + labels: + pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/enforce-version: latest + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: latest + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: latest diff --git a/openshift-gitops.deploy/subscribe/namespace.yaml b/openshift-gitops.deploy/subscribe/namespace.yaml index 89b3803..e5156fe 100644 --- a/openshift-gitops.deploy/subscribe/namespace.yaml +++ b/openshift-gitops.deploy/subscribe/namespace.yaml @@ -5,10 +5,12 @@ metadata: labels: kubernetes.io/metadata.name: openshift-gitops-operator openshift.io/cluster-monitoring: "true" + pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/enforce-version: latest pod-security.kubernetes.io/audit: restricted - pod-security.kubernetes.io/audit-version: v1.24 + pod-security.kubernetes.io/audit-version: latest pod-security.kubernetes.io/warn: restricted - pod-security.kubernetes.io/warn-version: v1.24 + pod-security.kubernetes.io/warn-version: latest security.openshift.io/scc.podSecurityLabelSync: "true" name: openshift-gitops-operator spec: