From ceaacafb186aeccbd13f110a7bac7fe8abe7c0ab Mon Sep 17 00:00:00 2001
From: biswajit-9776
Date: Sat, 22 Jun 2024 00:46:30 +0530
Subject: [PATCH] Added PSS to contrib/baseline and restricted as kustomize components

Signed-off-by: biswajit-9776
---
.../security/PSS/static/baseline/kustomization.yaml | 10 ++++++++++
.../PSS/static/baseline/patches/istio-labels.yaml | 6 ++++++
.../PSS/static/baseline/patches/kubeflow-labels.yaml | 6 ++++++
.../security/PSS/static/restricted/kustomization.yaml | 10 ++++++++++
.../PSS/static/restricted/patches/istio-labels.yaml | 6 ++++++
.../PSS/static/restricted/patches/kubeflow-labels.yaml | 6 ++++++
6 files changed, 44 insertions(+)
create mode 100644 contrib/security/PSS/static/baseline/kustomization.yaml
create mode 100644 contrib/security/PSS/static/baseline/patches/istio-labels.yaml
create mode 100644 contrib/security/PSS/static/baseline/patches/kubeflow-labels.yaml
create mode 100644 contrib/security/PSS/static/restricted/kustomization.yaml
create mode 100644 contrib/security/PSS/static/restricted/patches/istio-labels.yaml
create mode 100644 contrib/security/PSS/static/restricted/patches/kubeflow-labels.yaml
diff --git a/contrib/security/PSS/static/baseline/kustomization.yaml b/contrib/security/PSS/static/baseline/kustomization.yaml
new file mode 100644
index 0000000000..c5c011e0b3
--- /dev/null
+++ b/contrib/security/PSS/static/baseline/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- ../../../../../common/kubeflow-namespace/base
+- ../../../../../common/istio-1-22/istio-namespace/base
+
+patches:
+- path: patches/kubeflow-labels.yaml
+- path: patches/istio-labels.yaml
diff --git a/contrib/security/PSS/static/baseline/patches/istio-labels.yaml b/contrib/security/PSS/static/baseline/patches/istio-labels.yaml
new file mode 100644
index 0000000000..5821914881
--- /dev/null
+++ b/contrib/security/PSS/static/baseline/patches/istio-labels.yaml
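Review bot: In contrib/security/PSS/static/baseline/kustomization.yaml the `resources:` list makes this Component pull in the kubeflow and istio-system namespace bases itself, so a kustomization that already includes those bases and then adds this component will likely fail on a duplicate resource ID rather than receive the label patch. Consider dropping `resources:` and keeping only `patches:`, so the component labels the Namespace objects the consuming overlay already defines. The hard-coded `istio-1-22` directory also ties this security component to one Istio release, so it stops building when that directory is renamed. The restricted/kustomization.yaml hunk has the same two issues.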
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: istio-system
+ labels:
+ pod-security.kubernetes.io/enforce: baseline
\ No newline at end of file
diff --git a/contrib/security/PSS/static/baseline/patches/kubeflow-labels.yaml b/contrib/security/PSS/static/baseline/patches/kubeflow-labels.yaml
new file mode 100644
index 0000000000..b7325ac8b4
--- /dev/null
+++ b/contrib/security/PSS/static/baseline/patches/kubeflow-labels.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kubeflow
+ labels:
+ pod-security.kubernetes.io/enforce: baseline
\ No newline at end of file
diff --git a/contrib/security/PSS/static/restricted/kustomization.yaml b/contrib/security/PSS/static/restricted/kustomization.yaml
new file mode 100644
index 0000000000..949f1aa1c1
--- /dev/null
+++ b/contrib/security/PSS/static/restricted/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- ../../../../../common/kubeflow-namespace/base
+- ../../../../../common/istio-1-22/istio-namespace/base
+
+patches:
+- path: patches/kubeflow-labels.yaml
+- path: patches/istio-labels.yaml
\ No newline at end of file
diff --git a/contrib/security/PSS/static/restricted/patches/istio-labels.yaml b/contrib/security/PSS/static/restricted/patches/istio-labels.yaml
new file mode 100644
index 0000000000..eda6c6b59f
--- /dev/null
+++ b/contrib/security/PSS/static/restricted/patches/istio-labels.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: istio-system
+ labels:
+ pod-security.kubernetes.io/enforce: restricted
\ No newline at end of file
diff --git a/contrib/security/PSS/static/restricted/patches/kubeflow-labels.yaml b/contrib/security/PSS/static/restricted/patches/kubeflow-labels.yaml
new file mode 100644
index 0000000000..0aacfd6aa9
--- /dev/null
+++ b/contrib/security/PSS/static/restricted/patches/kubeflow-labels.yaml
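Review bot: The `pod-security.kubernetes.io/enforce: baseline` label in baseline/patches/istio-labels.yaml is set without a matching `pod-security.kubernetes.io/enforce-version`, so by default pods are evaluated against the `latest` definition of the standard and a cluster upgrade can change what is rejected without any change to these manifests. Pin the version next to the level, e.g. `pod-security.kubernetes.io/enforce-version: <k8s-minor-version>` (placeholder; use the minor version these manifests are tested against). The same applies to the other three label patches in this commit.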
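Review bot: Enforcing `baseline` on the `kubeflow` namespace in baseline/patches/kubeflow-labels.yaml conflicts with Istio sidecar injection unless the Istio CNI plugin is in use: the injected `istio-init` container requests NET_ADMIN and NET_RAW, which the baseline profile does not allow, so enforce mode rejects the pod at creation. Whether injection is enabled for this namespace is not visible in the diff and should be confirmed against the namespace base. If the component depends on Istio CNI, say so at the top of the patch, e.g. `# Requires Istio CNI: the istio-init container (NET_ADMIN/NET_RAW) violates baseline`. restricted/patches/kubeflow-labels.yaml is affected in the same way.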
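Review bot: restricted/patches/istio-labels.yaml sets only the `enforce` mode, and enforce is applied to Pod objects only, so a Deployment that does not meet `restricted` is still accepted and the failure shows up only as ReplicaSet events when its pods are rejected. Add the reporting modes alongside it, `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted`, so violations are returned to whoever applies the workload and recorded in the audit log. Whether the istio-system workloads already satisfy `restricted` (non-root, seccomp profile set, all capabilities dropped) cannot be told from this diff. restricted/patches/kubeflow-labels.yaml would benefit from the same two labels.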
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kubeflow
+ labels:
+ pod-security.kubernetes.io/enforce: restricted
\ No newline at end of file