Added PSS to contrib/baseline and contrib/restricted as kustomize com…

…ponents (#2757) * Added PSS to contrib/baseline and restricted as kustomize components Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Added kustomize PSS components to example Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Fixed spelling Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Added link to PSS official documentation Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> * Fixed indentation Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com> --------- Signed-off-by: biswajit-9776 <biswajitpatt139@gmail.com>
kubeflow · Jun 24, 2024 · 7a7079b · 7a7079b
1 parent 1b42748
commit 7a7079b
Show file tree

Hide file tree

Showing 7 changed files with 43 additions and 0 deletions.
diff --git a/contrib/security/PSS/static/baseline/kustomization.yaml b/contrib/security/PSS/static/baseline/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patches:
+- path: patches/kubeflow-labels.yaml
+- path: patches/istio-labels.yaml
diff --git a/contrib/security/PSS/static/baseline/patches/istio-labels.yaml b/contrib/security/PSS/static/baseline/patches/istio-labels.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-system
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
diff --git a/contrib/security/PSS/static/baseline/patches/kubeflow-labels.yaml b/contrib/security/PSS/static/baseline/patches/kubeflow-labels.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kubeflow
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
diff --git a/contrib/security/PSS/static/restricted/kustomization.yaml b/contrib/security/PSS/static/restricted/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patches:
+- path: patches/kubeflow-labels.yaml
+- path: patches/istio-labels.yaml
diff --git a/contrib/security/PSS/static/restricted/patches/istio-labels.yaml b/contrib/security/PSS/static/restricted/patches/istio-labels.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-system
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
diff --git a/contrib/security/PSS/static/restricted/patches/kubeflow-labels.yaml b/contrib/security/PSS/static/restricted/patches/kubeflow-labels.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kubeflow
+  labels:
+    pod-security.kubernetes.io/enforce: restricted
diff --git a/example/kustomization.yaml b/example/kustomization.yaml
@@ -88,3 +88,10 @@ resources:
 # KServe
 - ../contrib/kserve/kserve
 - ../contrib/kserve/models-web-app/overlays/kubeflow
+
+# Pod Security Standards
+# https://kubernetes.io/docs/concepts/security/pod-security-standards/
+# Uncomment to enable baseline level standards
+# - ../contrib/security/PSS/static/baseline
+# Uncomment to enable restricted level standards
+# - ../contrib/security/PSS/static/restricted