From ceaacafb186aeccbd13f110a7bac7fe8abe7c0ab Mon Sep 17 00:00:00 2001
From: biswajit-9776
Date: Sat, 22 Jun 2024 00:46:30 +0530
Subject: [PATCH 1/5] Added PSS to contrib/baseline and restricted as kustomize components
Signed-off-by: biswajit-9776
---
 .../security/PSS/static/baseline/kustomization.yaml | 10 ++++++++++
 .../PSS/static/baseline/patches/istio-labels.yaml | 6 ++++++
 .../PSS/static/baseline/patches/kubeflow-labels.yaml | 6 ++++++
 .../security/PSS/static/restricted/kustomization.yaml | 10 ++++++++++
 .../PSS/static/restricted/patches/istio-labels.yaml | 6 ++++++
 .../PSS/static/restricted/patches/kubeflow-labels.yaml | 6 ++++++
 6 files changed, 44 insertions(+)
 create mode 100644 contrib/security/PSS/static/baseline/kustomization.yaml
 create mode 100644 contrib/security/PSS/static/baseline/patches/istio-labels.yaml
 create mode 100644 contrib/security/PSS/static/baseline/patches/kubeflow-labels.yaml
 create mode 100644 contrib/security/PSS/static/restricted/kustomization.yaml
 create mode 100644 contrib/security/PSS/static/restricted/patches/istio-labels.yaml
 create mode 100644 contrib/security/PSS/static/restricted/patches/kubeflow-labels.yaml
diff --git a/contrib/security/PSS/static/baseline/kustomization.yaml b/contrib/security/PSS/static/baseline/kustomization.yaml
new file mode 100644
index 0000000000..c5c011e0b3
--- /dev/null
+++ b/contrib/security/PSS/static/baseline/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- ../../../../../common/kubeflow-namespace/base
+- ../../../../../common/istio-1-22/istio-namespace/base
+
+patches:
+- path: patches/kubeflow-labels.yaml
+- path: patches/istio-labels.yaml
diff --git a/contrib/security/PSS/static/baseline/patches/istio-labels.yaml b/contrib/security/PSS/static/baseline/patches/istio-labels.yaml
new file mode 100644
index 0000000000..5821914881
--- /dev/null
+++ b/contrib/security/PSS/static/baseline/patches/istio-labels.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: istio-system
+ labels:
+ pod-security.kubernetes.io/enforce: baseline
\ No newline at end of file
diff --git a/contrib/security/PSS/static/baseline/patches/kubeflow-labels.yaml b/contrib/security/PSS/static/baseline/patches/kubeflow-labels.yaml
new file mode 100644
index 0000000000..b7325ac8b4
--- /dev/null
+++ b/contrib/security/PSS/static/baseline/patches/kubeflow-labels.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kubeflow
+ labels:
+ pod-security.kubernetes.io/enforce: baseline
\ No newline at end of file
diff --git a/contrib/security/PSS/static/restricted/kustomization.yaml b/contrib/security/PSS/static/restricted/kustomization.yaml
new file mode 100644
index 0000000000..949f1aa1c1
--- /dev/null
+++ b/contrib/security/PSS/static/restricted/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- ../../../../../common/kubeflow-namespace/base
+- ../../../../../common/istio-1-22/istio-namespace/base
+
+patches:
+- path: patches/kubeflow-labels.yaml
+- path: patches/istio-labels.yaml
\ No newline at end of file
diff --git a/contrib/security/PSS/static/restricted/patches/istio-labels.yaml b/contrib/security/PSS/static/restricted/patches/istio-labels.yaml
new file mode 100644
index 0000000000..eda6c6b59f
--- /dev/null
+++ b/contrib/security/PSS/static/restricted/patches/istio-labels.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: istio-system
+ labels:
+ pod-security.kubernetes.io/enforce: restricted
\ No newline at end of file
diff --git a/contrib/security/PSS/static/restricted/patches/kubeflow-labels.yaml b/contrib/security/PSS/static/restricted/patches/kubeflow-labels.yaml
new file mode 100644
index 0000000000..0aacfd6aa9
--- /dev/null
+++ b/contrib/security/PSS/static/restricted/patches/kubeflow-labels.yaml
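Review bot: Each of these Namespace patches sets only `pod-security.kubernetes.io/enforce`, so non-conforming pods are rejected at admission with no warning or audit record, and the level enforced follows whatever the API server treats as `latest` because no `pod-security.kubernetes.io/enforce-version` is pinned. For the baseline patches, adding `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` under `labels:` surfaces the workloads that would block a later move to restricted without changing what is admitted today, and `pod-security.kubernetes.io/enforce-version: <cluster-minor-version>` keeps a cluster upgrade from silently changing the enforced rule set. The label only applies to pods created after it lands, so already-running istio-system and kubeflow pods are not evaluated until they are recreated; whether the istio-1-22 and kubeflow manifests actually satisfy `restricted` is not visible from this change and is best checked through warn/audit before enforcing. The same applies to the kubeflow-labels patch and to the two restricted patches later in this series, and all four files end without a trailing newline.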
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kubeflow
+ labels:
+ pod-security.kubernetes.io/enforce: restricted
\ No newline at end of file
From dde8820f354736cfab875e47a02089ed23fbb20c Mon Sep 17 00:00:00 2001
From: biswajit-9776
Date: Mon, 24 Jun 2024 12:47:06 +0530
Subject: [PATCH 2/5] Added kustomize PSS components to example
Signed-off-by: biswajit-9776
---
 contrib/security/PSS/static/baseline/kustomization.yaml | 4 ----
 contrib/security/PSS/static/restricted/kustomization.yaml | 4 ----
 example/kustomization.yaml | 6 ++++++
 3 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/contrib/security/PSS/static/baseline/kustomization.yaml b/contrib/security/PSS/static/baseline/kustomization.yaml
index c5c011e0b3..0b0db4660a 100644
--- a/contrib/security/PSS/static/baseline/kustomization.yaml
+++ b/contrib/security/PSS/static/baseline/kustomization.yaml
@@ -1,10 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 
-resources:
-- ../../../../../common/kubeflow-namespace/base
-- ../../../../../common/istio-1-22/istio-namespace/base
-
 patches:
 - path: patches/kubeflow-labels.yaml
 - path: patches/istio-labels.yaml
diff --git a/contrib/security/PSS/static/restricted/kustomization.yaml b/contrib/security/PSS/static/restricted/kustomization.yaml
index 949f1aa1c1..bc566efe95 100644
--- a/contrib/security/PSS/static/restricted/kustomization.yaml
+++ b/contrib/security/PSS/static/restricted/kustomization.yaml
@@ -1,10 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 
-resources:
-- ../../../../../common/kubeflow-namespace/base
-- ../../../../../common/istio-1-22/istio-namespace/base
-
 patches:
 - path: patches/kubeflow-labels.yaml
 - path: patches/istio-labels.yaml
\ No newline at end of file
diff --git a/example/kustomization.yaml b/example/kustomization.yaml
index d14af99612..420214bba1 100644
--- a/example/kustomization.yaml
+++ b/example/kustomization.yaml
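Review bot: With `resources:` removed, the baseline component (and the restricted one in the next hunk) patches Namespace objects it no longer declares, so it only builds when the root that includes it already emits the `kubeflow` and `istio-system` Namespaces from `common/kubeflow-namespace/base` and `common/istio-1-22/istio-namespace/base`; building the component on its own, or from a root that omits either namespace, should fail at patch time with an unmatched-target error. Nothing in the file records this dependency, so a comment above `patches:` would help, e.g. `# Requires the kubeflow and istio-system Namespace objects to be present in the including kustomization`. The restricted kustomization.yaml also still ends without a trailing newline.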
@@ -88,3 +88,9 @@ resources:
 # KServe
 - ../contrib/kserve/kserve
 - ../contrib/kserve/models-web-app/overlays/kubeflow
+
+#Pod Security Standarards enabled
+#uncomment below to enable baseline level standards
+# - ../contrib/security/PSS/static/baseline
+#uncomment below to enable restricted level standards
+# - ../contrib/security/PSS/static/restricted
\ No newline at end of file
From d8e18a7e3f4fdedeff8bfe5948a7b88864c07848 Mon Sep 17 00:00:00 2001
From: biswajit-9776
Date: Mon, 24 Jun 2024 12:54:29 +0530
Subject: [PATCH 3/5] Fixed spelling
Signed-off-by: biswajit-9776
---
 example/kustomization.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/example/kustomization.yaml b/example/kustomization.yaml
index 420214bba1..92c05420b7 100644
--- a/example/kustomization.yaml
+++ b/example/kustomization.yaml
@@ -89,7 +89,7 @@ resources:
 - ../contrib/kserve/kserve
 - ../contrib/kserve/models-web-app/overlays/kubeflow
 
-#Pod Security Standarards enabled
+#Pod Security Standards
 #uncomment below to enable baseline level standards
 # - ../contrib/security/PSS/static/baseline
 #uncomment below to enable restricted level standards
From 7c19f4fab8d430190859d34ba16603faa55bdb97 Mon Sep 17 00:00:00 2001
From: biswajit-9776
Date: Mon, 24 Jun 2024 13:09:21 +0530
Subject: [PATCH 4/5] Added link to PSS official documentation
Signed-off-by: biswajit-9776
---
 example/kustomization.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/example/kustomization.yaml b/example/kustomization.yaml
index 92c05420b7..f3e2c61e90 100644
--- a/example/kustomization.yaml
+++ b/example/kustomization.yaml
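Review bot: The commented-out entries `# - ../contrib/security/PSS/static/baseline` and `# - ../contrib/security/PSS/static/restricted` are placed inside the `resources:` list (the hunk header names it and the kserve entries above them are resources), but both targets are `kind: Component` kustomizations, which kustomize only accepts under a `components:` field; uncommenting them as the comment instructs makes `kustomize build` fail instead of enabling PSS. Put them under their own key instead: `components:` followed by `# - ../contrib/security/PSS/static/baseline` and `# - ../contrib/security/PSS/static/restricted`. The later hunks in this series (patches 3 to 5) reword these comments but leave them under `resources:`, so the same move applies there. The file also ends without a trailing newline in every revision.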
@@ -89,7 +89,7 @@ resources:
 - ../contrib/kserve/kserve
 - ../contrib/kserve/models-web-app/overlays/kubeflow
 
-#Pod Security Standards
+#Pod Security Standards (https://kubernetes.io/docs/concepts/security/pod-security-standards/)
 #uncomment below to enable baseline level standards
 # - ../contrib/security/PSS/static/baseline
 #uncomment below to enable restricted level standards
From 8c845a55a4cc9e840df182b64376092fa7ab6825 Mon Sep 17 00:00:00 2001
From: biswajit-9776
Date: Mon, 24 Jun 2024 13:37:02 +0530
Subject: [PATCH 5/5] Fixed indentation
Signed-off-by: biswajit-9776
---
 example/kustomization.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/example/kustomization.yaml b/example/kustomization.yaml
index f3e2c61e90..e6a347652f 100644
--- a/example/kustomization.yaml
+++ b/example/kustomization.yaml
@@ -89,8 +89,9 @@ resources:
 - ../contrib/kserve/kserve
 - ../contrib/kserve/models-web-app/overlays/kubeflow
 
-#Pod Security Standards (https://kubernetes.io/docs/concepts/security/pod-security-standards/)
-#uncomment below to enable baseline level standards
+# Pod Security Standards
+# https://kubernetes.io/docs/concepts/security/pod-security-standards/
+# Uncomment to enable baseline level standards
 # - ../contrib/security/PSS/static/baseline
-#uncomment below to enable restricted level standards
+# Uncomment to enable restricted level standards
 # - ../contrib/security/PSS/static/restricted
\ No newline at end of file