Feature 10948: Set pod security label to helm EE namespaces
Change-Id: I1604e5af66df0c5329694fb930a2450a05832cfd
Signed-off-by: Gabriel Cuba <gcuba@whitestack.com>
diff --git a/osm_lcm/data_utils/lcm_config.py b/osm_lcm/data_utils/lcm_config.py
index 711d76a..4384021 100644
--- a/osm_lcm/data_utils/lcm_config.py
+++ b/osm_lcm/data_utils/lcm_config.py
@@ -122,6 +122,7 @@
eegrpcinittimeout: int = None
eegrpctimeout: int = None
eegrpc_tls_enforce: bool = False
+ eegrpc_pod_admission_policy: str = "baseline"
loglevel: str = "DEBUG"
logfile: str = None
ca_store: str = "/etc/ssl/certs/osm-ca.crt"
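Review bot: The new `eegrpc_pod_admission_policy` field is a free-form `str`, so a typo or an unexpected value in the configuration is only discovered later, when the namespace label is applied. Pod Security Admission defines three levels, `privileged`, `baseline` and `restricted`; checking the configured value against that set when the config is loaded would fail early and with a clear message. The field also deserves a comment noting that `privileged` lifts all restrictions for every EE namespace, e.g. `# Pod Security Admission level for EE namespaces: privileged | baseline | restricted (privileged = no restrictions)`. The enclosing class starts and ends outside the hunk.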
diff --git a/osm_lcm/lcm_helm_conn.py b/osm_lcm/lcm_helm_conn.py
index 30eba46..d7db639 100644
--- a/osm_lcm/lcm_helm_conn.py
+++ b/osm_lcm/lcm_helm_conn.py
@@ -432,6 +432,9 @@
await self._k8sclusterhelm3.create_namespace(
namespace=name,
cluster_uuid=system_cluster_uuid,
+ labels={
+ "pod-security.kubernetes.io/enforce": self.vca_config.eegrpc_pod_admission_policy
+ },
)
await self._k8sclusterhelm3.setup_default_rbac(
name="ee-role",
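Review bot: Only the `enforce` label is set in the `labels` dict, with no `pod-security.kubernetes.io/enforce-version`, so the level is evaluated against the cluster's latest definition and may become stricter after a Kubernetes upgrade; setting the version label explicitly makes that choice visible. Because the label is passed to `create_namespace`, it presumably applies only to namespaces created by this call, so EE namespaces that already exist would stay unlabelled unless handled elsewhere, which is worth confirming. Adding `"pod-security.kubernetes.io/warn": "restricted"` alongside would surface execution environments that fall short of the stricter level without blocking them. The enclosing method starts and ends outside the hunk.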