From: Gabriel Cuba <gcuba@whitestack.com>
Date: Wed, 17 May 2023 06:32:50 +0000 (-0500)
Subject: Feature 10948: Set pod security label to helm EE namespaces
X-Git-Tag: release-v14.0-start~3
X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;ds=inline;h=2dc9cdbb7b6958929df47cc58d870be377dcbb76;p=osm%2FLCM.git

Feature 10948: Set pod security label to helm EE namespaces

Change-Id: I1604e5af66df0c5329694fb930a2450a05832cfd
Signed-off-by: Gabriel Cuba <gcuba@whitestack.com>
---

diff --git a/osm_lcm/data_utils/lcm_config.py b/osm_lcm/data_utils/lcm_config.py
index 711d76a..4384021 100644
--- a/osm_lcm/data_utils/lcm_config.py
+++ b/osm_lcm/data_utils/lcm_config.py
@@ -122,6 +122,7 @@ class VcaConfig(OsmConfigman):
     eegrpcinittimeout: int = None
     eegrpctimeout: int = None
     eegrpc_tls_enforce: bool = False
+    eegrpc_pod_admission_policy: str = "baseline"
     loglevel: str = "DEBUG"
     logfile: str = None
     ca_store: str = "/etc/ssl/certs/osm-ca.crt"
diff --git a/osm_lcm/lcm_helm_conn.py b/osm_lcm/lcm_helm_conn.py
index 30eba46..d7db639 100644
--- a/osm_lcm/lcm_helm_conn.py
+++ b/osm_lcm/lcm_helm_conn.py
@@ -432,6 +432,9 @@ class LCMHelmConn(N2VCConnector, LcmBase):
         await self._k8sclusterhelm3.create_namespace(
             namespace=name,
             cluster_uuid=system_cluster_uuid,
+            labels={
+                "pod-security.kubernetes.io/enforce": self.vca_config.eegrpc_pod_admission_policy
+            },
         )
         await self._k8sclusterhelm3.setup_default_rbac(
             name="ee-role",