From 2dc9cdbb7b6958929df47cc58d870be377dcbb76 Mon Sep 17 00:00:00 2001
From: Gabriel Cuba
Date: Wed, 17 May 2023 01:32:50 -0500
Subject: [PATCH] Feature 10948: Set pod security label to helm EE namespaces

Change-Id: I1604e5af66df0c5329694fb930a2450a05832cfd
Signed-off-by: Gabriel Cuba
---
 osm_lcm/data_utils/lcm_config.py | 1 +
 osm_lcm/lcm_helm_conn.py | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/osm_lcm/data_utils/lcm_config.py b/osm_lcm/data_utils/lcm_config.py
index 711d76a..4384021 100644
--- a/osm_lcm/data_utils/lcm_config.py
+++ b/osm_lcm/data_utils/lcm_config.py
@@ -122,6 +122,7 @@ class VcaConfig(OsmConfigman):
 eegrpcinittimeout: int = None
 eegrpctimeout: int = None
 eegrpc_tls_enforce: bool = False
+ eegrpc_pod_admission_policy: str = "baseline"
 loglevel: str = "DEBUG"
 logfile: str = None
 ca_store: str = "/etc/ssl/certs/osm-ca.crt"
diff --git a/osm_lcm/lcm_helm_conn.py b/osm_lcm/lcm_helm_conn.py
index 30eba46..d7db639 100644
--- a/osm_lcm/lcm_helm_conn.py
+++ b/osm_lcm/lcm_helm_conn.py
@@ -432,6 +432,9 @@ class LCMHelmConn(N2VCConnector, LcmBase):
 await self._k8sclusterhelm3.create_namespace(
 namespace=name,
 cluster_uuid=system_cluster_uuid,
+ labels={
+ "pod-security.kubernetes.io/enforce": self.vca_config.eegrpc_pod_admission_policy
+ },
 )
 await self._k8sclusterhelm3.setup_default_rbac(
 name="ee-role",
-- 
2.25.1
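Review bot: The new `eegrpc_pod_admission_policy` field in `VcaConfig` accepts any string, and nothing in this hunk restricts it to the three Pod Security Standards levels (`privileged`, `baseline`, `restricted`). Because the value becomes the namespace's `pod-security.kubernetes.io/enforce` label in `lcm_helm_conn.py`, a typo would presumably surface only when an execution-environment namespace is created, and `privileged` switches enforcement off entirely. I would document the field with `# Pod Security Standards level for helm EE namespaces: privileged | baseline | restricted (privileged = no enforcement)` and, if the config class offers a validation hook, reject any other value at load time. The class body starts and continues outside the hunk.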
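Review bot: The `labels=` dict passed to `create_namespace` sets only `pod-security.kubernetes.io/enforce`, with no `pod-security.kubernetes.io/enforce-version`, so the level is evaluated against whatever policy version the cluster treats as latest and can become stricter after a cluster upgrade. Consider pinning it with `"pod-security.kubernetes.io/enforce-version": "<pinned-k8s-minor-version>"` (placeholder), and adding `"pod-security.kubernetes.io/warn": "restricted"` so operators can see what a tighter level would reject before changing the config. The label is applied only on this creation call; whether EE namespaces that already exist get labelled cannot be told from the hunk, since the enclosing method starts and ends outside it.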