From 7a7079b8daf7b72960fd5146755a64793f46717e Mon Sep 17 00:00:00 2001
From: biswajit-9776 <115724497+biswajit-9776@users.noreply.github.com>
Date: Mon, 24 Jun 2024 19:10:09 +0530
Subject: [PATCH] Added PSS to contrib/baseline and contrib/restricted as kustomize components (#2757)
* Added PSS to contrib/baseline and restricted as kustomize components
Signed-off-by: biswajit-9776
* Added kustomize PSS components to example
Signed-off-by: biswajit-9776
* Fixed spelling
Signed-off-by: biswajit-9776
* Added link to PSS official documentation
Signed-off-by: biswajit-9776
* Fixed indentation
Signed-off-by: biswajit-9776
---------
Signed-off-by: biswajit-9776
---
 contrib/security/PSS/static/baseline/kustomization.yaml | 6 ++++++
 .../security/PSS/static/baseline/patches/istio-labels.yaml | 6 ++++++
 .../PSS/static/baseline/patches/kubeflow-labels.yaml | 6 ++++++
 contrib/security/PSS/static/restricted/kustomization.yaml | 6 ++++++
 .../PSS/static/restricted/patches/istio-labels.yaml | 6 ++++++
 .../PSS/static/restricted/patches/kubeflow-labels.yaml | 6 ++++++
 example/kustomization.yaml | 7 +++++++
 7 files changed, 43 insertions(+)
 create mode 100644 contrib/security/PSS/static/baseline/kustomization.yaml
 create mode 100644 contrib/security/PSS/static/baseline/patches/istio-labels.yaml
 create mode 100644 contrib/security/PSS/static/baseline/patches/kubeflow-labels.yaml
 create mode 100644 contrib/security/PSS/static/restricted/kustomization.yaml
 create mode 100644 contrib/security/PSS/static/restricted/patches/istio-labels.yaml
 create mode 100644 contrib/security/PSS/static/restricted/patches/kubeflow-labels.yaml
diff --git a/contrib/security/PSS/static/baseline/kustomization.yaml b/contrib/security/PSS/static/baseline/kustomization.yaml
new file mode 100644
index 0000000000..0b0db4660a
--- /dev/null
+++ b/contrib/security/PSS/static/baseline/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patches:
+- path: patches/kubeflow-labels.yaml
+- path: patches/istio-labels.yaml
diff --git a/contrib/security/PSS/static/baseline/patches/istio-labels.yaml b/contrib/security/PSS/static/baseline/patches/istio-labels.yaml
new file mode 100644
index 0000000000..5821914881
--- /dev/null
+++ b/contrib/security/PSS/static/baseline/patches/istio-labels.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: istio-system
+ labels:
+ pod-security.kubernetes.io/enforce: baseline
\ No newline at end of file
diff --git a/contrib/security/PSS/static/baseline/patches/kubeflow-labels.yaml b/contrib/security/PSS/static/baseline/patches/kubeflow-labels.yaml
new file mode 100644
index 0000000000..b7325ac8b4
--- /dev/null
+++ b/contrib/security/PSS/static/baseline/patches/kubeflow-labels.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kubeflow
+ labels:
+ pod-security.kubernetes.io/enforce: baseline
\ No newline at end of file
diff --git a/contrib/security/PSS/static/restricted/kustomization.yaml b/contrib/security/PSS/static/restricted/kustomization.yaml
new file mode 100644
index 0000000000..bc566efe95
--- /dev/null
+++ b/contrib/security/PSS/static/restricted/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patches:
+- path: patches/kubeflow-labels.yaml
+- path: patches/istio-labels.yaml
\ No newline at end of file
diff --git a/contrib/security/PSS/static/restricted/patches/istio-labels.yaml b/contrib/security/PSS/static/restricted/patches/istio-labels.yaml
new file mode 100644
index 0000000000..eda6c6b59f
--- /dev/null
+++ b/contrib/security/PSS/static/restricted/patches/istio-labels.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: istio-system
+ labels:
+ pod-security.kubernetes.io/enforce: restricted
\ No newline at end of file
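Review bot: The baseline component patches only the two Namespace objects named under `patches:` (`kubeflow` and `istio-system`), so every other namespace in the deployment — presumably including the per-user profile namespaces, which are created at runtime rather than from these manifests — keeps no `pod-security.kubernetes.io/enforce` label and is not covered by the level the component's name advertises. The same applies to the restricted kustomization hunk. Both kustomization.yaml files should state that scope up front, for example `# Labels only the statically defined kubeflow and istio-system namespaces; namespaces created at runtime are not covered`. The restricted copy is also written without a trailing newline.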
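Review bot: The Namespace patch sets only `pod-security.kubernetes.io/enforce`, so a pod that violates the level is rejected with no entry in the API server audit log and no client-side warning, which makes the first rollout hard to diagnose; the same applies to the baseline kubeflow-labels hunk and to both restricted patch hunks. Adding `pod-security.kubernetes.io/audit: baseline` and `pod-security.kubernetes.io/warn: baseline` next to the enforce label (with `restricted` in the restricted copies) records and surfaces violations, and a `pod-security.kubernetes.io/enforce-version` pin keeps the applied ruleset from changing silently on a cluster upgrade. Worth confirming before merging: enforcing baseline on a namespace that receives the Istio sidecar requires Istio CNI or an exception for the sidecar's traffic-redirect init container, since that init container requests capabilities the baseline level does not allow; that prerequisite belongs in a comment or README next to the component. All four patch files are also written without a trailing newline.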
diff --git a/contrib/security/PSS/static/restricted/patches/kubeflow-labels.yaml b/contrib/security/PSS/static/restricted/patches/kubeflow-labels.yaml
new file mode 100644
index 0000000000..0aacfd6aa9
--- /dev/null
+++ b/contrib/security/PSS/static/restricted/patches/kubeflow-labels.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kubeflow
+ labels:
+ pod-security.kubernetes.io/enforce: restricted
\ No newline at end of file
diff --git a/example/kustomization.yaml b/example/kustomization.yaml
index d14af99612..e6a347652f 100644
--- a/example/kustomization.yaml
+++ b/example/kustomization.yaml
@@ -88,3 +88,10 @@ resources:
 # KServe
 - ../contrib/kserve/kserve
 - ../contrib/kserve/models-web-app/overlays/kubeflow
+
+# Pod Security Standards
+# https://kubernetes.io/docs/concepts/security/pod-security-standards/
+# Uncomment to enable baseline level standards
+# - ../contrib/security/PSS/static/baseline
+# Uncomment to enable restricted level standards
+# - ../contrib/security/PSS/static/restricted
\ No newline at end of file
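Review bot: The commented-out entries `# - ../contrib/security/PSS/static/baseline` and `# - ../contrib/security/PSS/static/restricted` sit inside the `resources:` list (the list begins at line 88, outside this hunk), but both targets are `kind: Component`, and kustomize rejects a Component referenced from `resources:`; a user who uncomments as instructed gets a build error rather than enforcement. The two paths should be offered under a `components:` field instead, e.g. `components:` followed by `# - ../contrib/security/PSS/static/baseline`, with the "Uncomment to enable" comments moved along with them. The added lines also end without a trailing newline.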