PSA: add restricted labels to openshift-gitops namespace (#674)

ibihim · svghadi · iam-veeramalla · web-flow · commit 3d9d30de89f2 · 2024-05-30T13:01:38.000Z
* controllers: add psa labels to ns

* controllers: add SCC pinning to Pods

It is recommended to pin the SCC required for the Pods. It can occur
that a customer specifies a SCC that has a higher priority than
required-v2, which could lead to failing workloads in the namespace.

---------

Co-authored-by: Siddhesh Ghadi &lt;61187612+svghadi@users.noreply.github.com&gt;
Co-authored-by: Abhishek Veeramalla &lt;abhishek.veeramalla@gmail.com&gt;
diff --git a/controllers/gitopsservice_controller.go b/controllers/gitopsservice_controller.go
@@ -217,7 +217,7 @@ func (r *ReconcileGitopsService) Reconcile(ctx context.Context, request reconcil
 	}
 
 	// Create namespace if it doesn't already exist
-	namespaceRef := newNamespace(namespace)
+	namespaceRef := newRestrictedNamespace(namespace)
 	err = r.Client.Get(ctx, types.NamespacedName{Name: namespace}, &corev1.Namespace{})
 	if err != nil {
 		if errors.IsNotFound(err) {
@@ -300,7 +300,7 @@ func (r *ReconcileGitopsService) ensureDefaultArgoCDInstanceDoesntExist(instance
 		return err
 	}
 
-	argocdNS := newNamespace(defaultArgoCDInstance.Namespace)
+	argocdNS := newRestrictedNamespace(defaultArgoCDInstance.Namespace)
 	err = r.Client.Get(context.TODO(), types.NamespacedName{Name: argocdNS.Name}, &corev1.Namespace{})
 	if err != nil {
 
@@ -339,7 +339,7 @@ func (r *ReconcileGitopsService) reconcileDefaultArgoCDInstance(instance *pipeli
 	// The operator decides the namespace based on the version of the cluster it is installed in
 	// 4.6 Cluster: Backend in openshift-pipelines-app-delivery namespace and argocd in openshift-gitops namespace
 	// 4.7 Cluster: Both backend and argocd instance in openshift-gitops namespace
-	argocdNS := newNamespace(defaultArgoCDInstance.Namespace)
+	argocdNS := newRestrictedNamespace(defaultArgoCDInstance.Namespace)
 	err = r.Client.Get(context.TODO(), types.NamespacedName{Name: argocdNS.Name}, &corev1.Namespace{})
 	if err != nil {
 		if errors.IsNotFound(err) {
@@ -762,6 +762,10 @@ func newBackendDeployment(ns types.NamespacedName) *appsv1.Deployment {
 		ObjectMeta: metav1.ObjectMeta{
 			Labels: map[string]string{
 				"app.kubernetes.io/name": ns.Name,
+
+				// restricted-v2 pinning is recommended for openshift workloads
+				// This SCC mutates the Pod Spec to pass PSA's restricted policy.
+				"openshift.io/required-scc": "restricted-v2",
 			},
 		},
 		Spec: podSpec,
@@ -811,14 +815,26 @@ func newBackendService(ns types.NamespacedName) *corev1.Service {
 	return svc
 }
 
-func newNamespace(ns string) *corev1.Namespace {
+func newRestrictedNamespace(ns string) *corev1.Namespace {
 	objectMeta := metav1.ObjectMeta{
 		Name: ns,
 		Labels: map[string]string{
 			// Enable full-fledged support for integration with cluster monitoring.
 			"openshift.io/cluster-monitoring": "true",
 		},
 	}
+
+	if strings.HasPrefix(ns, "openshift-") {
+		// Set pod security policy, which is required for namespaces pre-fixed with openshift
+		// as the pod security label syncer doesn't set them on OCP namespaces.
+		objectMeta.Labels["pod-security.kubernetes.io/enforce"] = "restricted"
+		objectMeta.Labels["pod-security.kubernetes.io/enforce-version"] = "v1.29"
+		objectMeta.Labels["pod-security.kubernetes.io/audit"] = "restricted"
+		objectMeta.Labels["pod-security.kubernetes.io/audit-version"] = "latest"
+		objectMeta.Labels["pod-security.kubernetes.io/warn"] = "restricted"
+		objectMeta.Labels["pod-security.kubernetes.io/warn-version"] = "latest"
+	}
+
 	return &corev1.Namespace{
 		ObjectMeta: objectMeta,
 	}
