Merge branch 'feature/namespace-add-podsecurity-label' into 'v3'

kubernetes: Add support for PodSecurity labeling See merge request anders/ci-configuration!370
andersinno · Sep 8, 2023 · 3bc7332 · 3bc7332
2 parents fabbbfc + 92cb851
commit 3bc7332
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 2 deletions.
diff --git a/.gitlab-ci-base-template.yml b/.gitlab-ci-base-template.yml
@@ -30,6 +30,10 @@ variables:
   SERVICE_ARTIFACT_FOLDER: "service_artifacts"
   BUILD_ARTIFACT_FOLDER: "build_artifacts"
 
+  # Default PodSecurity label
+  K8S_POD_SECURITY: baseline
+
+  # Kolga branch used in the pipeline
   KOLGA_BRANCH: "v3"
 
 .build:

diff --git a/kolga/libs/kubernetes.py b/kolga/libs/kubernetes.py
@@ -287,6 +287,17 @@ def get_namespace_labels() -> Dict[str, str]:
         # TODO: Un-hardcode this label
         labels = {"app": "kubed"}
 
+        if settings.K8S_POD_SECURITY:
+            if settings.K8S_POD_SECURITY not in (
+                "privileged",
+                "baseline",
+                "restricted",
+            ):
+                logger.warning(
+                    f"Unknown pod security standard: {settings.K8S_POD_SECURITY}"
+                )
+            labels["pod-security.kubernetes.io/enforce"] = settings.K8S_POD_SECURITY
+
         if settings.PROJECT_ID:
             labels["kolga.io/project_id"] = settings.PROJECT_ID
 

diff --git a/kolga/settings.py b/kolga/settings.py
@@ -171,6 +171,7 @@ class SettingsValues(BaseSettings):
     K8S_PERSISTENT_STORAGE_PATH: str = ""
     K8S_PERSISTENT_STORAGE_SIZE: str = "1Gi"
     K8S_PERSISTENT_STORAGE_STORAGE_TYPE: str = "standard"
+    K8S_POD_SECURITY: str = ""
     K8S_PROBE_FAILURE_THRESHOLD: int = 3
     K8S_PROBE_INITIAL_DELAY: int = 60
     K8S_PROBE_PERIOD: int = 10

diff --git a/utils/check-style b/utils/check-style
@@ -6,6 +6,8 @@ set -u
 # Change working directory to project root
 cd "$(dirname "$0")/.."
 
+set -x
+
 flake8
-isort . -c
-black . --check
+isort . --check
+black . --check --diff