This patch enforces the restricted Pod Security Standards profile on the istio-ingress namespace. The restricted profile forbids the added Linux capabilities (NET_ADMIN, NET_RAW) that the istio-init init container needs to set up traffic redirection, so the Istio CNI plugin is required: it moves redirection out of the per-pod init container and into the CNI DaemonSet pod, which runs in a separately labelled namespace. Refer to: - https://istio.io/latest/docs/setup/additional-setup/pod-security-admission/ - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
package holos
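// Refer to https://kubernetes.io/docs/concepts/security/pod-security-standards/
//
// Restricted applies the Pod Security Admission "restricted" profile to a
// namespace. `enforce` rejects non-conforming pods at admission time; `warn`
// and `audit` are set to the same level so that a violation is also surfaced
// to whoever creates the pod and recorded in the API server audit log. Neither
// of those two modes blocks anything the enforce label does not already block.
//
// NOTE(review): "-version: latest" tracks the policy shipped with whatever
// Kubernetes version the API server is running, so a cluster upgrade can
// tighten the profile and start rejecting pods that were previously admitted.
// Pin a specific minor (e.g. "v1.29") if that behaviour is not acceptable.
let Restricted = {
	labels: {
		"pod-security.kubernetes.io/enforce":         "restricted"
		"pod-security.kubernetes.io/enforce-version": "latest"
		"pod-security.kubernetes.io/warn":            "restricted"
		"pod-security.kubernetes.io/warn-version":    "latest"
		"pod-security.kubernetes.io/audit":           "restricted"
		"pod-security.kubernetes.io/audit-version":   "latest"
	}
}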
// Privileged opts a namespace out of Pod Security Admission: the "privileged"
// profile is the unrestricted policy, so it admits any pod spec. Use it only
// for namespaces whose workloads genuinely need host-level access. A namespace
// that carries no pod-security label at all does not get this profile; it
// inherits whatever default the cluster's PodSecurity admission config sets.
let Privileged = {
	labels: {
		"pod-security.kubernetes.io/enforce":         "privileged"
		"pod-security.kubernetes.io/enforce-version": "latest"
	}
}
// #PlatformNamespaces is the union of all namespaces across all cluster types.
// Every namespace is created in every cluster, whether or not it is used
// there; this keeps IAM, RBAC, and Secrets sync consistent (and therefore
// auditable) from one cluster to the next.
//
// NOTE(review): entries that carry no Pod Security label (external-secrets,
// holos-system, flux-system, cert-manager, argocd) are admitted under the
// cluster-wide default of the PodSecurity admission configuration. If no
// default is configured there, that is the unrestricted "privileged" level,
// so the labels below are not the whole effective policy — confirm the
// cluster default before relying on this list.
#PlatformNamespaces: [
	// No label: effective level is the cluster default.
	{name: "external-secrets"},
	{name: "holos-system"},
	{name: "flux-system"},
	// Explicit opt-out — presumably because these workloads need host access;
	// verify against the ceph and istio control-plane manifests.
	Privileged & {name: "ceph-system"},
	Privileged & {name: "istio-system"},
	// Ingress gateways rely on the istio-cni plugin for traffic redirection,
	// so the restricted profile can be enforced here.
	Restricted & {name: "istio-ingress"},
	// No label: effective level is the cluster default.
	{name: "cert-manager"},
	{name: "argocd"},
]