From 19c883662490d64787549dfd9fec1923a88954d5 Mon Sep 17 00:00:00 2001
From: Xun Jiang/Bruce Jiang <59276555+blackpiglet@users.noreply.github.com>
Date: Fri, 8 Sep 2023 02:04:08 +0800
Subject: [PATCH] Add PSA audit and warn labels. (#6773)

Signed-off-by: Xun Jiang
---
 changelogs/unreleased/6773-blackpiglet | 1 +
 pkg/install/resources.go | 14 +++++++++++---
 pkg/install/resources_test.go | 4 ++++
 3 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/unreleased/6773-blackpiglet

diff --git a/changelogs/unreleased/6773-blackpiglet b/changelogs/unreleased/6773-blackpiglet
new file mode 100644
index 000000000..e7e5d7120
--- /dev/null
+++ b/changelogs/unreleased/6773-blackpiglet
@@ -0,0 +1 @@
+Add PSA audit and warn labels.
\ No newline at end of file
diff --git a/pkg/install/resources.go b/pkg/install/resources.go
index a51137400..0f862d016 100644
--- a/pkg/install/resources.go
+++ b/pkg/install/resources.go
@@ -30,7 +30,11 @@ import (
 velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 )
 
-const defaultServiceAccountName = "velero"
+const (
+ defaultServiceAccountName = "velero"
+ podSecurityLevel = "privileged"
+ podSecurityVersion = "latest"
+)
 
 var (
 DefaultVeleroPodCPURequest = "500m"
@@ -146,8 +150,12 @@ func Namespace(namespace string) *corev1.Namespace {
 },
 }
 
- ns.Labels["pod-security.kubernetes.io/enforce"] = "privileged"
- ns.Labels["pod-security.kubernetes.io/enforce-version"] = "latest"
+ ns.Labels["pod-security.kubernetes.io/enforce"] = podSecurityLevel
+ ns.Labels["pod-security.kubernetes.io/enforce-version"] = podSecurityVersion
+ ns.Labels["pod-security.kubernetes.io/audit"] = podSecurityLevel
+ ns.Labels["pod-security.kubernetes.io/audit-version"] = podSecurityVersion
+ ns.Labels["pod-security.kubernetes.io/warn"] = podSecurityLevel
+ ns.Labels["pod-security.kubernetes.io/warn-version"] = podSecurityVersion
 
 return ns
 }
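Review bot: Labelling the namespace with `audit` and `warn` at `privileged` (the six assignments in the second hunk) does not just match the enforce level, it switches the audit and warn channels off for this namespace: `privileged` is the most permissive PSS level, so no pod in the Velero namespace will ever receive an audit annotation or an admission warning, and a cluster-wide `baseline`/`restricted` default for those modes is overridden rather than inherited. If the goal is only to keep `privileged` enforcement so Velero's own pods are admitted, audit (and arguably warn) can stay stricter at no operational cost, since neither mode blocks admission: `ns.Labels["pod-security.kubernetes.io/audit"] = "baseline"` would keep a record of privileged workloads landing in the namespace. If silencing cluster-default warnings on install is the intent, that trade-off deserves a why-comment above the block, e.g. `// Velero's workloads presumably need the privileged PSS level (verify against the node-agent spec); audit/warn are pinned explicitly so cluster-wide PSA defaults do not apply to this namespace.` The `Namespace` function starts before this hunk.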
diff --git a/pkg/install/resources_test.go b/pkg/install/resources_test.go
index 298dca9eb..28fc2e452 100644
--- a/pkg/install/resources_test.go
+++ b/pkg/install/resources_test.go
@@ -45,6 +45,10 @@ func TestResources(t *testing.T) {
 // PSA(Pod Security Admission) and PSS(Pod Security Standards).
 assert.Equal(t, ns.Labels["pod-security.kubernetes.io/enforce"], "privileged")
 assert.Equal(t, ns.Labels["pod-security.kubernetes.io/enforce-version"], "latest")
+ assert.Equal(t, ns.Labels["pod-security.kubernetes.io/audit"], "privileged")
+ assert.Equal(t, ns.Labels["pod-security.kubernetes.io/audit-version"], "latest")
+ assert.Equal(t, ns.Labels["pod-security.kubernetes.io/warn"], "privileged")
+ assert.Equal(t, ns.Labels["pod-security.kubernetes.io/warn-version"], "latest")
 
 crb := ClusterRoleBinding(DefaultVeleroNamespace)
 // The CRB is a cluster-scoped resource
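Review bot: The four added assertions copy the existing two in passing the label value as the expected argument and the string literal as the actual one, but testify's `assert.Equal(t, expected, actual)` takes them the other way round, so a failure will print expected `""` / actual `"privileged"` and send the reader the wrong way. Since these lines are new, flipping them costs nothing: `assert.Equal(t, "privileged", ns.Labels["pod-security.kubernetes.io/audit"])`, and likewise for the other three. A small loop over the three modes (`enforce`, `audit`, `warn`) checking both the level and the `-version` label would also make it harder to add a label in resources.go without a matching assertion here. `TestResources` starts before this hunk and continues after it.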