Merge pull request #5873 from blackpiglet/add_psa_support

Shubham Pampattiwar
2023-03-08 17:41:53 -08:00
committed by GitHub
3 changed files with 12 additions and 1 deletions


@@ -138,13 +138,18 @@ func ClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding {
}
func Namespace(namespace string) *corev1.Namespace {
return &corev1.Namespace{
ns := &corev1.Namespace{
ObjectMeta: objectMeta("", namespace),
TypeMeta: metav1.TypeMeta{
Kind: "Namespace",
APIVersion: corev1.SchemeGroupVersion.String(),
},
}
ns.Labels["pod-security.kubernetes.io/enforce"] = "privileged"
ns.Labels["pod-security.kubernetes.io/enforce-version"] = "latest"
return ns
}
func BackupStorageLocation(namespace, provider, bucket, prefix string, config map[string]string, caCert []byte) *velerov1api.BackupStorageLocation {
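Review bot: `Namespace` now hard-codes `pod-security.kubernetes.io/enforce` to `privileged`, the least restrictive Pod Security level, so admission enforcement is effectively off for every pod created in the install namespace, not only the ones that need host access. The function itself has no comment explaining this; the reason appears only in the test file, so I would add something like `// Label the namespace "privileged" so Velero pods are admitted under PSA on k8s v1.25+; this disables Pod Security enforcement for the whole namespace.` above the two assignments. If some installs do not need that level, consider taking the level as a parameter, or also setting `pod-security.kubernetes.io/audit` and `pod-security.kubernetes.io/warn` to a stricter level so violations are still reported. The writes to `ns.Labels` also assume `objectMeta` returns a non-nil map; that helper is outside the hunk, so this should be confirmed, since assigning into a nil map panics.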


@@ -40,6 +40,11 @@ func TestResources(t *testing.T) {
ns := Namespace("velero")
assert.Equal(t, "velero", ns.Name)
// For k8s version v1.25 and later, need to add the following labels to make
// velero installation namespace has privileged version to work with
// PSA(Pod Security Admission) and PSS(Pod Security Standards).
assert.Equal(t, ns.Labels["pod-security.kubernetes.io/enforce"], "privileged")
assert.Equal(t, ns.Labels["pod-security.kubernetes.io/enforce-version"], "latest")
crb := ClusterRoleBinding(DefaultVeleroNamespace)
// The CRB is a cluster-scoped resource
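Review bot: The two new `assert.Equal` calls pass the actual value first and the expected value second, the reverse of the `assert.Equal(t, "velero", ns.Name)` call just above them, so a failure would report expected and actual swapped. I would write `assert.Equal(t, "privileged", ns.Labels["pod-security.kubernetes.io/enforce"])` and `assert.Equal(t, "latest", ns.Labels["pod-security.kubernetes.io/enforce-version"])`. The comment could also say plainly that the labels set the namespace's enforce level to `privileged`, which is a security-relevant default worth stating outright. `TestResources` starts and continues outside the hunk.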