Allow setting the pod security labels on the Flux namespace

stefanprodan · stefanprodan · commit e031f926b7d7 · 2024-12-20T14:46:48.000+02:00
Signed-off-by: Stefan Prodan &lt;stefan.prodan@gmail.com&gt;
diff --git a/modules/flux-aio/README.md b/modules/flux-aio/README.md
@@ -88,6 +88,7 @@ flux -n flux-system uninstall
 | `imagePullSecret: username:` | `string`                           | `null`                        | Registry username for the generated image pull secret                                                                                                                                    |
 | `imagePullSecret: password:` | `string`                           | `null`                        | Registry password for the generated image pull secret                                                                                                                                    |
 | `compatibility:`             | `string`                           | `kubernetes`                  | Can be set to `openshift` to make the security context compatible with RedHat OpenShift                                                                                                  |                                                                                                 |
+| `podSecurityProfile:`        | `string`                           | `""`                          | Can be `privileged` or `restricted`, used for setting the `pod-security.kubernetes.io` labels on the namespace                                                                           |
 
 ### Controllers
 
diff --git a/modules/flux-aio/debug_values.cue b/modules/flux-aio/debug_values.cue
@@ -63,8 +63,9 @@ values: {
 		identity: "arn:aws:iam::111122223333:role/my-role"
 		provider: "aws"
 	}
-	hostNetwork:     true
-	securityProfile: "privileged"
+	hostNetwork:        true
+	podSecurityProfile: "privileged"
+	securityProfile:    "privileged"
 	resources: {
 		requests: {
 			cpu:    "250m"
diff --git a/modules/flux-aio/templates/config.cue b/modules/flux-aio/templates/config.cue
@@ -64,6 +64,8 @@ import (
 
 	securityProfile: "restricted" | "privileged"
 
+	podSecurityProfile: *"" | "restricted" | "privileged"
+
 	logLevel: *"info" | string
 
 	hostNetwork: *true | bool
diff --git a/modules/flux-aio/templates/namespace.cue b/modules/flux-aio/templates/namespace.cue
@@ -10,7 +10,14 @@ import (
 	kind:       "Namespace"
 	metadata: {
 		name:        #config.metadata.namespace
-		labels:      #config.metadata.labels
 		annotations: #config.metadata.annotations
+		labels:      #config.metadata.labels
+		if #config.podSecurityProfile != "" {
+			labels: {
+				"pod-security.kubernetes.io/enforce": #config.podSecurityProfile
+				"pod-security.kubernetes.io/warn":    #config.podSecurityProfile
+				"pod-security.kubernetes.io/audit":   #config.podSecurityProfile
+			}
+		}
 	}
 }
