From 03335e95a69029851564617fbbf0a379afe3b9e1 Mon Sep 17 00:00:00 2001
From: Max Rantil
Date: Mon, 19 Feb 2024 18:57:21 +0000
Subject: [PATCH] Implement privileged namespace security policy update for tilt-prepare
This commit updates the updateNamespaceSecurityStandard function to set the pod-security.kubernetes.io/enforce label to 'privileged' for Namespace objects.
Signed-off-by: Max Rantil
Co-authored-by: Christian Schlotter
---
 hack/tools/internal/tilt-prepare/main.go | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/hack/tools/internal/tilt-prepare/main.go b/hack/tools/internal/tilt-prepare/main.go
index c1366ea8c8ff..3d3c1435eef7 100644
--- a/hack/tools/internal/tilt-prepare/main.go
+++ b/hack/tools/internal/tilt-prepare/main.go
@@ -788,6 +788,9 @@ func writeIfChanged(prefix string, path string, yaml []byte) error {
 // This has the affect that the appended ones will take precedence, as those are read last.
 // Finally, we modify the deployment to enable prometheus metrics scraping.
 func prepareWorkload(name, prefix, binaryName, containerName string, objs []unstructured.Unstructured, ts *tiltSettings) error {
+	// Update provider namespaces to have the pod security standard enforce label set to privileged.
+	// This is required because we remove the SecurityContext from provider deployments below to make tilt work.
+	updateNamespacePodSecurityStandard(objs)
 	return updateDeployment(prefix, objs, func(deployment *appsv1.Deployment) {
 		for j, container := range deployment.Spec.Template.Spec.Containers {
 			if container.Name != containerName {
@@ -957,3 +960,19 @@ func getProviderObj(version *string) func(prefix string, objs []unstructured.Uns
 		return providerObj, nil
 	}
 }
+
+func updateNamespacePodSecurityStandard(objs []unstructured.Unstructured) {
+	for i, obj := range objs {
+		if obj.GetKind() != "Namespace" {
+			continue
+		}
+		// Ignore Deployments that are not part of the provider, eg. ASO in CAPZ.
+		if _, exists := obj.GetLabels()[clusterv1.ProviderNameLabel]; !exists {
+			continue
+		}
+		labels := obj.GetLabels()
+		labels["pod-security.kubernetes.io/enforce"] = "privileged"
+		obj.SetLabels(labels)
+		objs[i] = obj
+	}
+}
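Review bot: The comment inside the loop says "Ignore Deployments that are not part of the provider", but the preceding `GetKind() != "Namespace"` check means this branch only ever sees Namespace objects, so the comment misdescribes the filter; it should read `// Ignore Namespaces that are not part of the provider, e.g. ASO in CAPZ.`. The new function also has no doc comment although it is the one place that relaxes Pod Security Admission to the most permissive level; a one-line comment stating that it sets `pod-security.kubernetes.io/enforce=privileged` only on Namespaces carrying `clusterv1.ProviderNameLabel`, and only because the provider Deployments have their SecurityContext stripped for the tilt dev environment, would make the scope of the relaxation explicit to the next reader. `obj.GetLabels()` is called twice per matching object; fetching once with `labels := obj.GetLabels()` and then testing `labels[clusterv1.ProviderNameLabel]` keeps a single copy. The commit message names the function `updateNamespaceSecurityStandard`, which does not match the `updateNamespacePodSecurityStandard` added here; presumably the message is stale.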