feat(scorecard): add psa labels for scorecard namespace (#621)

* feat(scorecard): add psa labels for scorecard namespace Signed-off-by: Thuan Vo <thuan.votann@gmail.com> * chore(make): use variable --------- Signed-off-by: Thuan Vo <thuan.votann@gmail.com>
cryostatio · Sep 12, 2023 · 788f71f · 788f71f
1 parent 5c3769f
commit 788f71f
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -152,15 +152,16 @@ endif
 define scorecard-setup
 @$(CLUSTER_CLIENT) get namespace $(SCORECARD_NAMESPACE) >/dev/null 2>&1 &&\
 	echo "$(SCORECARD_NAMESPACE) namespace already exists, please remove it with \"make clean-scorecard\"" >&2 && exit 1 || true
-$(CLUSTER_CLIENT) create namespace $(SCORECARD_NAMESPACE)
+$(CLUSTER_CLIENT) create namespace $(SCORECARD_NAMESPACE) && \
+	$(CLUSTER_CLIENT) label --overwrite namespace $(SCORECARD_NAMESPACE) pod-security.kubernetes.io/warn=restricted pod-security.kubernetes.io/audit=restricted
 cd internal/images/custom-scorecard-tests/rbac/ && $(KUSTOMIZE) edit set namespace $(SCORECARD_NAMESPACE)
 $(KUSTOMIZE) build internal/images/custom-scorecard-tests/rbac/ | $(CLUSTER_CLIENT) apply -f -
 @if [ -n "$(SCORECARD_ARGS)" ]; then \
 	$(CLUSTER_CLIENT) create -n $(SCORECARD_NAMESPACE) secret docker-registry registry-key --docker-server="$(SCORECARD_REGISTRY_SERVER)" \
 		--docker-username="$(SCORECARD_REGISTRY_USERNAME)" --docker-password="$(SCORECARD_REGISTRY_PASSWORD)"; \
 	$(CLUSTER_CLIENT) patch sa cryostat-scorecard -n $(SCORECARD_NAMESPACE) -p '{"imagePullSecrets": [{"name": "registry-key"}]}'; \
 fi
-operator-sdk run bundle -n $(SCORECARD_NAMESPACE) --timeout 20m $(BUNDLE_IMG) $(SCORECARD_ARGS)
+operator-sdk run bundle -n $(SCORECARD_NAMESPACE) --timeout 20m $(BUNDLE_IMG) --security-context-config=restricted $(SCORECARD_ARGS)
 endef
 
 define scorecard-cleanup