From bed9f4a1471c8dddee1e14b40e5452554c52152a Mon Sep 17 00:00:00 2001
From: Thuan Vo
Date: Thu, 7 Sep 2023 14:35:51 -0700
Subject: [PATCH 1/2] feat(scorecard): add psa labels for scorecard namespace

Signed-off-by: Thuan Vo
---
 Makefile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 541f4db2..9b487968 100644
--- a/Makefile
+++ b/Makefile
@@ -152,7 +152,8 @@ endif
 define scorecard-setup
 @$(CLUSTER_CLIENT) get namespace $(SCORECARD_NAMESPACE) >/dev/null 2>&1 &&\
 echo "$(SCORECARD_NAMESPACE) namespace already exists, please remove it with \"make clean-scorecard\"" >&2 && exit 1 || true
-$(CLUSTER_CLIENT) create namespace $(SCORECARD_NAMESPACE)
+$(CLUSTER_CLIENT) create namespace $(SCORECARD_NAMESPACE) && \
+ kubectl label --overwrite namespace $(SCORECARD_NAMESPACE) pod-security.kubernetes.io/warn=restricted pod-security.kubernetes.io/audit=restricted
 cd internal/images/custom-scorecard-tests/rbac/ && $(KUSTOMIZE) edit set namespace $(SCORECARD_NAMESPACE)
 $(KUSTOMIZE) build internal/images/custom-scorecard-tests/rbac/ | $(CLUSTER_CLIENT) apply -f -
 @if [ -n "$(SCORECARD_ARGS)" ]; then \
@@ -160,7 +161,7 @@ $(KUSTOMIZE) build internal/images/custom-scorecard-tests/rbac/ | $(CLUSTER_CLIE
 --docker-username="$(SCORECARD_REGISTRY_USERNAME)" --docker-password="$(SCORECARD_REGISTRY_PASSWORD)"; \
 $(CLUSTER_CLIENT) patch sa cryostat-scorecard -n $(SCORECARD_NAMESPACE) -p '{"imagePullSecrets": [{"name": "registry-key"}]}'; \
 fi
-operator-sdk run bundle -n $(SCORECARD_NAMESPACE) --timeout 20m $(BUNDLE_IMG) $(SCORECARD_ARGS)
+operator-sdk run bundle -n $(SCORECARD_NAMESPACE) --timeout 20m $(BUNDLE_IMG) --security-context-config=restricted $(SCORECARD_ARGS)
 endef
 
 define scorecard-cleanup
From eba7b417698f46b3af1958e7cadfed48ad519c7f Mon Sep 17 00:00:00 2001
From: Thuan Vo
Date: Fri, 8 Sep 2023 13:05:28 -0700
Subject: [PATCH 2/2] chore(make): use variable

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
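Review bot: The label command added after `create namespace` in the first hunk of patch 1/2 (`@@ -152,7 +152,8 @@`) sets only the `warn` and `audit` modes of Pod Security Admission, so a pod that violates the restricted profile is still admitted to `$(SCORECARD_NAMESPACE)` and the violation surfaces only as a client warning or an audit annotation. If the scorecard run is meant to show that the workloads fit the restricted profile, add the enforcing mode as well, `pod-security.kubernetes.io/enforce=restricted`, or state in a comment above `define scorecard-setup` why enforcement is left out. Patch 2/2 rewrites this same line to use `$(CLUSTER_CLIENT)` and keeps the same two labels, so the point applies there too. The `scorecard-setup` define continues past the end of the hunk.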
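Review bot: The `restricted` profile is now a literal in `--security-context-config=restricted` on the `operator-sdk run bundle` line (patch 1/2, `@@ -160,7 +161,7 @@`) and again in the two namespace labels of the earlier hunk, with nothing in the recipe saying that the three have to agree. A single Make variable used in all three places, for example `SCORECARD_PSA_LEVEL ?= restricted` (the name is only a suggestion), would keep the namespace policy and the `run bundle` security context in step. A one-line comment above `define scorecard-setup` could say that the flag is there, presumably, so the pod created by `run bundle` satisfies the labelled profile. Because the flag precedes `$(SCORECARD_ARGS)`, a value passed in that variable may be able to override it, depending on how operator-sdk resolves a repeated flag; placing it after `$(SCORECARD_ARGS)` would remove the doubt. The define starts before this hunk.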
diff --git a/Makefile b/Makefile
index 9b487968..2b86978e 100644
--- a/Makefile
+++ b/Makefile
@@ -153,7 +153,7 @@ define scorecard-setup
 @$(CLUSTER_CLIENT) get namespace $(SCORECARD_NAMESPACE) >/dev/null 2>&1 &&\
 echo "$(SCORECARD_NAMESPACE) namespace already exists, please remove it with \"make clean-scorecard\"" >&2 && exit 1 || true
 $(CLUSTER_CLIENT) create namespace $(SCORECARD_NAMESPACE) && \
- kubectl label --overwrite namespace $(SCORECARD_NAMESPACE) pod-security.kubernetes.io/warn=restricted pod-security.kubernetes.io/audit=restricted
+ $(CLUSTER_CLIENT) label --overwrite namespace $(SCORECARD_NAMESPACE) pod-security.kubernetes.io/warn=restricted pod-security.kubernetes.io/audit=restricted
 cd internal/images/custom-scorecard-tests/rbac/ && $(KUSTOMIZE) edit set namespace $(SCORECARD_NAMESPACE)
 $(KUSTOMIZE) build internal/images/custom-scorecard-tests/rbac/ | $(CLUSTER_CLIENT) apply -f -
 @if [ -n "$(SCORECARD_ARGS)" ]; then \