add PSA labels to namespace for baseline enforcement (#109)

Ideally, we would enforce restricted. However, some catalog images may not be compatible with restriced enforcement. This is another motivation for us to treat catalog images differently from runnable images. PSA compatibility of catalog images should never be a consideration because we only need to extract static files from them. Actually running them should never be necessary. Signed-off-by: Joe Lanford <joe.lanford@gmail.com>
operator-framework · Jul 5, 2023 · 1a8bdac · 1a8bdac
1 parent c691c3e
commit 1a8bdac
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -9,6 +9,8 @@ metadata:
     app.kubernetes.io/created-by: catalogd
     app.kubernetes.io/part-of: catalogd
     app.kubernetes.io/managed-by: kustomize
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/enforce-version: latest
   name: system
 ---
 apiVersion: apps/v1