From 1a8bdac8ae4984527ef0b630cee714c0d24996cc Mon Sep 17 00:00:00 2001
From: Joe Lanford <joe.lanford@gmail.com>
Date: Wed, 5 Jul 2023 16:54:12 -0400
Subject: [PATCH] add PSA labels to namespace for baseline enforcement (#109)

Ideally, we would enforce restricted. However, some catalog
images may not be compatible with restriced enforcement.

This is another motivation for us to treat catalog images
differently from runnable images. PSA compatibility of
catalog images should never be a consideration because we
only need to extract static files from them. Actually
running them should never be necessary.

Signed-off-by: Joe Lanford <joe.lanford@gmail.com>
---
 config/manager/manager.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index bd3f7181..4c9306c2 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -9,6 +9,8 @@ metadata:
     app.kubernetes.io/created-by: catalogd
     app.kubernetes.io/part-of: catalogd
     app.kubernetes.io/managed-by: kustomize
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/enforce-version: latest
   name: system
 ---
 apiVersion: apps/v1