add support for pod security admission

Signed-off-by: franknstyle <gizmocat@protonmail.com>
vmware-tanzu · Mar 1, 2023 · 537203a · 537203a
1 parent 3375907
commit 537203a
Show file tree

Hide file tree

Showing 60 changed files with 444 additions and 80 deletions.
diff --git a/cmd/sonobuoy/app/args.go b/cmd/sonobuoy/app/args.go
@@ -36,28 +36,29 @@ import (
 )
 
 const (
-	namespaceFlag              = "namespace"
-	sonobuoyImageFlag          = "sonobuoy-image"
-	imagePullPolicyFlag        = "image-pull-policy"
-	forceImagePullPolicyFlag   = "force-image-pull-policy"
-	pluginFlag                 = "plugin"
-	timeoutFlag                = "timeout"
-	waitOutputFlag             = "wait-output"
-	customRegistryFlag         = "custom-registry"
-	kubeconfig                 = "kubeconfig"
-	kubecontext                = "context"
-	e2eFocusFlag               = "e2e-focus"
-	e2eSkipFlag                = "e2e-skip"
-	e2eParallelFlag            = "e2e-parallel"
-	e2eRegistryConfigFlag      = "e2e-repo-config"
-	e2eRegistryFlag            = "e2e-repo"
-	pluginImageFlag            = "plugin-image"
-	filenameFlag               = "filename"
-	retrievePathFlag           = "retrieve-path"
-	securityContextModeFlag    = "security-context-mode"
-	aggregatorPermissionsFlag  = "aggregator-permissions"
-	serviceAccountNameFlag     = "service-account-name"
-	existingServiceAccountFlag = "existing-service-account"
+	namespaceFlag                = "namespace"
+	sonobuoyImageFlag            = "sonobuoy-image"
+	imagePullPolicyFlag          = "image-pull-policy"
+	forceImagePullPolicyFlag     = "force-image-pull-policy"
+	pluginFlag                   = "plugin"
+	timeoutFlag                  = "timeout"
+	waitOutputFlag               = "wait-output"
+	customRegistryFlag           = "custom-registry"
+	kubeconfig                   = "kubeconfig"
+	kubecontext                  = "context"
+	e2eFocusFlag                 = "e2e-focus"
+	e2eSkipFlag                  = "e2e-skip"
+	e2eParallelFlag              = "e2e-parallel"
+	e2eRegistryConfigFlag        = "e2e-repo-config"
+	e2eRegistryFlag              = "e2e-repo"
+	pluginImageFlag              = "plugin-image"
+	filenameFlag                 = "filename"
+	retrievePathFlag             = "retrieve-path"
+	securityContextModeFlag      = "security-context-mode"
+	aggregatorPermissionsFlag    = "aggregator-permissions"
+	serviceAccountNameFlag       = "service-account-name"
+	existingServiceAccountFlag   = "existing-service-account"
+	namespacePSAEnforceLevelFlag = "namespace-psa-enforce-level"
 )
 
 // AddNamespaceFlag initialises a namespace flag.
@@ -470,6 +471,14 @@ func AddRetrievePathFlag(str *string, flags *pflag.FlagSet) {
 	)
 }
 
+// AddNamespacePSAEnforceLevelFlag adds a flag for labelling the namespace
+func AddNamespacePSAEnforceLevelFlag(str *string, flags *pflag.FlagSet) {
+	flags.StringVar(
+		str, namespacePSAEnforceLevelFlag, config.DefaultNamespacePSAEnforceLevel,
+		"The PSA enforce level for the namespace.",
+	)
+}
+
 // Used if we're just setting the given string as the value; focus and skip need
 // regexp validation first.
 type envVarModierFlag struct {

diff --git a/cmd/sonobuoy/app/gen.go b/cmd/sonobuoy/app/gen.go
@@ -84,6 +84,7 @@ func GenFlagSet(cfg *genFlags, rbac RBACMode) *pflag.FlagSet {
 	AddAggregatorPermissionsFlag(&cfg.sonobuoyConfig.AggregatorPermissions, genset)
 	AddServiceAccountNameFlag(&cfg.sonobuoyConfig.ServiceAccountName, genset)
 	AddExistingServiceAccountFlag(&cfg.sonobuoyConfig.ExistingServiceAccount, genset)
+	AddNamespacePSAEnforceLevelFlag(&cfg.sonobuoyConfig.NamespacePSAEnforceLevel, genset)
 
 	AddNamespaceFlag(&cfg.sonobuoyConfig.Namespace, genset)
 	AddDNSNamespaceFlag(&cfg.dnsNamespace, genset)

diff --git a/pkg/client/gen.go b/pkg/client/gen.go
@@ -621,8 +621,11 @@ func generateNS(w io.Writer, cfg GenConfig) error {
 		return nil
 	}
 
+	labels := make(map[string]string)
+	labels["pod-security.kubernetes.io/enforce"] = cfg.Config.NamespacePSAEnforceLevel
 	ns := &corev1.Namespace{}
 	ns.Name = cfg.Config.Namespace
+	ns.Labels = labels
 	ns.SetGroupVersionKind(schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Namespace"})
 	return appendAsYAML(w, ns)
 }

diff --git a/pkg/client/testdata/aggregatorpermissions-noncluster-admin.golden b/pkg/client/testdata/aggregatorpermissions-noncluster-admin.golden
@@ -8,7 +8,7 @@ metadata:
 ---
 apiVersion: v1
 data:
-  config.json: '{"Description":"DEFAULT","UUID":"","Version":"static-version-for-testing","ResultsDir":"/tmp/sonobuoy/results","Resources":null,"Filters":{"Namespaces":".*","LabelSelector":""},"Limits":{"PodLogs":{"Namespaces":"kube-system","SonobuoyNamespace":true,"FieldSelectors":[],"LabelSelector":"","Previous":false,"SinceSeconds":null,"SinceTime":null,"Timestamps":false,"TailLines":null,"LimitBytes":null}},"QPS":30,"Burst":50,"Server":{"bindaddress":"0.0.0.0","bindport":8080,"advertiseaddress":"","timeoutseconds":21600},"Plugins":null,"PluginSearchPath":["./plugins.d","/etc/sonobuoy/plugins.d","~/sonobuoy/plugins.d"],"Namespace":"sonobuoy","WorkerImage":"sonobuoy/sonobuoy:static-version-for-testing","ImagePullPolicy":"IfNotPresent","ImagePullSecrets":"","AggregatorPermissions":"somethingelse","ServiceAccountName":"sonobuoy-serviceaccount","ProgressUpdatesPort":"8099","SecurityContextMode":"nonroot"}'
+  config.json: '{"Description":"DEFAULT","UUID":"","Version":"static-version-for-testing","ResultsDir":"/tmp/sonobuoy/results","Resources":null,"Filters":{"Namespaces":".*","LabelSelector":""},"Limits":{"PodLogs":{"Namespaces":"kube-system","SonobuoyNamespace":true,"FieldSelectors":[],"LabelSelector":"","Previous":false,"SinceSeconds":null,"SinceTime":null,"Timestamps":false,"TailLines":null,"LimitBytes":null}},"QPS":30,"Burst":50,"Server":{"bindaddress":"0.0.0.0","bindport":8080,"advertiseaddress":"","timeoutseconds":21600},"Plugins":null,"PluginSearchPath":["./plugins.d","/etc/sonobuoy/plugins.d","~/sonobuoy/plugins.d"],"Namespace":"sonobuoy","WorkerImage":"sonobuoy/sonobuoy:static-version-for-testing","ImagePullPolicy":"IfNotPresent","ImagePullSecrets":"","AggregatorPermissions":"somethingelse","ServiceAccountName":"sonobuoy-serviceaccount","NamespacePSAEnforceLevel":"privileged","ProgressUpdatesPort":"8099","SecurityContextMode":"nonroot"}'
 kind: ConfigMap
 metadata:
   labels:

diff --git a/pkg/client/testdata/default-plugins-via-nil-selection.golden b/pkg/client/testdata/default-plugins-via-nil-selection.golden
@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Namespace
 metadata:
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
   name: sonobuoy
 ---
 apiVersion: v1
@@ -13,7 +15,7 @@ metadata:
 ---
 apiVersion: v1
 data:
-  config.json: '{"Description":"DEFAULT","UUID":"","Version":"static-version-for-testing","ResultsDir":"/tmp/sonobuoy/results","Resources":null,"Filters":{"Namespaces":".*","LabelSelector":""},"Limits":{"PodLogs":{"Namespaces":"kube-system","SonobuoyNamespace":true,"FieldSelectors":[],"LabelSelector":"","Previous":false,"SinceSeconds":null,"SinceTime":null,"Timestamps":false,"TailLines":null,"LimitBytes":null}},"QPS":30,"Burst":50,"Server":{"bindaddress":"0.0.0.0","bindport":8080,"advertiseaddress":"","timeoutseconds":21600},"Plugins":null,"PluginSearchPath":["./plugins.d","/etc/sonobuoy/plugins.d","~/sonobuoy/plugins.d"],"Namespace":"sonobuoy","WorkerImage":"sonobuoy/sonobuoy:static-version-for-testing","ImagePullPolicy":"IfNotPresent","ImagePullSecrets":"","AggregatorPermissions":"clusterAdmin","ServiceAccountName":"sonobuoy-serviceaccount","ProgressUpdatesPort":"8099","SecurityContextMode":"nonroot"}'
+  config.json: '{"Description":"DEFAULT","UUID":"","Version":"static-version-for-testing","ResultsDir":"/tmp/sonobuoy/results","Resources":null,"Filters":{"Namespaces":".*","LabelSelector":""},"Limits":{"PodLogs":{"Namespaces":"kube-system","SonobuoyNamespace":true,"FieldSelectors":[],"LabelSelector":"","Previous":false,"SinceSeconds":null,"SinceTime":null,"Timestamps":false,"TailLines":null,"LimitBytes":null}},"QPS":30,"Burst":50,"Server":{"bindaddress":"0.0.0.0","bindport":8080,"advertiseaddress":"","timeoutseconds":21600},"Plugins":null,"PluginSearchPath":["./plugins.d","/etc/sonobuoy/plugins.d","~/sonobuoy/plugins.d"],"Namespace":"sonobuoy","WorkerImage":"sonobuoy/sonobuoy:static-version-for-testing","ImagePullPolicy":"IfNotPresent","ImagePullSecrets":"","AggregatorPermissions":"clusterAdmin","ServiceAccountName":"sonobuoy-serviceaccount","NamespacePSAEnforceLevel":"privileged","ProgressUpdatesPort":"8099","SecurityContextMode":"nonroot"}'
 kind: ConfigMap
 metadata:
   labels:

diff --git a/pkg/client/testdata/default-plugins-via-selection.golden b/pkg/client/testdata/default-plugins-via-selection.golden
@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Namespace
 metadata:
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
   name: sonobuoy
 ---
 apiVersion: v1
@@ -13,7 +15,7 @@ metadata:
 ---
 apiVersion: v1
 data:
-  config.json: '{"Description":"DEFAULT","UUID":"","Version":"static-version-for-testing","ResultsDir":"/tmp/sonobuoy/results","Resources":null,"Filters":{"Namespaces":".*","LabelSelector":""},"Limits":{"PodLogs":{"Namespaces":"kube-system","SonobuoyNamespace":true,"FieldSelectors":[],"LabelSelector":"","Previous":false,"SinceSeconds":null,"SinceTime":null,"Timestamps":false,"TailLines":null,"LimitBytes":null}},"QPS":30,"Burst":50,"Server":{"bindaddress":"0.0.0.0","bindport":8080,"advertiseaddress":"","timeoutseconds":21600},"Plugins":[],"PluginSearchPath":["./plugins.d","/etc/sonobuoy/plugins.d","~/sonobuoy/plugins.d"],"Namespace":"sonobuoy","WorkerImage":"sonobuoy/sonobuoy:static-version-for-testing","ImagePullPolicy":"IfNotPresent","ImagePullSecrets":"","AggregatorPermissions":"clusterAdmin","ServiceAccountName":"sonobuoy-serviceaccount","ProgressUpdatesPort":"8099","SecurityContextMode":"nonroot"}'
+  config.json: '{"Description":"DEFAULT","UUID":"","Version":"static-version-for-testing","ResultsDir":"/tmp/sonobuoy/results","Resources":null,"Filters":{"Namespaces":".*","LabelSelector":""},"Limits":{"PodLogs":{"Namespaces":"kube-system","SonobuoyNamespace":true,"FieldSelectors":[],"LabelSelector":"","Previous":false,"SinceSeconds":null,"SinceTime":null,"Timestamps":false,"TailLines":null,"LimitBytes":null}},"QPS":30,"Burst":50,"Server":{"bindaddress":"0.0.0.0","bindport":8080,"advertiseaddress":"","timeoutseconds":21600},"Plugins":[],"PluginSearchPath":["./plugins.d","/etc/sonobuoy/plugins.d","~/sonobuoy/plugins.d"],"Namespace":"sonobuoy","WorkerImage":"sonobuoy/sonobuoy:static-version-for-testing","ImagePullPolicy":"IfNotPresent","ImagePullSecrets":"","AggregatorPermissions":"clusterAdmin","ServiceAccountName":"sonobuoy-serviceaccount","NamespacePSAEnforceLevel":"privileged","ProgressUpdatesPort":"8099","SecurityContextMode":"nonroot"}'
 kind: ConfigMap
 metadata:
   labels:

diff --git a/pkg/client/testdata/default-pod-spec.golden b/pkg/client/testdata/default-pod-spec.golden
@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Namespace
 metadata:
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
   name: sonobuoy
 ---
 apiVersion: v1
@@ -13,7 +15,7 @@ metadata:
 ---
 apiVersion: v1
 data:
-  config.json: '{"Description":"DEFAULT","UUID":"","Version":"static-version-for-testing","ResultsDir":"/tmp/sonobuoy/results","Resources":null,"Filters":{"Namespaces":".*","LabelSelector":""},"Limits":{"PodLogs":{"Namespaces":"kube-system","SonobuoyNamespace":true,"FieldSelectors":[],"LabelSelector":"","Previous":false,"SinceSeconds":null,"SinceTime":null,"Timestamps":false,"TailLines":null,"LimitBytes":null}},"QPS":30,"Burst":50,"Server":{"bindaddress":"0.0.0.0","bindport":8080,"advertiseaddress":"","timeoutseconds":21600},"Plugins":null,"PluginSearchPath":["./plugins.d","/etc/sonobuoy/plugins.d","~/sonobuoy/plugins.d"],"Namespace":"sonobuoy","WorkerImage":"sonobuoy/sonobuoy:static-version-for-testing","ImagePullPolicy":"IfNotPresent","ImagePullSecrets":"","AggregatorPermissions":"clusterAdmin","ServiceAccountName":"sonobuoy-serviceaccount","ProgressUpdatesPort":"8099","SecurityContextMode":"nonroot"}'
+  config.json: '{"Description":"DEFAULT","UUID":"","Version":"static-version-for-testing","ResultsDir":"/tmp/sonobuoy/results","Resources":null,"Filters":{"Namespaces":".*","LabelSelector":""},"Limits":{"PodLogs":{"Namespaces":"kube-system","SonobuoyNamespace":true,"FieldSelectors":[],"LabelSelector":"","Previous":false,"SinceSeconds":null,"SinceTime":null,"Timestamps":false,"TailLines":null,"LimitBytes":null}},"QPS":30,"Burst":50,"Server":{"bindaddress":"0.0.0.0","bindport":8080,"advertiseaddress":"","timeoutseconds":21600},"Plugins":null,"PluginSearchPath":["./plugins.d","/etc/sonobuoy/plugins.d","~/sonobuoy/plugins.d"],"Namespace":"sonobuoy","WorkerImage":"sonobuoy/sonobuoy:static-version-for-testing","ImagePullPolicy":"IfNotPresent","ImagePullSecrets":"","AggregatorPermissions":"clusterAdmin","ServiceAccountName":"sonobuoy-serviceaccount","NamespacePSAEnforceLevel":"privileged","ProgressUpdatesPort":"8099","SecurityContextMode":"nonroot"}'
 kind: ConfigMap
 metadata:
   labels:

diff --git a/pkg/client/testdata/default.golden b/pkg/client/testdata/default.golden
@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Namespace
 metadata:
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
   name: sonobuoy
 ---
 apiVersion: v1
@@ -13,7 +15,7 @@ metadata:
 ---
 apiVersion: v1
 data:
-  config.json: '{"Description":"DEFAULT","UUID":"","Version":"static-version-for-testing","ResultsDir":"/tmp/sonobuoy/results","Resources":null,"Filters":{"Namespaces":".*","LabelSelector":""},"Limits":{"PodLogs":{"Namespaces":"kube-system","SonobuoyNamespace":true,"FieldSelectors":[],"LabelSelector":"","Previous":false,"SinceSeconds":null,"SinceTime":null,"Timestamps":false,"TailLines":null,"LimitBytes":null}},"QPS":30,"Burst":50,"Server":{"bindaddress":"0.0.0.0","bindport":8080,"advertiseaddress":"","timeoutseconds":21600},"Plugins":null,"PluginSearchPath":["./plugins.d","/etc/sonobuoy/plugins.d","~/sonobuoy/plugins.d"],"Namespace":"sonobuoy","WorkerImage":"sonobuoy/sonobuoy:static-version-for-testing","ImagePullPolicy":"IfNotPresent","ImagePullSecrets":"","AggregatorPermissions":"clusterAdmin","ServiceAccountName":"sonobuoy-serviceaccount","ProgressUpdatesPort":"8099","SecurityContextMode":"nonroot"}'
+  config.json: '{"Description":"DEFAULT","UUID":"","Version":"static-version-for-testing","ResultsDir":"/tmp/sonobuoy/results","Resources":null,"Filters":{"Namespaces":".*","LabelSelector":""},"Limits":{"PodLogs":{"Namespaces":"kube-system","SonobuoyNamespace":true,"FieldSelectors":[],"LabelSelector":"","Previous":false,"SinceSeconds":null,"SinceTime":null,"Timestamps":false,"TailLines":null,"LimitBytes":null}},"QPS":30,"Burst":50,"Server":{"bindaddress":"0.0.0.0","bindport":8080,"advertiseaddress":"","timeoutseconds":21600},"Plugins":null,"PluginSearchPath":["./plugins.d","/etc/sonobuoy/plugins.d","~/sonobuoy/plugins.d"],"Namespace":"sonobuoy","WorkerImage":"sonobuoy/sonobuoy:static-version-for-testing","ImagePullPolicy":"IfNotPresent","ImagePullSecrets":"","AggregatorPermissions":"clusterAdmin","ServiceAccountName":"sonobuoy-serviceaccount","NamespacePSAEnforceLevel":"privileged","ProgressUpdatesPort":"8099","SecurityContextMode":"nonroot"}'
 kind: ConfigMap
 metadata:
   labels:

diff --git a/pkg/client/testdata/e2e-default.golden b/pkg/client/testdata/e2e-default.golden
@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Namespace
 metadata:
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
   name: sonobuoy
 ---
 apiVersion: v1
@@ -13,7 +15,7 @@ metadata:
 ---
 apiVersion: v1
 data:
-  config.json: '{"Description":"DEFAULT","UUID":"","Version":"static-version-for-testing","ResultsDir":"/tmp/sonobuoy/results","Resources":null,"Filters":{"Namespaces":".*","LabelSelector":""},"Limits":{"PodLogs":{"Namespaces":"kube-system","SonobuoyNamespace":true,"FieldSelectors":[],"LabelSelector":"","Previous":false,"SinceSeconds":null,"SinceTime":null,"Timestamps":false,"TailLines":null,"LimitBytes":null}},"QPS":30,"Burst":50,"Server":{"bindaddress":"0.0.0.0","bindport":8080,"advertiseaddress":"","timeoutseconds":21600},"Plugins":[{"name":"e2e"}],"PluginSearchPath":["./plugins.d","/etc/sonobuoy/plugins.d","~/sonobuoy/plugins.d"],"Namespace":"sonobuoy","WorkerImage":"sonobuoy/sonobuoy:static-version-for-testing","ImagePullPolicy":"IfNotPresent","ImagePullSecrets":"","AggregatorPermissions":"clusterAdmin","ServiceAccountName":"sonobuoy-serviceaccount","ProgressUpdatesPort":"8099","SecurityContextMode":"nonroot"}'
+  config.json: '{"Description":"DEFAULT","UUID":"","Version":"static-version-for-testing","ResultsDir":"/tmp/sonobuoy/results","Resources":null,"Filters":{"Namespaces":".*","LabelSelector":""},"Limits":{"PodLogs":{"Namespaces":"kube-system","SonobuoyNamespace":true,"FieldSelectors":[],"LabelSelector":"","Previous":false,"SinceSeconds":null,"SinceTime":null,"Timestamps":false,"TailLines":null,"LimitBytes":null}},"QPS":30,"Burst":50,"Server":{"bindaddress":"0.0.0.0","bindport":8080,"advertiseaddress":"","timeoutseconds":21600},"Plugins":[{"name":"e2e"}],"PluginSearchPath":["./plugins.d","/etc/sonobuoy/plugins.d","~/sonobuoy/plugins.d"],"Namespace":"sonobuoy","WorkerImage":"sonobuoy/sonobuoy:static-version-for-testing","ImagePullPolicy":"IfNotPresent","ImagePullSecrets":"","AggregatorPermissions":"clusterAdmin","ServiceAccountName":"sonobuoy-serviceaccount","NamespacePSAEnforceLevel":"privileged","ProgressUpdatesPort":"8099","SecurityContextMode":"nonroot"}'
 kind: ConfigMap
 metadata:
   labels:

diff --git a/pkg/client/testdata/e2e-progress-custom-port.golden b/pkg/client/testdata/e2e-progress-custom-port.golden
@@ -1,6 +1,8 @@
 apiVersion: v1
 kind: Namespace
 metadata:
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
   name: sonobuoy
 ---
 apiVersion: v1
@@ -13,7 +15,7 @@ metadata:
 ---
 apiVersion: v1
 data:
-  config.json: '{"Description":"DEFAULT","UUID":"","Version":"static-version-for-testing","ResultsDir":"/tmp/sonobuoy/results","Resources":null,"Filters":{"Namespaces":".*","LabelSelector":""},"Limits":{"PodLogs":{"Namespaces":"kube-system","SonobuoyNamespace":true,"FieldSelectors":[],"LabelSelector":"","Previous":false,"SinceSeconds":null,"SinceTime":null,"Timestamps":false,"TailLines":null,"LimitBytes":null}},"QPS":30,"Burst":50,"Server":{"bindaddress":"0.0.0.0","bindport":8080,"advertiseaddress":"","timeoutseconds":21600},"Plugins":null,"PluginSearchPath":["./plugins.d","/etc/sonobuoy/plugins.d","~/sonobuoy/plugins.d"],"Namespace":"sonobuoy","WorkerImage":"sonobuoy/sonobuoy:static-version-for-testing","ImagePullPolicy":"IfNotPresent","ImagePullSecrets":"","AggregatorPermissions":"clusterAdmin","ServiceAccountName":"sonobuoy-serviceaccount","ProgressUpdatesPort":"1234","SecurityContextMode":"nonroot"}'
+  config.json: '{"Description":"DEFAULT","UUID":"","Version":"static-version-for-testing","ResultsDir":"/tmp/sonobuoy/results","Resources":null,"Filters":{"Namespaces":".*","LabelSelector":""},"Limits":{"PodLogs":{"Namespaces":"kube-system","SonobuoyNamespace":true,"FieldSelectors":[],"LabelSelector":"","Previous":false,"SinceSeconds":null,"SinceTime":null,"Timestamps":false,"TailLines":null,"LimitBytes":null}},"QPS":30,"Burst":50,"Server":{"bindaddress":"0.0.0.0","bindport":8080,"advertiseaddress":"","timeoutseconds":21600},"Plugins":null,"PluginSearchPath":["./plugins.d","/etc/sonobuoy/plugins.d","~/sonobuoy/plugins.d"],"Namespace":"sonobuoy","WorkerImage":"sonobuoy/sonobuoy:static-version-for-testing","ImagePullPolicy":"IfNotPresent","ImagePullSecrets":"","AggregatorPermissions":"clusterAdmin","ServiceAccountName":"sonobuoy-serviceaccount","NamespacePSAEnforceLevel":"privileged","ProgressUpdatesPort":"1234","SecurityContextMode":"nonroot"}'
 kind: ConfigMap
 metadata:
   labels: