From 145a91f59bdd31fd75a5484fad353735e3556ab9 Mon Sep 17 00:00:00 2001
From: Xun Jiang
Date: Fri, 17 Feb 2023 15:30:21 +0800
Subject: [PATCH] Add labels for created namespace during velero installation to adopt k8s v1.25's PSS and PSA.

Signed-off-by: Xun Jiang
---
 changelogs/unreleased/5887-blackpiglet | 1 +
 pkg/install/resources.go | 7 ++++++-
 pkg/install/resources_test.go | 5 +++++
 3 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/5887-blackpiglet

diff --git a/changelogs/unreleased/5887-blackpiglet b/changelogs/unreleased/5887-blackpiglet
new file mode 100644
index 0000000000..3ee3fb4d7a
--- /dev/null
+++ b/changelogs/unreleased/5887-blackpiglet
@@ -0,0 +1 @@
+Add labels for velero installed namespace to support PSA.
\ No newline at end of file
diff --git a/pkg/install/resources.go b/pkg/install/resources.go
index 78a9ed6891..d66e11872e 100644
--- a/pkg/install/resources.go
+++ b/pkg/install/resources.go
@@ -136,13 +136,18 @@ func ClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding {
 }
 
 func Namespace(namespace string) *corev1.Namespace {
-	return &corev1.Namespace{
+	ns := &corev1.Namespace{
 		ObjectMeta: objectMeta("", namespace),
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Namespace",
 			APIVersion: corev1.SchemeGroupVersion.String(),
 		},
 	}
+
+	ns.Labels["pod-security.kubernetes.io/enforce"] = "privileged"
+	ns.Labels["pod-security.kubernetes.io/enforce-version"] = "latest"
+
+	return ns
 }
 
 func BackupStorageLocation(namespace, provider, bucket, prefix string, config map[string]string, caCert []byte) *velerov1api.BackupStorageLocation {
diff --git a/pkg/install/resources_test.go b/pkg/install/resources_test.go
index 748d70defe..298dca9eb7 100644
--- a/pkg/install/resources_test.go
+++ b/pkg/install/resources_test.go
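Review bot: The two added label assignments in Namespace() put the whole install namespace on the `privileged` Pod Security level unconditionally, with no install option to pick a stricter level, and the only explanation of why lives in the test file; the function itself should state the intent, e.g. a comment before the first assignment: `// Opt the namespace out of Pod Security Standards enforcement (k8s >= 1.25) so velero's pods are admitted; note this exempts every pod in the namespace, not just velero's.` The assignments also presume that objectMeta("", namespace) returns a non-nil Labels map — if it can ever return a nil map the first `ns.Labels[...] =` panics, so a guard `if ns.Labels == nil { ns.Labels = map[string]string{} }` would make that assumption explicit. As a point of style, the two label keys are repeated verbatim in resources_test.go; hoisting them into package-level constants would keep the test and any later `warn`/`audit` labels in sync. The hunk in resources_test.go continues past the end of this chunk.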
@@ -40,6 +40,11 @@ func TestResources(t *testing.T) {
 	ns := Namespace("velero")
 	assert.Equal(t, "velero", ns.Name)
+	// For k8s version v1.25 and later, need to add the following labels to make
+	// velero installation namespace has privileged version to work with
+	// PSA(Pod Security Admission) and PSS(Pod Security Standards).
+	assert.Equal(t, ns.Labels["pod-security.kubernetes.io/enforce"], "privileged")
+	assert.Equal(t, ns.Labels["pod-security.kubernetes.io/enforce-version"], "latest")
 	crb := ClusterRoleBinding(DefaultVeleroNamespace)
 	// The CRB is a cluster-scoped resource