Update support for operator deployment on PSA

PR #371 provided changes to allow the deployment of the operator when PSA is enabled. https://kubernetes.io/docs/concepts/security/pod-security-admission/ This commit provides minor updates to address comments on the previous PR. Signed-off-by: Salvatore Daniele <[email protected]> Co-authored-by: Sebastian Sch <[email protected]>
k8snetworkplumbingwg · Feb 14, 2023 · 664b363 · 664b363
1 parent dacee68
commit 664b363
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/deploy/namespace.yaml b/deploy/namespace.yaml
@@ -4,3 +4,6 @@ metadata:
   name: $NAMESPACE
   labels:
     name: $NAMESPACE
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
diff --git a/deployment/sriov-network-operator/README.md b/deployment/sriov-network-operator/README.md
@@ -46,6 +46,11 @@ $ helm install -n sriov-network-operator --create-namespace --wait sriov-network
 $ kubectl -n sriov-network-operator get pods
 ```
 
+In the case that [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) is enabled, the sriov network operator namespace will require a security level of 'privileged'
+```
+$ kubectl label ns sriov-network-operator pod-security.kubernetes.io/enforce=privileged
+```
+
 ## Chart parameters
 
 In order to tailor the deployment of the network operator to your cluster needs