fix: ensure pod security label on namespace

[saumeya]

What type of PR is this?

Uncomment only one /kind line, and delete the rest.
For example, > /kind bug would simply become: /kind bug

/kind bug
/kind cleanup
/kind failing-test
/kind enhancement
/kind documentation
/kind code-refactoring

What does this PR do / why we need it:

Have you updated the necessary documentation?

• Documentation update is required by this PR.
• Documentation has been updated.

Which issue(s) this PR fixes:

Fixes #?

Test acceptance criteria:

• Unit Test
• E2E Test

How to test changes / Special notes to the reviewer:

[svghadi]

/hold

We need to revisit this. Adding a restrictive pod security standard to an existing namespace (during an upgrade) will result in failure because the existing pods in the namespace won't be compliant with the restricted policy. The required policy configurations were added in argoproj-labs/argocd-operator#1288 and argoproj-labs/argocd-operator#1493, but these changes only work for fresh installs. Existing pods are not configured with the new policy settings unless the corresponding deployments are manually deleted.

[svghadi]

OpenShift automatically handles the securityContext if it is missing. After running some tests, my previous concerns have been addressed, and there shouldn’t be any issues during the upgrade. I also have PR #1533 to handle existing deployments, but it’s not a blocker for this PR.

/remove-hold

[svghadi]

Can we do a strict check here? The current logic won't detect changes if the label value is modified. Something like...

Suggested change

	func ensurePodSecurityLabels(namespace *corev1.Namespace) (bool, *corev1.Namespace) {
	for key := range namespace.Labels {
	if strings.HasPrefix(key, "pod-security") {
	return false, namespace
	}
	}
	namespace.Labels["pod-security.kubernetes.io/enforce"] = "restricted"
	namespace.Labels["pod-security.kubernetes.io/enforce-version"] = "v1.29"
	namespace.Labels["pod-security.kubernetes.io/audit"] = "restricted"
	namespace.Labels["pod-security.kubernetes.io/audit-version"] = "latest"
	namespace.Labels["pod-security.kubernetes.io/warn"] = "restricted"
	namespace.Labels["pod-security.kubernetes.io/warn-version"] = "latest"
	return true, namespace
	}
	func ensurePodSecurityLabels(namespace *corev1.Namespace) (bool, *corev1.Namespace) {
	pssLabels := map[string]string{
	"pod-security.kubernetes.io/enforce": "restricted",
	"pod-security.kubernetes.io/enforce-version": "v1.29",
	"pod-security.kubernetes.io/audit": "restricted",
	"pod-security.kubernetes.io/audit-version": "latest",
	"pod-security.kubernetes.io/warn": "restricted",
	"pod-security.kubernetes.io/warn-version": "latest",
	}
	changed := false
	for pssKey, pssVal := range pssLabels {
	if nsVal, exists := namespace.Labels[pssKey]; !exists || nsVal != pssVal {
	namespace.Labels[pssKey] = pssVal
	changed = true
	}
	}
	return changed, namespace
	}

[saumeya]

Sure

[svghadi]

/remove-hold

[svghadi]

/lgtm

Thanks

[iam-veeramalla]

Just a NIT, I would change the word needUpdate to needsUpdate.

[iam-veeramalla]

Thanks for the PR, LGTM except for the NIT.

[iam-veeramalla]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: iam-veeramalla

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [iam-veeramalla]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[saumeya]

/cherry-pick v1.14

[saumeya]

/cherry-pick v1.13

[openshift-cherrypick-robot]

@saumeya: only redhat-developer org members may request cherry picks. If you are already part of the org, make sure to change your membership to public. Otherwise you can still do the cherry-pick manually.

In response to this:

/cherry-pick v1.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-cherrypick-robot]

@saumeya: only redhat-developer org members may request cherry picks. If you are already part of the org, make sure to change your membership to public. Otherwise you can still do the cherry-pick manually.

In response to this:

/cherry-pick v1.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[saumeya]

/cherry-pick v1.14

[saumeya]

/cherry-pick v1.13

[openshift-cherrypick-robot]

@saumeya: #774 failed to apply on top of branch "v1.14":

Patch is empty.
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To record the empty patch as an empty commit, run "git am --allow-empty".
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick v1.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-cherrypick-robot]

@saumeya: new pull request created: #777

In response to this:

/cherry-pick v1.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.