Remove the PSA enforce labels from the created ns by default.

Signed-off-by: Xun Jiang <[email protected]>

test/e2e/backups/deletion.go

@@ -101,7 +101,7 @@ func runBackupDeletionTests(client TestClient, veleroCfg VeleroConfig, backupLoc
 	registryCredentialFile := veleroCfg.RegistryCredentialFile
 	veleroFeatures := veleroCfg.Features
 	for _, ns := range workloadNamespaceList {
-		if err := CreateNamespace(oneHourTimeout, client, ns); err != nil {
+		if err := CreateNamespace(oneHourTimeout, client, ns, false); err != nil {
 			return errors.Wrapf(err, "Failed to create namespace %s to install Kibishii workload", ns)
 		}
 

test/e2e/backups/sync_backups.go

@@ -82,7 +82,7 @@ func BackupsSyncTest() {
 		ctx, ctxCancel := context.WithTimeout(context.Background(), 30*time.Minute)
 		defer ctxCancel()
 		By(fmt.Sprintf("Prepare workload as target to backup by creating namespace %s namespace", test.testNS))
-		Expect(CreateNamespace(ctx, *veleroCfg.ClientToInstallVelero, test.testNS)).To(Succeed(),
+		Expect(CreateNamespace(ctx, *veleroCfg.ClientToInstallVelero, test.testNS, false)).To(Succeed(),
 			fmt.Sprintf("Failed to create %s namespace", test.testNS))
 
 		if CurrentSpecReport().Failed() && veleroCfg.FailFast {
@@ -127,7 +127,7 @@ func BackupsSyncTest() {
 		ctx, ctxCancel := context.WithTimeout(context.Background(), 30*time.Minute)
 		defer ctxCancel()
 		By(fmt.Sprintf("Prepare workload as target to backup by creating namespace in %s namespace", test.testNS), func() {
-			Expect(CreateNamespace(ctx, *veleroCfg.ClientToInstallVelero, test.testNS)).To(Succeed(),
+			Expect(CreateNamespace(ctx, *veleroCfg.ClientToInstallVelero, test.testNS, false)).To(Succeed(),
 				fmt.Sprintf("Failed to create %s namespace", test.testNS))
 		})
 

test/e2e/backups/ttl.go

@@ -95,7 +95,7 @@ func TTLTest() {
 		ctx, ctxCancel := context.WithTimeout(context.Background(), 1*time.Hour)
 		defer ctxCancel()
 		By(fmt.Sprintf("Prepare workload as target to backup by creating namespace %s namespace", test.testNS), func() {
-			Expect(CreateNamespace(ctx, client, test.testNS)).To(Succeed(),
+			Expect(CreateNamespace(ctx, client, test.testNS, false)).To(Succeed(),
 				fmt.Sprintf("Failed to create %s namespace", test.testNS))
 		})
 

test/e2e/basic/api-group/enable_api_group_versions.go

@@ -489,7 +489,7 @@ func installTestResources(ctx context.Context, client TestClient, group string,
 
 		for version, cr := range tc.srcCRs {
 			ns := fmt.Sprintf("rockband%ds-src-%s-%d", i, version, i)
-			if err := CreateNamespace(ctx, client, ns); err != nil {
+			if err := CreateNamespace(ctx, client, ns, false); err != nil {
 				return "", "", errors.Wrapf(err, "create %s namespace", ns)
 			}
 

test/e2e/basic/namespace-mapping.go

@@ -88,7 +88,7 @@ func (n *NamespaceMapping) CreateResources() error {
 	for index, ns := range *n.NSIncluded {
 		n.kibishiiData.Levels = len(*n.NSIncluded) + index
 		By(fmt.Sprintf("Creating namespaces ...%s\n", ns), func() {
-			Expect(CreateNamespace(n.Ctx, n.Client, ns)).To(Succeed(), fmt.Sprintf("Failed to create namespace %s", ns))
+			Expect(CreateNamespace(n.Ctx, n.Client, ns, false)).To(Succeed(), fmt.Sprintf("Failed to create namespace %s", ns))
 		})
 		By("Deploy sample workload of Kibishii", func() {
 			Expect(KibishiiPrepareBeforeBackup(n.Ctx, n.Client, n.VeleroCfg.CloudProvider,

test/e2e/basic/nodeport.go

@@ -64,7 +64,7 @@ func (n *NodePort) Init() error {
 func (n *NodePort) CreateResources() error {
 	for _, ns := range *n.NSIncluded {
 		By(fmt.Sprintf("Creating service %s in namespaces %s ......\n", n.serviceName, ns), func() {
-			Expect(CreateNamespace(n.Ctx, n.Client, ns)).To(Succeed(), fmt.Sprintf("Failed to create namespace %s", ns))
+			Expect(CreateNamespace(n.Ctx, n.Client, ns, false)).To(Succeed(), fmt.Sprintf("Failed to create namespace %s", ns))
 			Expect(createServiceWithNodeport(n.Ctx, n.Client, ns, n.serviceName, n.labels, 0)).To(Succeed(), fmt.Sprintf("Failed to create service %s", n.serviceName))
 			service, err := GetService(n.Ctx, n.Client, ns, n.serviceName)
 			Expect(err).To(Succeed())
@@ -88,7 +88,7 @@ func (n *NodePort) Destroy() error {
 		})
 
 		By(fmt.Sprintf("Creating a new service which has the same nodeport as backed up service has in a new namespaces for nodeport collision ...%s\n", n.namespaceToCollision[i]), func() {
-			Expect(CreateNamespace(n.Ctx, n.Client, n.namespaceToCollision[i])).To(Succeed(), fmt.Sprintf("Failed to create namespace %s", n.namespaceToCollision[i]))
+			Expect(CreateNamespace(n.Ctx, n.Client, n.namespaceToCollision[i], false)).To(Succeed(), fmt.Sprintf("Failed to create namespace %s", n.namespaceToCollision[i]))
 			Expect(createServiceWithNodeport(n.Ctx, n.Client, n.namespaceToCollision[i], n.serviceName, n.labels, n.nodePort)).To(Succeed(), fmt.Sprintf("Failed to create service %s", n.serviceName))
 			_, err := GetAllService(n.Ctx)
 			Expect(err).To(Succeed(), "fail to get service")

test/e2e/basic/pvc-selected-node-changing.go

@@ -64,7 +64,7 @@ func (p *PVCSelectedNodeChanging) Init() error {
 
 func (p *PVCSelectedNodeChanging) CreateResources() error {
 	By(fmt.Sprintf("Create namespace %s", p.namespace), func() {
-		Expect(CreateNamespace(p.Ctx, p.Client, p.namespace)).To(Succeed(),
+		Expect(CreateNamespace(p.Ctx, p.Client, p.namespace, false)).To(Succeed(),
 			fmt.Sprintf("Failed to create namespace %s", p.namespace))
 	})
 

test/e2e/basic/resources-check/rbac.go

@@ -81,7 +81,7 @@ func (r *RBACCase) CreateResources() error {
 	for nsNum := 0; nsNum < r.NamespacesTotal; nsNum++ {
 		createNSName := fmt.Sprintf("%s-%00000d", r.CaseBaseName, nsNum)
 		fmt.Printf("Creating namespaces ...%s\n", createNSName)
-		if err := CreateNamespace(r.Ctx, r.Client, createNSName); err != nil {
+		if err := CreateNamespace(r.Ctx, r.Client, createNSName, false); err != nil {
 			return errors.Wrapf(err, "Failed to create namespace %s", createNSName)
 		}
 		serviceAccountName := fmt.Sprintf("service-account-%s-%00000d", r.CaseBaseName, nsNum)

test/e2e/basic/storage-class-changing.go

@@ -73,7 +73,7 @@ func (s *StorageClasssChanging) CreateResources() error {
 	}
 
 	By(fmt.Sprintf("Create namespace %s", s.namespace), func() {
-		Expect(CreateNamespace(s.Ctx, s.Client, s.namespace)).To(Succeed(),
+		Expect(CreateNamespace(s.Ctx, s.Client, s.namespace, false)).To(Succeed(),
 			fmt.Sprintf("Failed to create namespace %s", s.namespace))
 	})
 

test/e2e/bsl-mgmt/deletion.go

@@ -146,7 +146,7 @@ func BslDeletionTest(useVolumeSnapshots bool) {
 			//label2 := "for!=1"
 			label2 := "for=2"
 			By("Create namespace for sample workload", func() {
-				Expect(CreateNamespace(oneHourTimeout, *veleroCfg.ClientToInstallVelero, bslDeletionTestNs)).To(Succeed())
+				Expect(CreateNamespace(oneHourTimeout, *veleroCfg.ClientToInstallVelero, bslDeletionTestNs, false)).To(Succeed())
 			})
 
 			By("Deploy sample workload of Kibishii", func() {

test/e2e/migration/migration.go

@@ -181,6 +181,7 @@ func (m *migrationE2E) Backup() error {
 			m.Ctx,
 			*m.VeleroCfg.DefaultClient,
 			m.CaseBaseName,
+			false,
 		)).To(Succeed(),
 			fmt.Sprintf("Failed to create namespace %s to install Kibishii workload",
 				m.CaseBaseName))

test/e2e/parallelfilesdownload/parallel_files_download.go

@@ -90,7 +90,7 @@ func (p *ParallelFilesDownload) Init() error {
 
 func (p *ParallelFilesDownload) CreateResources() error {
 	By(fmt.Sprintf("Create namespace %s", p.namespace), func() {
-		Expect(CreateNamespace(p.Ctx, p.Client, p.namespace)).To(Succeed(),
+		Expect(CreateNamespace(p.Ctx, p.Client, p.namespace, false)).To(Succeed(),
 			fmt.Sprintf("Failed to create namespace %s", p.namespace))
 	})
 

test/e2e/parallelfilesupload/parallel_files_upload.go

@@ -81,7 +81,7 @@ func (p *ParallelFilesUpload) Init() error {
 
 func (p *ParallelFilesUpload) CreateResources() error {
 	By(fmt.Sprintf("Create namespace %s", p.namespace), func() {
-		Expect(CreateNamespace(p.Ctx, p.Client, p.namespace)).To(Succeed(),
+		Expect(CreateNamespace(p.Ctx, p.Client, p.namespace, false)).To(Succeed(),
 			fmt.Sprintf("Failed to create namespace %s", p.namespace))
 	})
 

test/e2e/privilegesmgmt/ssr.go

@@ -54,7 +54,7 @@ func SSRTest() {
 		defer ctxCancel()
 		defer DeleteNamespace(context.TODO(), *veleroCfg.ClientToInstallVelero, testNS, false)
 		By(fmt.Sprintf("Create %s namespace", testNS))
-		Expect(CreateNamespace(ctx, *veleroCfg.ClientToInstallVelero, testNS)).To(Succeed(),
+		Expect(CreateNamespace(ctx, *veleroCfg.ClientToInstallVelero, testNS, false)).To(Succeed(),
 			fmt.Sprintf("Failed to create %s namespace", testNS))
 
 		By(fmt.Sprintf("Get version in %s namespace", testNS), func() {

test/e2e/pv-backup/pv-backup-filter.go

@@ -65,7 +65,7 @@ func (p *PVBackupFiltering) Init() error {
 func (p *PVBackupFiltering) CreateResources() error {
 	for _, ns := range *p.NSIncluded {
 		By(fmt.Sprintf("Create namespaces %s for workload\n", ns), func() {
-			Expect(CreateNamespace(p.Ctx, p.Client, ns)).To(Succeed(), fmt.Sprintf("Failed to create namespace %s", ns))
+			Expect(CreateNamespace(p.Ctx, p.Client, ns, false)).To(Succeed(), fmt.Sprintf("Failed to create namespace %s", ns))
 		})
 		var pods []string
 		By(fmt.Sprintf("Deploy a few pods with several PVs in namespace %s", ns), func() {

test/e2e/resource-filtering/base.go

@@ -63,7 +63,7 @@ func (f *FilteringCase) CreateResources() error {
 	for nsNum := 0; nsNum < f.NamespacesTotal; nsNum++ {
 		namespace := fmt.Sprintf("%s-%00000d", f.CaseBaseName, nsNum)
 		fmt.Printf("Creating resources in namespace ...%s\n", namespace)
-		if err := CreateNamespace(f.Ctx, f.Client, namespace); err != nil {
+		if err := CreateNamespace(f.Ctx, f.Client, namespace, false); err != nil {
 			return errors.Wrapf(err, "Failed to create namespace %s", namespace)
 		}
 		//Create deployment

test/e2e/resource-filtering/exclude_label.go

@@ -83,7 +83,7 @@ func (e *ExcludeFromBackup) CreateResources() error {
 		velerov1api.ExcludeFromBackupLabel: "false",
 	}
 	fmt.Printf("Creating resources in namespace ...%s\n", namespace)
-	if err := CreateNamespace(e.Ctx, e.Client, namespace); err != nil {
+	if err := CreateNamespace(e.Ctx, e.Client, namespace, false); err != nil {
 		return errors.Wrapf(err, "Failed to create namespace %s", namespace)
 	}
 	//Create deployment: to be included

test/e2e/resource-filtering/exclude_namespaces.go

@@ -109,7 +109,7 @@ func (e *ExcludeNamespaces) CreateResources() error {
 	for nsNum := 0; nsNum < e.NamespacesTotal; nsNum++ {
 		createNSName := fmt.Sprintf("%s-%00000d", e.CaseBaseName, nsNum)
 		fmt.Printf("Creating namespaces ...%s\n", createNSName)
-		if err := CreateNamespace(e.Ctx, e.Client, createNSName); err != nil {
+		if err := CreateNamespace(e.Ctx, e.Client, createNSName, false); err != nil {
 			return errors.Wrapf(err, "Failed to create namespace %s", createNSName)
 		}
 	}

test/e2e/resource-filtering/include_namespaces.go

@@ -104,7 +104,7 @@ func (i *IncludeNamespaces) CreateResources() error {
 	for nsNum := 0; nsNum < i.NamespacesTotal; nsNum++ {
 		createNSName := fmt.Sprintf("%s-%00000d", i.CaseBaseName, nsNum)
 		fmt.Printf("Creating namespaces ...%s\n", createNSName)
-		if err := CreateNamespace(i.Ctx, i.Client, createNSName); err != nil {
+		if err := CreateNamespace(i.Ctx, i.Client, createNSName, false); err != nil {
 			return errors.Wrapf(err, "Failed to create namespace %s", createNSName)
 		}
 	}

test/e2e/resourcemodifiers/resource_modifiers.go

@@ -106,7 +106,7 @@ func (r *ResourceModifiersCase) CreateResources() error {
 	for nsNum := 0; nsNum < r.NamespacesTotal; nsNum++ {
 		namespace := fmt.Sprintf("%s-%00000d", r.CaseBaseName, nsNum)
 		By(fmt.Sprintf("Create namespaces %s for workload\n", namespace), func() {
-			Expect(CreateNamespace(r.Ctx, r.Client, namespace)).To(Succeed(), fmt.Sprintf("Failed to create namespace %s", namespace))
+			Expect(CreateNamespace(r.Ctx, r.Client, namespace, false)).To(Succeed(), fmt.Sprintf("Failed to create namespace %s", namespace))
 		})
 
 		By(fmt.Sprintf("Creating deployment in namespaces ...%s\n", namespace), func() {

test/e2e/resourcepolicies/resource_policies.go

@@ -111,7 +111,7 @@ func (r *ResourcePoliciesCase) CreateResources() error {
 	for nsNum := 0; nsNum < r.NamespacesTotal; nsNum++ {
 		namespace := fmt.Sprintf("%s-%00000d", r.CaseBaseName, nsNum)
 		By(fmt.Sprintf("Create namespaces %s for workload\n", namespace), func() {
-			Expect(CreateNamespace(r.Ctx, r.Client, namespace)).To(Succeed(), fmt.Sprintf("Failed to create namespace %s", namespace))
+			Expect(CreateNamespace(r.Ctx, r.Client, namespace, false)).To(Succeed(), fmt.Sprintf("Failed to create namespace %s", namespace))
 		})
 
 		volName := fmt.Sprintf("vol-%s-%00000d", r.CaseBaseName, nsNum)

test/e2e/schedule/in_progress.go

@@ -69,6 +69,7 @@ func (s *InProgressCase) CreateResources() error {
 				s.Ctx,
 				s.Client,
 				s.namespace,
+				false,
 			),
 		).To(Succeed(),
 			fmt.Sprintf("Failed to create namespace %s", s.namespace))

test/e2e/schedule/ordered_resources.go

@@ -92,7 +92,7 @@ func (o *OrderedResources) CreateResources() error {
 		"orderedresources": "true",
 	}
 	fmt.Printf("Creating resources in %s namespace ...\n", o.Namespace)
-	if err := k8sutil.CreateNamespace(o.Ctx, o.Client, o.Namespace); err != nil {
+	if err := k8sutil.CreateNamespace(o.Ctx, o.Client, o.Namespace, false); err != nil {
 		return errors.Wrapf(err, "failed to create namespace %s", o.Namespace)
 	}
 

test/e2e/schedule/periodical.go

@@ -53,6 +53,7 @@ func (n *PeriodicalCase) CreateResources() error {
 					n.Ctx,
 					n.Client,
 					ns,
+					false,
 				),
 			).To(
 				Succeed(),

test/e2e/upgrade/upgrade.go

@@ -152,7 +152,7 @@ func BackupUpgradeRestoreTest(useVolumeSnapshots bool, veleroCLI2Version VeleroC
 			tmpCfg.UpgradeFromVeleroVersion = veleroCLI2Version.VeleroVersion
 
 			By("Create namespace for sample workload", func() {
-				Expect(CreateNamespace(oneHourTimeout, *veleroCfg.ClientToInstallVelero, upgradeNamespace)).To(Succeed(),
+				Expect(CreateNamespace(oneHourTimeout, *veleroCfg.ClientToInstallVelero, upgradeNamespace, false)).To(Succeed(),
 					fmt.Sprintf("Failed to create namespace %s to install Kibishii workload", upgradeNamespace))
 			})
 

test/util/k8s/namespace.go

@@ -35,13 +35,17 @@ import (
 	veleroexec "github.com/vmware-tanzu/velero/pkg/util/exec"
 )
 
-func CreateNamespace(ctx context.Context, client TestClient, namespace string) error {
+func CreateNamespace(ctx context.Context, client TestClient, namespace string, addPsaLabels bool) error {
 	ns := builder.ForNamespace(namespace).Result()
-	// Add label to avoid PSA check.
-	ns.Labels = map[string]string{
-		"pod-security.kubernetes.io/enforce":         "baseline",
-		"pod-security.kubernetes.io/enforce-version": "latest",
+
+	if addPsaLabels {
+		// Add label to avoid PSA check.
+		ns.Labels = map[string]string{
+			"pod-security.kubernetes.io/enforce":         "baseline",
+			"pod-security.kubernetes.io/enforce-version": "latest",
+		}
 	}
+
 	_, err := client.ClientGo.CoreV1().Namespaces().Create(context.TODO(), ns, metav1.CreateOptions{})
 	if apierrors.IsAlreadyExists(err) {
 		return nil
@@ -52,9 +56,6 @@ func CreateNamespace(ctx context.Context, client TestClient, namespace string) e
 func CreateNamespaceWithLabel(ctx context.Context, client TestClient, namespace string, label map[string]string) error {
 	ns := builder.ForNamespace(namespace).Result()
 	ns.Labels = label
-	// Add label to avoid PSA check.
-	ns.Labels["pod-security.kubernetes.io/enforce"] = "baseline"
-	ns.Labels["pod-security.kubernetes.io/enforce-version"] = "latest"
 	_, err := client.ClientGo.CoreV1().Namespaces().Create(ctx, ns, metav1.CreateOptions{})
 	if apierrors.IsAlreadyExists(err) {
 		return nil
@@ -64,11 +65,6 @@ func CreateNamespaceWithLabel(ctx context.Context, client TestClient, namespace
 
 func CreateNamespaceWithAnnotation(ctx context.Context, client TestClient, namespace string, annotation map[string]string) error {
 	ns := builder.ForNamespace(namespace).Result()
-	// Add label to avoid PSA check.
-	ns.Labels = map[string]string{
-		"pod-security.kubernetes.io/enforce":         "baseline",
-		"pod-security.kubernetes.io/enforce-version": "latest",
-	}
 	ns.ObjectMeta.Annotations = annotation
 	_, err := client.ClientGo.CoreV1().Namespaces().Create(context.TODO(), ns, metav1.CreateOptions{})
 	if apierrors.IsAlreadyExists(err) {

test/util/kibishii/kibishii_utils.go

@@ -90,7 +90,7 @@ func RunKibishiiTests(
 			fmt.Println(errors.Wrapf(err, "failed to delete the namespace %q", kibishiiNamespace))
 		}
 	}
-	if err := CreateNamespace(oneHourTimeout, client, kibishiiNamespace); err != nil {
+	if err := CreateNamespace(oneHourTimeout, client, kibishiiNamespace, false); err != nil {
 		return errors.Wrapf(err, "Failed to create namespace %s to install Kibishii workload", kibishiiNamespace)
 	}
 	defer func() {
@@ -282,12 +282,6 @@ func installKibishii(ctx context.Context, namespace string, cloudPlatform, veler
 		return errors.Wrapf(err, "failed to install kibishii, stderr=%s", stderr)
 	}
 
-	labelNamespaceCmd := exec.CommandContext(ctx, "kubectl", "label", "namespace", namespace, "pod-security.kubernetes.io/enforce=baseline", "pod-security.kubernetes.io/enforce-version=latest", "--overwrite=true")
-	_, stderr, err = veleroexec.RunCommand(labelNamespaceCmd)
-	fmt.Printf("Label namespace with PSA policy: %s\n", labelNamespaceCmd)
-	if err != nil {
-		return errors.Wrapf(err, "failed to label namespace with PSA policy, stderr=%s", stderr)
-	}
 	if workerReplicas != DefaultKibishiiWorkerCounts {
 		err = ScaleStatefulSet(ctx, namespace, "kibishii-deployment", workerReplicas)
 		if err != nil {

test/util/velero/install.go

@@ -180,6 +180,7 @@ func generateVSpherePlugin(veleroCfg *test.VeleroConfig) error {
 		context.Background(),
 		*cli,
 		veleroCfg.VeleroNamespace,
+		true, // need to add PSA labels to Velero namespace.
 	); err != nil {
 		return errors.WithMessagef(
 			err,