From b50e9e1a085c43c775400dc59217c8f699f4dfae Mon Sep 17 00:00:00 2001 From: Saumeya Katyal Date: Wed, 4 Sep 2024 20:17:42 +0530 Subject: [PATCH] fix: ensure pod security label on namespace (#774) * fix: ensure pod security label on namespace Signed-off-by: saumeya * fix: Signed-off-by: saumeya * review comments Signed-off-by: saumeya --------- Signed-off-by: saumeya --- controllers/gitopsservice_controller.go | 39 +++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/controllers/gitopsservice_controller.go b/controllers/gitopsservice_controller.go index 5c47afe0..e6822e2b 100644 --- a/controllers/gitopsservice_controller.go +++ b/controllers/gitopsservice_controller.go @@ -230,6 +230,14 @@ func (r *ReconcileGitopsService) Reconcile(ctx context.Context, request reconcil } else { return reconcile.Result{}, err } + } else { + needUpdate, updateNameSpace := ensurePodSecurityLabels(namespaceRef) + if needUpdate { + err = r.Client.Update(context.TODO(), updateNameSpace) + if err != nil { + return reconcile.Result{}, err + } + } } gitopsserviceNamespacedName := types.NamespacedName{ @@ -369,6 +377,15 @@ func (r *ReconcileGitopsService) reconcileDefaultArgoCDInstance(instance *pipeli return reconcile.Result{}, err } } + + needUpdate, updateNameSpace := ensurePodSecurityLabels(argocdNS) + if needUpdate { + err = r.Client.Update(context.TODO(), updateNameSpace) + if err != nil { + return reconcile.Result{}, err + } + } + } // Set GitopsService instance as the owner and controller 
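Review bot: The new `r.Client.Update(context.TODO(), updateNameSpace)` in the else branch discards the `ctx` that Reconcile already receives (visible in the hunk header), so this API write does not share the cancellation or deadline of the rest of the reconcile; it should read `err = r.Client.Update(ctx, updateNameSpace)`. The write also requires the operator's ClusterRole to allow the `update` verb on namespaces, and the diffstat touches only this controller file, so unless that verb is already granted (or generated from RBAC markers elsewhere) every reconcile of an existing namespace will fail with Forbidden and requeue forever — worth confirming before merge. Reconcile's body starts before and continues after this hunk.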
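Review bot: The seven lines added here for `argocdNS` are byte-for-byte the block added to Reconcile in the previous hunk, so the "label then Update" sequence now lives in two places that must be kept in sync; a small method on the reconciler that owns both the mutation and the API write would leave one call site per namespace and one place to fix the context handling. Like the first hunk it uses `context.TODO()`; whether reconcileDefaultArgoCDInstance has a `ctx` to thread through is not visible in this hunk (its signature is cut off in the header), so the helper below takes one explicitly and the caller can pass `ctx` or `context.TODO()` as available. reconcileDefaultArgoCDInstance begins before and ends after this hunk.
```go
// ensureNamespacePSS applies the restricted Pod Security labels to ns and
// persists the object only when a label was missing or differed.
func (r *ReconcileGitopsService) ensureNamespacePSS(ctx context.Context, ns *corev1.Namespace) error {
	changed, _ := ensurePodSecurityLabels(ns)
	if !changed {
		return nil
	}
	return r.Client.Update(ctx, ns)
}

// … unchanged: namespace lookup / creation in reconcileDefaultArgoCDInstance …
	if err := r.ensureNamespacePSS(ctx, argocdNS); err != nil {
		return reconcile.Result{}, err
	}
```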
@@ -920,3 +937,25 @@ func policyRuleForBackendServiceClusterRole() []rbacv1.PolicyRule {
 		},
 	}
 }
+
+func ensurePodSecurityLabels(namespace *corev1.Namespace) (bool, *corev1.Namespace) {
+
+	pssLabels := map[string]string{
+		"pod-security.kubernetes.io/enforce": "restricted",
+		"pod-security.kubernetes.io/enforce-version": "v1.29",
+		"pod-security.kubernetes.io/audit": "restricted",
+		"pod-security.kubernetes.io/audit-version": "latest",
+		"pod-security.kubernetes.io/warn": "restricted",
+		"pod-security.kubernetes.io/warn-version": "latest",
+	}
+
+	changed := false
+	for pssKey, pssVal := range pssLabels {
+		if nsVal, exists := namespace.Labels[pssKey]; !exists || nsVal != pssVal {
+			namespace.Labels[pssKey] = pssVal
+			changed = true
+		}
+
+	}
+	return changed, namespace
+}
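Review bot: `namespace.Labels[pssKey] = pssVal` panics with "assignment to entry in nil map" for a Namespace that carries no labels at all, because `Labels` is a nil map on such objects — the read on the line above tolerates nil, the write does not, and since both callers pass namespaces fetched from the API this takes the whole reconcile loop down on a label-less namespace. Guard before the loop: `if namespace.Labels == nil { namespace.Labels = make(map[string]string, len(pssLabels)) }`. Separately, `enforce-version` is pinned to `v1.29` while audit and warn float at `latest`; a comment stating that enforcement is deliberately frozen at the 1.29 restricted profile and newer checks only surface through audit/warn would tell whoever bumps the pin that ArgoCD workloads must be re-validated against the newer profile first. The function also needs a doc comment noting that it re-applies the labels on every reconcile, reverting any relaxation an admin made on the namespace, which looks intended but is a behaviour operators will ask about.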