terraform-aws-eks
Add Labelling to System Namespaces for PSA
Description
To adopt pod security admission https://kubernetes.io/docs/concepts/security/pod-security-admission/ it would be good if there was functionality to add the required labels and levels to the 'system' namespaces (default, kube-*).
Describe the solution you'd like.
variable "enforce_level" {
  type        = string
  description = "PSA Enforce Level"

  validation {
    condition     = contains(["privileged", "baseline", "restricted"], var.enforce_level)
    error_message = "Valid values for var: enforce_level are (privileged, baseline, restricted)."
  }
}

# Declared so the cluster version referenced in the labels below resolves.
# The pod-security.kubernetes.io/*-version labels accept "latest" or "v<MAJOR>.<MINOR>".
variable "eks_cluster_version" {
  type        = string
  description = "Value for the PSA *-version labels (\"latest\" or \"v<MAJOR>.<MINOR>\")"
}

locals {
  # Enforce at the configured level; always audit and warn at restricted.
  psa_restricted = {
    "pod-security.kubernetes.io/enforce"         = var.enforce_level
    "pod-security.kubernetes.io/enforce-version" = var.eks_cluster_version
    "pod-security.kubernetes.io/audit"           = "restricted"
    "pod-security.kubernetes.io/audit-version"   = var.eks_cluster_version
    "pod-security.kubernetes.io/warn"            = "restricted"
    "pod-security.kubernetes.io/warn-version"    = var.eks_cluster_version
  }
}

resource "kubernetes_namespace" "kube-system" {
  metadata {
    name = "kube-system"

    # Merge the PSA label set with the namespace's own metadata name label.
    labels = merge(local.psa_restricted, {
      "kubernetes.io/metadata.name" = "kube-system"
    })
  }
}
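Added example (not code from terraform-aws-eks or from the issue author) showing one way to label the pre-existing system namespaces for PSA. It assumes the hashicorp/kubernetes provider (2.12 or later, which provides the `kubernetes_labels` resource) is configured against the cluster, and that the per-namespace enforce levels in `system_namespace_levels` are a chosen policy rather than anything the page prescribes. `kube-system` and `default` already exist on every EKS cluster, so a `kubernetes_namespace` resource would fail with "already exists" unless imported; `kubernetes_labels` patches labels onto the existing objects instead.

```hcl
# Value for the pod-security.kubernetes.io/*-version labels.
# PSA accepts "latest" or "v<MAJOR>.<MINOR>" (e.g. "v1.27"); the validation
# rejects anything else so a bad version never reaches the API server.
variable "psa_version" {
  type        = string
  default     = "latest"
  description = "PSA policy version: \"latest\" or \"v<MAJOR>.<MINOR>\""

  validation {
    condition     = var.psa_version == "latest" || can(regex("^v[0-9]+\\.[0-9]+$", var.psa_version))
    error_message = "psa_version must be \"latest\" or of the form v<MAJOR>.<MINOR>."
  }
}

# Assumed policy: kube-system hosts node agents that need host access and stays
# privileged; the other system namespaces should not run workloads at all.
variable "system_namespace_levels" {
  type = map(string)
  default = {
    kube-system     = "privileged"
    kube-public     = "restricted"
    kube-node-lease = "restricted"
    default         = "restricted"
  }

  validation {
    condition = alltrue([
      for lvl in values(var.system_namespace_levels) :
      contains(["privileged", "baseline", "restricted"], lvl)
    ])
    error_message = "Levels must be one of privileged, baseline, restricted."
  }
}

locals {
  # Full six-label set per namespace. Audit and warn are pinned to restricted
  # so violations show up in the audit log and as kubectl warnings even where
  # enforcement is looser.
  psa_labels = {
    for ns, level in var.system_namespace_levels : ns => {
      "pod-security.kubernetes.io/enforce"         = level
      "pod-security.kubernetes.io/enforce-version" = var.psa_version
      "pod-security.kubernetes.io/audit"           = "restricted"
      "pod-security.kubernetes.io/audit-version"   = var.psa_version
      "pod-security.kubernetes.io/warn"            = "restricted"
      "pod-security.kubernetes.io/warn-version"    = var.psa_version
    }
  }
}

# Patch the labels onto namespaces that already exist instead of creating them.
resource "kubernetes_labels" "psa" {
  for_each = local.psa_labels

  api_version = "v1"
  kind        = "Namespace"
  metadata {
    name = each.key
  }
  labels = each.value

  # Take over field ownership if another manager already set these labels.
  force = true
}
```

After `terraform apply`, `kubectl get ns --show-labels` should list the six labels on each namespace; the PodSecurity admission plugin is part of Kubernetes 1.25 and later, so no extra controller is needed for the labels to take effect.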
The "kubernetes_namespace" resource can be added in the user's module according to their needs. Unless there's a dependency (e.g. EKS managed addons etc.) or an EKS-specific PSA implementation (which currently is as-is from upstream), putting this resource in terraform-aws-eks is nice but not useful.
Thank you for the suggestion; however, we do not have plans to add additional Kubernetes resources here (from the Kubernetes provider) and instead leave this choice up to users.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.