move psa labels from deployment to namespace (#288)

joelanford · web-flow · commit 61b563fe1d3e · 2023-07-05T20:25:32.000-04:00
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -9,6 +9,8 @@ metadata:
     app.kubernetes.io/created-by: operator-controller
     app.kubernetes.io/part-of: operator-controller
     app.kubernetes.io/managed-by: kustomize
+    pod-security.kubernetes.io/enforce: restricted
+    pod-security.kubernetes.io/enforce-version: latest
   name: system
 ---
 apiVersion: apps/v1
@@ -26,8 +28,6 @@ metadata:
     app.kubernetes.io/created-by: operator-controller
     app.kubernetes.io/part-of: operator-controller
     app.kubernetes.io/managed-by: kustomize
-    pod-security.kubernetes.io/enforce: restricted
-    pod-security.kubernetes.io/enforce-version: latest
 spec:
   selector:
     matchLabels:
@@ -62,13 +62,8 @@ spec:
       #               - linux
       securityContext:
         runAsNonRoot: true
-        # TODO(user): For common cases that do not require escalating privileges
-        # it is recommended to ensure that all your Pods/Containers are restrictive.
-        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
-        # Please uncomment the following code if your project does NOT have to work on old Kubernetes
-        # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
-        # seccompProfile:
-        #   type: RuntimeDefault
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - command:
         - /manager
