diff --git a/api/v1beta1/hostedcluster_types.go b/api/v1beta1/hostedcluster_types.go
index 75c6e4cda8f..71b1f532f61 100644
--- a/api/v1beta1/hostedcluster_types.go
+++ b/api/v1beta1/hostedcluster_types.go
@@ -197,6 +197,11 @@ const (
 // AllowGuestWebhooksServiceLabel marks a service deployed in the control plane as a valid target
 // for validating/mutating webhooks running in the guest cluster.
 AllowGuestWebhooksServiceLabel = "hypershift.openshift.io/allow-guest-webhooks"
+
+ // PodSecurityAdmissionLabelOverrideAnnotation allows overriding the pod security admission label on
+ // hosted control plane namespacces. The default is 'Restricted'. Valid values are 'Restricted', 'Baseline', or 'Privileged'
+ // See https://github.com/openshift/enhancements/blob/master/enhancements/authentication/pod-security-admission.md
+ PodSecurityAdmissionLabelOverrideAnnotation = "hypershift.openshift.io/pod-security-admission-label-override"
 )
 
 // HostedClusterSpec is the desired behavior of a HostedCluster.
diff --git a/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go b/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
index 95682ad5f83..0638325cdc6 100644
--- a/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
+++ b/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
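Review bot: The doc comment on PodSecurityAdmissionLabelOverrideAnnotation lists the valid values as 'Restricted', 'Baseline', or 'Privileged', but the controller copies this value straight into the pod-security.kubernetes.io/enforce, audit and warn labels, and those labels only accept the lowercase level names privileged, baseline and restricted, so a user following the comment literally gets a namespace label the PodSecurity admission plugin rejects. The same line also misspells "namespacces". Suggest replacing the second comment line with `// hosted control plane namespaces. The default is "restricted". Valid values are "privileged", "baseline", or "restricted" (lowercase, as the label requires).` so the documented contract matches what the labels accept.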
@@ -997,7 +997,12 @@ func (r *HostedClusterReconciler) reconcile(ctx context.Context, req ctrl.Reques
 controlPlaneNamespace.Labels["hypershift.openshift.io/hosted-control-plane"] = "true"
 // Set pod security labels on HCP namespace
-if useRestrictedPSA {
+psaOverride := hcluster.Annotations[hyperv1.PodSecurityAdmissionLabelOverrideAnnotation]
+if psaOverride != "" {
+controlPlaneNamespace.Labels["pod-security.kubernetes.io/enforce"] = psaOverride
+controlPlaneNamespace.Labels["pod-security.kubernetes.io/audit"] = psaOverride
+controlPlaneNamespace.Labels["pod-security.kubernetes.io/warn"] = psaOverride
+} else if useRestrictedPSA {
 controlPlaneNamespace.Labels["pod-security.kubernetes.io/enforce"] = "restricted"
 controlPlaneNamespace.Labels["pod-security.kubernetes.io/audit"] = "restricted"
 controlPlaneNamespace.Labels["pod-security.kubernetes.io/warn"] = "restricted"
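Review bot: `psaOverride` is written verbatim into the three `pod-security.kubernetes.io/*` labels with no check against the documented set, so a typo or a capitalized value such as `Restricted` yields labels the PodSecurity admission plugin rejects when the namespace is applied, and the reconcile then keeps failing with an error that points at the namespace rather than the annotation. Validate the annotation against the lowercase level names before applying it and return a clear error (or set a condition) instead; the sketch below assumes reconcile returns `(ctrl.Result, error)`, which the truncated hunk header does not show. Because the annotation lives on the HostedCluster, anyone who can edit that object can now relax the hosted control plane namespace to `privileged`, so it is worth logging the override at apply time and mentioning that trust boundary in the annotation's doc. The enclosing reconcile function starts and ends outside this hunk.
```go
psaOverride := hcluster.Annotations[hyperv1.PodSecurityAdmissionLabelOverrideAnnotation]
switch psaOverride {
case "", "privileged", "baseline", "restricted":
	// accepted PodSecurity levels; label values must be lowercase
default:
	return ctrl.Result{}, fmt.Errorf("invalid %s annotation value %q: must be one of privileged, baseline, restricted", hyperv1.PodSecurityAdmissionLabelOverrideAnnotation, psaOverride)
}
// … unchanged: label assignment for psaOverride / useRestrictedPSA …
```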