final

ca-gip · Jan 5, 2024 · fa27575 · fa27575
1 parent 69b68a7
commit fa27575
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 2 deletions.
diff --git a/Readme.md b/Readme.md
@@ -105,6 +105,10 @@ For specific exceptions, add another network policy.
 |  **CUSTOM_LABELS**                 | *Add custom labels to namespaces*    | `quota=managed,monitoring=true`  | `no   `     | -           |
 |  **DEFAULT_PERMISSION**            | *ClusterRole associated with default service account*    | `view`       | `no   `     | -           |
 |  **BLACKLIST**                     | *Ignore Project*                     | `my-project-dev`                 | `no   `     | -           |
+|  **PODSECURITYADMISSION_ENFORCEMENT**                     | *PodSecurityAdmission  Enforcement*                     | `restricted`                 | `no   `     | `baseline  `           |
+|  **PODSECURITYADMISSION_WARNING**                     | *PodSecurityAdmission Warning*                     | `restricted`                 | `no   `     | `restricted  `           |
+|  **PODSECURITYADMISSION_AUDIT**                     | *PodSecurityAdmission Audit*                     | `restricted`                 | `no   `     | `restricted  `           |
+|  **PRIVILEGED_NAMESPACES**                     | *Namespaces allowed to use privileged annotation*                     | `native-development`                 | `no   `     | -           |
 
 ## Versioning
 

diff --git a/internal/utils/constants.go b/internal/utils/constants.go
@@ -55,6 +55,8 @@ const (
 	PodSecurityAdmissionEnforcement = "baseline"
 	PodSecurityAdmissionWarning     = "restricted"
 	PodSecurityAdmissionAudit       = "restricted"
+
+	PodSecurityPrivileged = "privileged"
 )
 
 var BlacklistedNamespaces = []string{

diff --git a/internal/utils/helpers.go b/internal/utils/helpers.go
@@ -53,8 +53,8 @@ func Union(a map[string]string, b map[string]string) map[string]string {
 func IsInPrivilegedNamespacesList(namespace string) string {
 	for _, nsItem := range Config.PrivilegedNamespaces {
 		if strings.Contains(nsItem, namespace) {
-			Log.Info().Msgf("Namespace %v is labeled as privileged", namespace)
-			return "privileged"
+			Log.Warn().Msgf("Namespace %v is labeled as privileged", namespace)
+			return PodSecurityPrivileged
 		}
 	}
 	return Config.PodSecurityAdmissionEnforcement