openshift · openshift-merge-bot · Feb 20, 2024 · Jan 17, 2024 · Jan 18, 2024 · Jan 19, 2024
diff --git a/main.go b/main.go
@@ -20,14 +20,15 @@ import (
 	"context"
 	"flag"
 	"fmt"
+	"os"
+
 	"github.com/openshift/oadp-operator/pkg/common"
 	monitor "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/kubernetes"
-	"os"
 	client "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 
@@ -57,12 +58,22 @@ var (
 	setupLog = ctrl.Log.WithName("setup")
 )
 
-// WebIdentityTokenPath mount present on operator CSV
-const WebIdentityTokenPath = "/var/run/secrets/openshift/serviceaccount/token"
+const (
+	// WebIdentityTokenPath mount present on operator CSV
+	WebIdentityTokenPath = "/var/run/secrets/openshift/serviceaccount/token"
+
+	// CloudCredentials API constants
+	CloudCredentialGroupVersion = "cloudcredential.openshift.io/v1"
+	CloudCredentialsCRDName     = "credentialsrequests"
 
-// CloudCredentials API constants
-const CloudCredentialGroupVersion = "cloudcredential.openshift.io/v1"
-const CloudCredentialsCRDName = "credentialsrequests"
+	// Pod security admission (PSA) labels
+	psaLabelPrefix = "pod-security.kubernetes.io/"
+	enforceLabel   = psaLabelPrefix + "enforce"
+	auditLabel     = psaLabelPrefix + "audit"
+	warnLabel      = psaLabelPrefix + "warn"
+
+	privileged = "privileged"
+)
 
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
@@ -222,12 +233,12 @@ func getWatchNamespace() (string, error) {
 	return ns, nil
 }
 
-// setting privileged pod security labels to OADP operator namespace
+// setting Pod security admission (PSA) labels to privileged in OADP operator namespace
 func addPodSecurityPrivilegedLabels(watchNamespaceName string) error {
-	setupLog.Info("patching operator namespace with PSA labels")
+	setupLog.Info("patching operator namespace with Pod security admission (PSA) labels to privileged")
 
 	if len(watchNamespaceName) == 0 {
-		return fmt.Errorf("cannot add privileged pod security labels, watchNamespaceName is empty")
+		return fmt.Errorf("cannot patch operator namespace with PSA labels to privileged, watchNamespaceName is empty")
 	}
 
 	kubeconf := ctrl.GetConfigOrDie()
@@ -243,17 +254,17 @@ func addPodSecurityPrivilegedLabels(watchNamespaceName string) error {
 		return err
 	}
 
-	privilegedLabels := map[string]string{
-		"pod-security.kubernetes.io/enforce": "privileged",
-		"pod-security.kubernetes.io/audit":   "privileged",
-		"pod-security.kubernetes.io/warn":    "privileged",
-	}
+	namespaceLabels := operatorNamespace.GetLabels()
+	// overwrite PSA labels, if they exist; otherwise, add them
+	namespaceLabels[enforceLabel] = privileged
+	namespaceLabels[auditLabel] = privileged
+	namespaceLabels[warnLabel] = privileged
 
-	operatorNamespace.SetLabels(privilegedLabels)
+	operatorNamespace.SetLabels(namespaceLabels)
 
 	_, err = clientset.CoreV1().Namespaces().Update(context.TODO(), operatorNamespace, metav1.UpdateOptions{})
 	if err != nil {
-		setupLog.Error(err, "problem patching operator namespace for privileged pod security labels")
+		setupLog.Error(err, "problem patching operator namespace with PSA labels to privileged")
 		return err
 	}
 	return nil