From 2fa0034df330ff9032b0a04fe745ffa74f2ec7ef Mon Sep 17 00:00:00 2001 From: Todd Malsbary Date: Wed, 10 Nov 2021 11:43:33 -0800 Subject: [PATCH] Enable pod security policies Signed-off-by: Todd Malsbary Change-Id: Ifb2bf5aaccbc58e5e761508197b01197e62ed707 --- deploy/clusters/clusters.sh | 148 ++++++++++ deploy/clusters/templates/clusterresourceset.yaml | 2 + deploy/clusters/templates/kubeadmcontrolplane.yaml | 4 + deploy/clusters/templates/podsecurity-addon.yaml | 301 +++++++++++++++++++++ deploy/podsecurity/.helmignore | 23 ++ deploy/podsecurity/Chart.yaml | 8 + deploy/podsecurity/templates/rolebinding.yaml | 14 + deploy/podsecurity/values.yaml | 3 + deploy/site/vm/e2etest/cdi-operator-release.yaml | 2 + deploy/site/vm/e2etest/cpu-manager-release.yaml | 2 + deploy/site/vm/e2etest/emco-db-release.yaml | 2 + .../site/vm/e2etest/emco-podsecurity-release.yaml | 22 ++ deploy/site/vm/e2etest/emco-tools-release.yaml | 2 + .../site/vm/e2etest/kubevirt-operator-release.yaml | 2 + deploy/site/vm/e2etest/kud-podsecurity.yaml | 22 ++ deploy/site/vm/e2etest/multus-cni-release.yaml | 2 + .../vm/e2etest/node-feature-discovery-release.yaml | 2 + deploy/site/vm/e2etest/ovn4nfv-release.yaml | 2 + .../site/vm/e2etest/qat-device-plugin-release.yaml | 2 + .../vm/e2etest/sriov-network-operator-release.yaml | 2 + 20 files changed, 567 insertions(+) create mode 100644 deploy/clusters/templates/podsecurity-addon.yaml create mode 100644 deploy/podsecurity/.helmignore create mode 100644 deploy/podsecurity/Chart.yaml create mode 100644 deploy/podsecurity/templates/rolebinding.yaml create mode 100644 deploy/podsecurity/values.yaml create mode 100644 deploy/site/vm/e2etest/emco-podsecurity-release.yaml create mode 100644 deploy/site/vm/e2etest/kud-podsecurity.yaml diff --git a/deploy/clusters/clusters.sh b/deploy/clusters/clusters.sh index b10d2ca..73f63d8 100755 --- a/deploy/clusters/clusters.sh +++ b/deploy/clusters/clusters.sh 
@@ -68,6 +68,154 @@ $(kubectl create configmap flux-addon --from-file=${SCRIPTDIR}/addons/flux-syste {{- end }} EOF sed -i -e 's/ name: flux-addon/ name: {{ $clusterName }}-flux-addon/' ${SCRIPTDIR}/templates/flux-addon.yaml + + # PodSecurityPolicy is being replaced in future versions of K8s. + # The recommended practice is described by K8s at + # - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#recommended-practice + # - https://kubernetes.io/docs/concepts/security/pod-security-standards/ + # and provides three levels: privileged, baseline, and restricted. + # + # The question to answer here is how to reconcile the K8s levels + # against the Akraino security requirements. + # + # For the time being, the below populates the cluster with the K8s + # recommended levels and provides an additional policy (icn) bound + # to the system:authenticated group to meet the Akraino + # requirements. + cat <${SCRIPTDIR}/addons/podsecurity.yaml +--- +$(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/privileged-psp.yaml) +--- +$(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/baseline-psp.yaml) +--- +$(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/restricted-psp.yaml) +--- +$(curl -sL https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/policy/privileged-psp.yaml | + sed -e 's/ name: privileged/ name: icn/' | + sed -e '/^ allowedCapabilities:/,/^ [!-]/d') + allowedCapabilities: + - 'NET_ADMIN' + - 'SYS_ADMIN' + - 'SYS_NICE' + - 'SYS_PTRACE' + requiredDropCapabilities: + - 'NET_RAW' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: psp:privileged + labels: + addonmanager.kubernetes.io/mode: Reconcile +rules: +- apiGroups: + - policy + resourceNames: + - privileged + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 
+kind: ClusterRole +metadata: + name: psp:baseline + labels: + addonmanager.kubernetes.io/mode: Reconcile +rules: +- apiGroups: + - policy + resourceNames: + - baseline + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: psp:icn + labels: + addonmanager.kubernetes.io/mode: Reconcile +rules: +- apiGroups: + - policy + resourceNames: + - icn + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: psp:restricted + labels: + addonmanager.kubernetes.io/mode: Reconcile +rules: +- apiGroups: + - policy + resourceNames: + - restricted + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: psp:privileged:nodes + namespace: kube-system + labels: + addonmanager.kubernetes.io/mode: Reconcile +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: psp:privileged +subjects: +- kind: Group + name: system:nodes + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: psp:privileged:kube-system + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: psp:privileged +subjects: +- kind: Group + name: system:serviceaccounts:kube-system + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: psp:icn:any +roleRef: + kind: ClusterRole + name: psp:icn + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: Group + name: system:authenticated + apiGroup: rbac.authorization.k8s.io +EOF + cat <${SCRIPTDIR}/templates/podsecurity-addon.yaml +{{- range \$clusterName, \$cluster := .Values.clusters }} +--- +$(kubectl create configmap podsecurity-addon --from-file=${SCRIPTDIR}/addons/podsecurity.yaml -o yaml --dry-run=client) +{{- end }} +EOF + 
sed -i -e 's/ name: podsecurity-addon/ name: {{ $clusterName }}-podsecurity-addon/' ${SCRIPTDIR}/templates/podsecurity-addon.yaml + } case $1 in diff --git a/deploy/clusters/templates/clusterresourceset.yaml b/deploy/clusters/templates/clusterresourceset.yaml index 5146d3a..d12e253 100644 --- a/deploy/clusters/templates/clusterresourceset.yaml +++ b/deploy/clusters/templates/clusterresourceset.yaml @@ -17,4 +17,6 @@ spec: - name: {{ $clusterName }}-flux-addon kind: ConfigMap {{- end }} + - name: {{ $clusterName }}-podsecurity-addon + kind: ConfigMap {{- end }} diff --git a/deploy/clusters/templates/kubeadmcontrolplane.yaml b/deploy/clusters/templates/kubeadmcontrolplane.yaml index a3881b6..307c047 100644 --- a/deploy/clusters/templates/kubeadmcontrolplane.yaml +++ b/deploy/clusters/templates/kubeadmcontrolplane.yaml @@ -6,6 +6,10 @@ metadata: name: {{ $clusterName }} spec: kubeadmConfigSpec: + clusterConfiguration: + apiServer: + extraArgs: + enable-admission-plugins: NodeRestriction,PodSecurityPolicy initConfiguration: nodeRegistration: kubeletExtraArgs: diff --git a/deploy/clusters/templates/podsecurity-addon.yaml b/deploy/clusters/templates/podsecurity-addon.yaml new file mode 100644 index 0000000..55b9607 --- /dev/null +++ b/deploy/clusters/templates/podsecurity-addon.yaml 
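Review bot: The `psp:icn:any` ClusterRoleBinding grants `system:authenticated` — which includes every service account in every namespace — use of a policy that keeps `privileged: true` from the upstream privileged PSP, so the `allowedCapabilities` list and `requiredDropCapabilities: NET_RAW` appended to `icn` restrict nothing (a privileged container receives the full capability set regardless of those lists), and since PSP admission accepts a pod as soon as any policy the requester may use validates it, the per-namespace `psp:baseline`/`psp:restricted` bindings from the podsecurity chart cannot actually deny hostPID, hostIPC, hostNetwork or hostPath pods anywhere. If the Akraino requirement is a capped capability set, the derived policy needs `privileged: false` (with `hostPID`/`hostIPC` reconsidered), and the binding should be per namespace rather than cluster-wide. Separately, the four `curl -sL …/kubernetes/website/main/…` calls embed policy text fetched unpinned from a mutable branch with errors silenced, so a failed fetch yields empty documents and an `icn` document consisting only of the appended capability lines; pin to a tag or commit and use `curl -fsSL` with an exit-status check, or vendor the three files under `addons/`. The function that emits these heredocs begins before the hunk.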
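Review bot: Adding the podsecurity ConfigMap to the ClusterResourceSet means it is applied when a cluster first matches, and as far as I recall ClusterResourceSet only offered an apply-once strategy at this point, so later edits to `podsecurity.yaml` (a tightened `icn` policy, say) are not pushed to clusters that already exist; a comment such as `# applied once at cluster creation; policy changes are not re-applied to existing clusters` next to the entry would save the next maintainer a debugging session. The `range` over `.Values.clusters` enclosing this entry starts before the hunk.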
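Review bot: `enable-admission-plugins: NodeRestriction,PodSecurityPolicy` hard-codes an admission plugin that Kubernetes removed in 1.25 together with the `policy/v1beta1` PodSecurityPolicy API, so a control plane rendered from this template at that version or later will fail to start, and nothing in the hunk records a version constraint; add `# PodSecurityPolicy admission is removed in Kubernetes 1.25; switch to the built-in PodSecurity admission (pod-security.kubernetes.io namespace labels) before upgrading` above the line, or gate the flag on the cluster's configured version. Note also that once this plugin is on, every non-static pod is rejected until the ClusterResourceSet has applied the podsecurity ConfigMap; kube-system workloads presumably recover through controller retries, but a comment saying so would explain the bring-up delay. The `kubeadmConfigSpec` this nests in continues beyond the hunk.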
@@ -0,0 +1,301 @@ +{{- range $clusterName, $cluster := .Values.clusters }} +--- +apiVersion: v1 +data: + podsecurity.yaml: | + --- + apiVersion: policy/v1beta1 + kind: PodSecurityPolicy + metadata: + name: privileged + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + spec: + privileged: true + allowPrivilegeEscalation: true + allowedCapabilities: + - '*' + volumes: + - '*' + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + hostIPC: true + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + --- + apiVersion: policy/v1beta1 + kind: PodSecurityPolicy + metadata: + name: baseline + annotations: + # Optional: Allow the default AppArmor profile, requires setting the default. + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + spec: + privileged: false + # The moby default capability set, minus NET_RAW + allowedCapabilities: + - 'CHOWN' + - 'DAC_OVERRIDE' + - 'FSETID' + - 'FOWNER' + - 'MKNOD' + - 'SETGID' + - 'SETUID' + - 'SETFCAP' + - 'SETPCAP' + - 'NET_BIND_SERVICE' + - 'SYS_CHROOT' + - 'KILL' + - 'AUDIT_WRITE' + # Allow all volume types except hostpath + volumes: + # 'core' volume types + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + # Assume that ephemeral CSI drivers & persistentVolumes set up by the cluster admin are safe to use. + - 'csi' + - 'persistentVolumeClaim' + - 'ephemeral' + # Allow all other non-hostpath volume types. 
+ - 'awsElasticBlockStore' + - 'azureDisk' + - 'azureFile' + - 'cephFS' + - 'cinder' + - 'fc' + - 'flexVolume' + - 'flocker' + - 'gcePersistentDisk' + - 'gitRepo' + - 'glusterfs' + - 'iscsi' + - 'nfs' + - 'photonPersistentDisk' + - 'portworxVolume' + - 'quobyte' + - 'rbd' + - 'scaleIO' + - 'storageos' + - 'vsphereVolume' + hostNetwork: false + hostIPC: false + hostPID: false + readOnlyRootFilesystem: false + runAsUser: + rule: 'RunAsAny' + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + # The PSP SELinux API cannot express the SELinux Pod Security Standards, + # so if using SELinux, you must choose a more restrictive default. + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + --- + apiVersion: policy/v1beta1 + kind: PodSecurityPolicy + metadata: + name: restricted + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + # Assume that ephemeral CSI drivers & persistentVolumes set up by the cluster admin are safe to use. + - 'csi' + - 'persistentVolumeClaim' + - 'ephemeral' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'MustRunAsNonRoot' + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. 
+ - min: 1 + max: 65535 + readOnlyRootFilesystem: false + --- + apiVersion: policy/v1beta1 + kind: PodSecurityPolicy + metadata: + name: icn + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + spec: + privileged: true + allowPrivilegeEscalation: true + volumes: + - '*' + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + hostIPC: true + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + allowedCapabilities: + - 'NET_ADMIN' + - 'SYS_ADMIN' + - 'SYS_NICE' + - 'SYS_PTRACE' + requiredDropCapabilities: + - 'NET_RAW' + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: psp:privileged + labels: + addonmanager.kubernetes.io/mode: Reconcile + rules: + - apiGroups: + - policy + resourceNames: + - privileged + resources: + - podsecuritypolicies + verbs: + - use + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: psp:baseline + labels: + addonmanager.kubernetes.io/mode: Reconcile + rules: + - apiGroups: + - policy + resourceNames: + - baseline + resources: + - podsecuritypolicies + verbs: + - use + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: psp:icn + labels: + addonmanager.kubernetes.io/mode: Reconcile + rules: + - apiGroups: + - policy + resourceNames: + - icn + resources: + - podsecuritypolicies + verbs: + - use + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: psp:restricted + labels: + addonmanager.kubernetes.io/mode: Reconcile + rules: + - apiGroups: + - policy + resourceNames: + - restricted + resources: + - podsecuritypolicies + verbs: + - use + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: psp:privileged:nodes + namespace: kube-system + labels: + addonmanager.kubernetes.io/mode: Reconcile + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: 
ClusterRole + name: psp:privileged + subjects: + - kind: Group + name: system:nodes + apiGroup: rbac.authorization.k8s.io + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: psp:privileged:kube-system + namespace: kube-system + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: psp:privileged + subjects: + - kind: Group + name: system:serviceaccounts:kube-system + apiGroup: rbac.authorization.k8s.io + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: psp:icn:any + roleRef: + kind: ClusterRole + name: psp:icn + apiGroup: rbac.authorization.k8s.io + subjects: + - kind: Group + name: system:authenticated + apiGroup: rbac.authorization.k8s.io +kind: ConfigMap +metadata: + creationTimestamp: null + name: {{ $clusterName }}-podsecurity-addon +{{- end }} diff --git a/deploy/podsecurity/.helmignore b/deploy/podsecurity/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/deploy/podsecurity/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/deploy/podsecurity/Chart.yaml b/deploy/podsecurity/Chart.yaml new file mode 100644 index 0000000..6dc32c3 --- /dev/null +++ b/deploy/podsecurity/Chart.yaml @@ -0,0 +1,8 @@ +# A simple chart to create a RoleBinding of a Namespace to a +# PodSecurityPolicy. This can be used with the Flux "dependsOn" +# feature to install the binding before deploying additional +# HelmReleases into the Namespace. +apiVersion: v2 +name: podsecurity +type: application +version: 0.1.0 
diff --git a/deploy/podsecurity/templates/rolebinding.yaml b/deploy/podsecurity/templates/rolebinding.yaml new file mode 100644 index 0000000..918439f --- /dev/null +++ b/deploy/podsecurity/templates/rolebinding.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Values.roleRef }}-{{ .Release.Namespace }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.roleRef }} +subjects: +- kind: Group + name: system:serviceaccounts:{{ .Release.Namespace }} + apiGroup: rbac.authorization.k8s.io diff --git a/deploy/podsecurity/values.yaml b/deploy/podsecurity/values.yaml new file mode 100644 index 0000000..777e6c6 --- /dev/null +++ b/deploy/podsecurity/values.yaml @@ -0,0 +1,3 @@ +# Under ICN, roleRef may be psp:restricted, psp:baseline, or +# psp:privileged +roleRef: psp:baseline diff --git a/deploy/site/vm/e2etest/cdi-operator-release.yaml b/deploy/site/vm/e2etest/cdi-operator-release.yaml index 4f1a2e2..acef817 100644 --- a/deploy/site/vm/e2etest/cdi-operator-release.yaml +++ b/deploy/site/vm/e2etest/cdi-operator-release.yaml @@ -18,3 +18,5 @@ spec: targetNamespace: kud install: createNamespace: true + dependsOn: + - name: kud-podsecurity diff --git a/deploy/site/vm/e2etest/cpu-manager-release.yaml b/deploy/site/vm/e2etest/cpu-manager-release.yaml index 25a25e0..5ac0e43 100644 --- a/deploy/site/vm/e2etest/cpu-manager-release.yaml +++ b/deploy/site/vm/e2etest/cpu-manager-release.yaml @@ -18,3 +18,5 @@ spec: targetNamespace: kud install: createNamespace: true + dependsOn: + - name: kud-podsecurity diff --git a/deploy/site/vm/e2etest/emco-db-release.yaml b/deploy/site/vm/e2etest/emco-db-release.yaml index 3660206..8f15512 100644 --- a/deploy/site/vm/e2etest/emco-db-release.yaml +++ b/deploy/site/vm/e2etest/emco-db-release.yaml 
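Review bot: The subject is the whole `system:serviceaccounts:{{ .Release.Namespace }}` group, so with `roleRef: psp:privileged` every service account in the namespace — including `default` — may run privileged pods, not only the operator that needs it; an optional `serviceAccounts` list value rendering one `ServiceAccount` subject each, falling back to the group when unset, would keep the grant to least privilege. `roleRef` is also interpolated unquoted and unchecked even though values.yaml names exactly three accepted values; `name: {{ required "roleRef must be psp:restricted, psp:baseline or psp:privileged" .Values.roleRef | quote }}`, plus a `fail` when the value is outside that set, would catch a typo that otherwise silently binds the namespace to a non-existent ClusterRole. The RoleBinding template is complete within the hunk.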
@@ -18,6 +18,8 @@ spec: targetNamespace: emco install: createNamespace: true + dependsOn: + - name: emco-podsecurity values: global: repository: integratedcloudnative/ diff --git a/deploy/site/vm/e2etest/emco-podsecurity-release.yaml b/deploy/site/vm/e2etest/emco-podsecurity-release.yaml new file mode 100644 index 0000000..20c6c20 --- /dev/null +++ b/deploy/site/vm/e2etest/emco-podsecurity-release.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: emco-podsecurity + namespace: flux-system +spec: + interval: 5m + chart: + spec: + chart: deploy/podsecurity + sourceRef: + kind: GitRepository + name: icn + namespace: flux-system + interval: 1m + releaseName: emco-podsecurity + targetNamespace: emco + install: + createNamespace: true + values: + roleRef: psp:privileged diff --git a/deploy/site/vm/e2etest/emco-tools-release.yaml b/deploy/site/vm/e2etest/emco-tools-release.yaml index e670d87..aec92a7 100644 --- a/deploy/site/vm/e2etest/emco-tools-release.yaml +++ b/deploy/site/vm/e2etest/emco-tools-release.yaml @@ -18,6 +18,8 @@ spec: targetNamespace: emco install: createNamespace: true + dependsOn: + - name: emco-podsecurity values: global: repository: integratedcloudnative/ diff --git a/deploy/site/vm/e2etest/kubevirt-operator-release.yaml b/deploy/site/vm/e2etest/kubevirt-operator-release.yaml index c588c20..eb77f1c 100644 --- a/deploy/site/vm/e2etest/kubevirt-operator-release.yaml +++ b/deploy/site/vm/e2etest/kubevirt-operator-release.yaml @@ -18,3 +18,5 @@ spec: targetNamespace: kud install: createNamespace: true + dependsOn: + - name: kud-podsecurity diff --git a/deploy/site/vm/e2etest/kud-podsecurity.yaml b/deploy/site/vm/e2etest/kud-podsecurity.yaml new file mode 100644 index 0000000..387c8e1 --- /dev/null +++ b/deploy/site/vm/e2etest/kud-podsecurity.yaml 
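Review bot: `roleRef: psp:privileged` binds every service account in the `emco` namespace to the privileged policy, yet the releases made to depend on it here are `emco-db` and `emco-tools` — database and tooling workloads that, as far as this diff shows, have no need for hostPath, hostPID or privileged containers; start from the chart default `psp:baseline` and escalate a specific release only if its pods are rejected, recording the reason in a comment such as `# privileged needed by: <component> (<why>)`. Without that, the privilege level granted to EMCO is invisible to anyone reading the EMCO releases themselves.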
@@ -0,0 +1,22 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: kud-podsecurity + namespace: flux-system +spec: + interval: 5m + chart: + spec: + chart: deploy/podsecurity + sourceRef: + kind: GitRepository + name: icn + namespace: flux-system + interval: 1m + releaseName: kud-podsecurity + targetNamespace: kud + install: + createNamespace: true + values: + roleRef: psp:privileged diff --git a/deploy/site/vm/e2etest/multus-cni-release.yaml b/deploy/site/vm/e2etest/multus-cni-release.yaml index df2039a..d43f084 100644 --- a/deploy/site/vm/e2etest/multus-cni-release.yaml +++ b/deploy/site/vm/e2etest/multus-cni-release.yaml @@ -18,3 +18,5 @@ spec: targetNamespace: kud install: createNamespace: true + dependsOn: + - name: kud-podsecurity diff --git a/deploy/site/vm/e2etest/node-feature-discovery-release.yaml b/deploy/site/vm/e2etest/node-feature-discovery-release.yaml index 8ebe339..02c1c29 100644 --- a/deploy/site/vm/e2etest/node-feature-discovery-release.yaml +++ b/deploy/site/vm/e2etest/node-feature-discovery-release.yaml @@ -18,3 +18,5 @@ spec: targetNamespace: kud install: createNamespace: true + dependsOn: + - name: kud-podsecurity diff --git a/deploy/site/vm/e2etest/ovn4nfv-release.yaml b/deploy/site/vm/e2etest/ovn4nfv-release.yaml index 64e3bc2..c897be6 100644 --- a/deploy/site/vm/e2etest/ovn4nfv-release.yaml +++ b/deploy/site/vm/e2etest/ovn4nfv-release.yaml @@ -18,3 +18,5 @@ spec: targetNamespace: kud install: createNamespace: true + dependsOn: + - name: kud-podsecurity diff --git a/deploy/site/vm/e2etest/qat-device-plugin-release.yaml b/deploy/site/vm/e2etest/qat-device-plugin-release.yaml index cb08481..6e2cc1e 100644 --- a/deploy/site/vm/e2etest/qat-device-plugin-release.yaml +++ b/deploy/site/vm/e2etest/qat-device-plugin-release.yaml @@ -18,3 +18,5 @@ spec: targetNamespace: kud install: createNamespace: true + dependsOn: + - name: kud-podsecurity 
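Review bot: A single namespace-wide `psp:privileged` grant for `kud` covers every service account there, including `default` and those of releases that likely do not need it (cpu-manager, node-feature-discovery, cdi-operator), alongside the CNI and SR-IOV operators that plausibly do; consider binding per service account, or separating the privileged operators into their own namespace, so the privileged set is explicit, and add a comment listing which releases require it. The file is also named `kud-podsecurity.yaml` while its sibling is `emco-podsecurity-release.yaml`; rename it to `kud-podsecurity-release.yaml` to match the other HelmRelease manifests in this directory.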
diff --git a/deploy/site/vm/e2etest/sriov-network-operator-release.yaml b/deploy/site/vm/e2etest/sriov-network-operator-release.yaml index 74ba035..44f8ffd 100644 --- a/deploy/site/vm/e2etest/sriov-network-operator-release.yaml +++ b/deploy/site/vm/e2etest/sriov-network-operator-release.yaml @@ -18,3 +18,5 @@ spec: targetNamespace: kud install: createNamespace: true + dependsOn: + - name: kud-podsecurity -- 2.16.6