label namespace to comply with Pod Security Admission

Author: boddumanohar

src/deployment/__init__.py

@@ -77,6 +77,11 @@
 _LOAD_BALANCER_POLL_INTERVAL_SECONDS = float(2)
 _OVERLAY_IP_TIMEOUT_SECONDS = float(300)
 _OVERLAY_IP_POLL_INTERVAL_SECONDS = float(5)
+_POD_SECURITY_LABELS = {
+    "pod-security.kubernetes.io/enforce": "privileged",
+    "pod-security.kubernetes.io/audit": "privileged",
+    "pod-security.kubernetes.io/warn": "privileged",
+}
 DNSRecordType = Literal["AAAA", "CNAME"]
 DATABASE_DNS_RECORD_TYPE: Literal["AAAA"] = "AAAA"
 
@@ -494,6 +499,8 @@ async def create_vela_config(
         branch_id,
     )
 
+    await kube_service.ensure_namespace(namespace, labels=_POD_SECURITY_LABELS)
+
     chart = resources.files(__package__) / "charts" / "vela"
     compose_file = _configure_compose_storage(
         _load_compose_manifest(),

src/deployment/kubernetes/__init__.py

@@ -1,5 +1,6 @@
 import logging
 import math
+from collections.abc import Mapping
 from copy import deepcopy
 from typing import Any
 
@@ -18,9 +19,13 @@ async def delete_namespace(self, namespace: str) -> None:
         async with core_v1_client() as core_v1:
             await core_v1.delete_namespace(name=namespace)
 
-    async def ensure_namespace(self, namespace: str) -> None:
+    async def ensure_namespace(self, namespace: str, *, labels: Mapping[str, str] | None = None) -> None:
+        metadata_kwargs: dict[str, Any] = {"name": namespace}
+        if labels:
+            metadata_kwargs["labels"] = labels
+
         async with core_v1_client() as core_v1:
-            body = client.V1Namespace(metadata=client.V1ObjectMeta(name=namespace))
+            body = client.V1Namespace(metadata=client.V1ObjectMeta(**metadata_kwargs))
             try:
                 await core_v1.create_namespace(body=body)
             except client.exceptions.ApiException as exc: