Operator Runtime / OPRUN-2723

Update PlatformOperator's namespace to be PSA compliant


    • Story
    • Resolution: Done
    • Normal
    • [OLM-224] FBC/PSA - Pikachu

      In a recent effort to update our systems to respect and work with PSA changes, we are updating openshift-* namespaces to have two labels set:

      pod-security.kubernetes.io/enforce: restricted
      pod-security.kubernetes.io/enforce-version: <kubernetes version used in payload>

      To do this, we just need to add the labels to the repo's namespace manifest and make sure it is generated into the manifests directory. The only complex part may be keeping the enforce-version up to date, so we should look into that.

      For more information, reference the official documentation for this subject:

      https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/

       

      Open Questions:

      • Can we set the enforce-version field to 'latest' so we don't need to update it per-minor-version release?
      • Is there any OpenShift policy for the enforce-version key?

      AC:

      • Update the o/platform-operators repository and add the relevant pod security labels to the namespace manifests
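
A CI-style check for the concern above about keeping enforce-version current, as an added example that is not part of the ticket or the platform-operators repository: it reads the PSA labels from a Namespace manifest and compares enforce-version to the payload's Kubernetes minor version. The manifest, namespace name, version values and the `payload_version` parameter are constructed for illustration.

```python
import re

# Matches one PSA label line in a Namespace manifest, quoted or unquoted value.
LABEL_RE = re.compile(
    r"^\s+pod-security\.kubernetes\.io/([a-z-]+):\s*[\"']?([^\"'\s#]+)[\"']?")
LEVELS = {"privileged", "baseline", "restricted"}
VERSION_RE = re.compile(r"^(latest|v\d+\.\d+)$")

# Constructed sample manifest; the namespace name and version are placeholders.
SAMPLE = """\
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-example
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.25
"""

def psa_labels(manifest):
    """Return {mode-or-mode-version: value} for every PSA label in the text."""
    found = {}
    for line in manifest.splitlines():
        m = LABEL_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def check_namespace(manifest, payload_version, level="restricted"):
    """List findings; an empty list means the labels match the ticket's intent."""
    labels, findings = psa_labels(manifest), []
    enforce = labels.get("enforce")
    if enforce not in LEVELS:
        findings.append(f"enforce missing or invalid: {enforce!r}")
    elif enforce != level:
        findings.append(f"enforce is {enforce!r}, expected {level!r}")
    version = labels.get("enforce-version")
    if version is None or not VERSION_RE.match(version):
        findings.append(f"enforce-version missing or invalid: {version!r}")
    elif version == "latest":
        findings.append("enforce-version is 'latest', not pinned to the payload")
    elif version != payload_version:
        findings.append(f"enforce-version {version} != payload {payload_version}")
    return findings

if __name__ == "__main__":
    print(check_namespace(SAMPLE, "v1.25"))   # labels match the payload
    print(check_namespace(SAMPLE, "v1.26"))   # label went stale after a bump
```

Run against the generated manifests directory in CI, a non-empty result fails the build when a payload bump leaves the pinned version behind.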

              anik120 Anik Bhattacharjee
              tyslaton@redhat.com Tyler Slaton (Inactive)