feat: add PodSecurityStandard setting (#842)

* feat: add PodSecurity Standard setting Signed-off-by: Andy Lee <andy.lee@suse.com> * refactor: unneeded change Signed-off-by: Andy Lee <andy.lee@suse.com> * refactor: filter by isSystem namespace Signed-off-by: Andy Lee <andy.lee@suse.com> * refactor: add fallback logic Signed-off-by: Andy Lee <andy.lee@suse.com> --------- Signed-off-by: Andy Lee <andy.lee@suse.com>
2026-05-14 06:51:46 +00:00 · 2026-05-07 13:15:47 +08:00 · 2026-05-07 13:15:47 +08:00 · d291a35754
commit d291a35754
parent 5cc8b4c301
4 changed files with 211 additions and 2 deletions
--- a/pkg/harvester/components/settings/cluster-pod-security-standard.vue
+++ b/pkg/harvester/components/settings/cluster-pod-security-standard.vue
@ -0,0 +1,196 @@
+<script>
+import { RadioGroup } from '@components/Form/Radio';
+import LabeledSelect from '@shell/components/form/LabeledSelect';
+import { NAMESPACE } from '@shell/config/types';
+import CreateEditView from '@shell/mixins/create-edit-view';
+
+export default {
+  name: 'HarvesterClusterPodSecurityStandard',
+
+  components: {
+    RadioGroup,
+    LabeledSelect,
+  },
+
+  mixins: [CreateEditView],
+
+  props: {
+    value: {
+      type:    Object,
+      default: () => ({}),
+    },
+  },
+
+  async fetch() {
+    const inStore = this.$store.getters['currentProduct'].inStore;
+
+    await this.$store.dispatch(`${ inStore }/findAll`, { type: NAMESPACE });
+  },
+
+  data() {
+    let enabled = false;
+    let whitelistedNamespaces = [];
+    let privilegedNamespaces = [];
+    let restrictedNamespaces = [];
+
+    try {
+      const parsed = JSON.parse(this.value.value || this.value.default || '{}');
+
+      enabled = !!parsed.enabled;
+      whitelistedNamespaces = parsed.whitelistedNamespacesList ? parsed.whitelistedNamespacesList.split(',') : [];
+      privilegedNamespaces = parsed.privilegedNamespacesList ? parsed.privilegedNamespacesList.split(',') : [];
+      restrictedNamespaces = parsed.restrictedNamespacesList ? parsed.restrictedNamespacesList.split(',') : [];
+    } catch (e) {
+      enabled = false;
+      whitelistedNamespaces = [];
+      privilegedNamespaces = [];
+      restrictedNamespaces = [];
+    }
+
+    return {
+      enabled,
+      whitelistedNamespaces,
+      privilegedNamespaces,
+      restrictedNamespaces,
+    };
+  },
+
+  computed: {
+    enabledOptions() {
+      return [
+        { label: this.t('generic.enabled'), value: true },
+        { label: this.t('generic.disabled'), value: false },
+      ];
+    },
+
+    allNamespaces() {
+      const inStore = this.$store.getters['currentProduct'].inStore;
+
+      return this.$store.getters[`${ inStore }/all`](NAMESPACE).filter((ns) => !ns.isSystem).map((ns) => ns.id);
+    },
+
+    whitelistedOptions() {
+      const excluded = new Set([...this.privilegedNamespaces, ...this.restrictedNamespaces]);
+
+      return this.allNamespaces.filter((ns) => !excluded.has(ns));
+    },
+
+    privilegedOptions() {
+      const excluded = new Set([...this.whitelistedNamespaces, ...this.restrictedNamespaces]);
+
+      return this.allNamespaces.filter((ns) => !excluded.has(ns));
+    },
+
+    restrictedOptions() {
+      const excluded = new Set([...this.whitelistedNamespaces, ...this.privilegedNamespaces]);
+
+      return this.allNamespaces.filter((ns) => !excluded.has(ns));
+    },
+  },
+
+  methods: {
+    useDefault() {
+      try {
+        const parsed = JSON.parse(this.value.default || '{}');
+
+        this.enabled = !!parsed.enabled;
+        this.whitelistedNamespaces = parsed.whitelistedNamespacesList ? parsed.whitelistedNamespacesList.split(',') : [];
+        this.privilegedNamespaces = parsed.privilegedNamespacesList ? parsed.privilegedNamespacesList.split(',') : [];
+        this.restrictedNamespaces = parsed.restrictedNamespacesList ? parsed.restrictedNamespacesList.split(',') : [];
+      } catch (e) {
+        this.enabled = false;
+        this.whitelistedNamespaces = [];
+        this.privilegedNamespaces = [];
+        this.restrictedNamespaces = [];
+      }
+      this.save();
+    },
+
+    onUpdateEnabled() {
+      if (!this.enabled) {
+        this.whitelistedNamespaces = [];
+        this.privilegedNamespaces = [];
+        this.restrictedNamespaces = [];
+      }
+      this.save();
+    },
+
+    updateWhitelisted(selected) {
+      this.whitelistedNamespaces = selected;
+      this.save();
+    },
+
+    updatePrivileged(selected) {
+      this.privilegedNamespaces = selected;
+      this.save();
+    },
+
+    updateRestricted(selected) {
+      this.restrictedNamespaces = selected;
+      this.save();
+    },
+
+    save() {
+      this.value.value = JSON.stringify({
+        enabled:                   this.enabled,
+        whitelistedNamespacesList: this.whitelistedNamespaces.join(','),
+        privilegedNamespacesList:  this.privilegedNamespaces.join(','),
+        restrictedNamespacesList:  this.restrictedNamespaces.join(','),
+      });
+    },
+  },
+};
+</script>
+
+<template>
+  <div>
+    <div class="row mb-20">
+      <div class="col span-6">
+        <RadioGroup
+          v-model:value="enabled"
+          name="enabled"
+          :options="enabledOptions"
+          @update:value="onUpdateEnabled"
+        />
+      </div>
+    </div>
+    <template v-if="enabled">
+      <div class="row mb-20">
+        <div class="col span-12">
+          <LabeledSelect
+            v-model:value="whitelistedNamespaces"
+            :label="t('harvester.setting.clusterPodSecurityStandard.whitelistedNamespaces.label')"
+            :options="whitelistedOptions"
+            :multiple="true"
+            :mode="mode"
+            @update:value="updateWhitelisted"
+          />
+        </div>
+      </div>
+      <div class="row mb-20">
+        <div class="col span-12">
+          <LabeledSelect
+            v-model:value="privilegedNamespaces"
+            :label="t('harvester.setting.clusterPodSecurityStandard.privilegedNamespaces.label')"
+            :options="privilegedOptions"
+            :multiple="true"
+            :mode="mode"
+            @update:value="updatePrivileged"
+          />
+        </div>
+      </div>
+      <div class="row mb-20">
+        <div class="col span-12">
+          <LabeledSelect
+            v-model:value="restrictedNamespaces"
+            :label="t('harvester.setting.clusterPodSecurityStandard.restrictedNamespaces.label')"
+            :options="restrictedOptions"
+            :multiple="true"
+            :mode="mode"
+            @update:value="updateRestricted"
+          />
+        </div>
+      </div>
+    </template>
+  </div>
+</template>
--- a/pkg/harvester/config/feature-flags.js
+++ b/pkg/harvester/config/feature-flags.js
@ -65,7 +65,8 @@ const FEATURE_FLAGS = {
    'vGPUAsPCIDevice',
    'instanceManagerResourcesSetting',
    'rwxNetworkSetting',
-    'createPVCWithDataVolume'
+    'createPVCWithDataVolume',
+    'clusterPodSecurityStandardSetting'
  ],
  'v1.8.1': [],
  'v1.9.0': [],
--- a/pkg/harvester/config/settings.ts
+++ b/pkg/harvester/config/settings.ts
@ -41,7 +41,8 @@ export const HCI_SETTING = {
  RANCHER_CLUSTER:                        'rancher-cluster',
  MAX_HOTPLUG_RATIO:                      'max-hotplug-ratio',
  KUBEVIRT_MIGRATION:                     'kubevirt-migration',
-  INSTANCE_MANAGER_RESOURCES:             'instance-manager-resources'
+  INSTANCE_MANAGER_RESOURCES:             'instance-manager-resources',
+  CLUSTER_POD_SECURITY_STANDARD:          'cluster-pod-security-standard'
 };

 export const HCI_ALLOWED_SETTINGS = {
@ -130,6 +131,9 @@ export const HCI_ALLOWED_SETTINGS = {
  },
  [HCI_SETTING.INSTANCE_MANAGER_RESOURCES]: {
    kind: 'json', from: 'import', featureFlag: 'instanceManagerResourcesSetting'
+  },
+  [HCI_SETTING.CLUSTER_POD_SECURITY_STANDARD]: {
+    kind: 'json', from: 'import', canReset: true, featureFlag: 'clusterPodSecurityStandardSetting'
  }
 };

--- a/pkg/harvester/l10n/en-us.yaml
+++ b/pkg/harvester/l10n/en-us.yaml
@ -1286,6 +1286,13 @@ harvester:
    rancherCluster:
      kubeConfig: Rancher KubeConfig
      removeUpstreamClusterWhenNamespaceIsDeleted: Remove Upstream Cluster When Namespace Is Deleted
+    clusterPodSecurityStandard:
+      whitelistedNamespaces:
+        label: 'Whitelisted Namespaces'
+      privilegedNamespaces:
+        label: 'Privileged Namespaces'
+      restrictedNamespaces:
+        label: 'Restricted Namespaces'
    storageNetwork:
      range:
        placeholder: e.g. 172.16.0.0/24
@ -2043,6 +2050,7 @@ advancedSettings:
    'harv-max-hotplug-ratio': 'The ratio for kubevirt to limit the maximum CPU and memory that can be hotplugged to a VM. The value could be an integer between 1 and 20, default to 4.'
    'harv-kubevirt-migration': 'Configure cluster-wide KubeVirt live migration parameters.'
    'harv-instance-manager-resources': 'Configure resource percentage reservations for Longhorn instance manager V1 and V2. Valid instance manager CPU range between 0 - 40.'
+    'harv-cluster-pod-security-standard': 'Enforce Kubernetes Pod Security Standards (PSS) at the cluster level.'

 typeLabel:
  kubevirt.io.virtualmachine: |-