Provide support for Pod Security Admission (PSA) in GitLab Runner charts
Proposal
GitLab-runner (and presumably GitLab) charts do not provide support for Kubernetes Pod Security Admission (PSA) (that I can find documented).
This is a request to provide and document support for the use of PSA, primarily with GitLab-runner charts but could/should extend to GitLab itself.
The original request includes:
- Ability to set the Pod Security Admission baseline on the gitlab-runner namespace, for example:
  kubectl label --overwrite ns gitlab-runner pod-security.kubernetes.io/enforce=baseline pod-security.kubernetes.io/enforce-version=v1.29
- Understanding how to determine/address any baseline rules which are violated, e.g. in response to:
  Warning: existing pods in namespace "gitlab-runner" violate the new PodSecurity enforce level "baseline:v1.29"
  Warning: runner-pkb2w-ek-project-117-concurrent-0-3ue795cp (and 4 other pods): privileged
  namespace/gitlab-runner labeled
- Allow exceptions to baseline rules
It is not clear which aspects of PSA support would need to be provided for, nor what would need to be included in our charts, so creating this issue as a discussion point.
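As an added illustration of the second point (working out which baseline controls a runner job pod trips), here is a small Python checker. It is example code, not part of the GitLab Runner charts, and it implements only a subset of the Kubernetes Pod Security Standards "baseline" controls (host namespaces, privileged, added capabilities, hostPath, hostPort, procMount, seccomp); the API server's PodSecurity admission plugin remains the authority. The two pod manifests and their names and images are constructed; the warning line it parses is the one quoted above.

```python
import re

# Capabilities the baseline policy permits a container to add
# (Kubernetes Pod Security Standards, "Capabilities" control).
BASELINE_ALLOWED_CAPS = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
})


def _containers(spec):
    """All container kinds PodSecurity inspects: init, regular and ephemeral."""
    return ((spec.get("initContainers") or []) + (spec.get("containers") or [])
            + (spec.get("ephemeralContainers") or []))


def baseline_violations(pod):
    """Return the list of baseline controls a pod manifest (dict) violates.

    Subset only: host namespaces, hostPath, privileged, capabilities, hostPort,
    procMount and seccomp. An empty list means none of these controls fired.
    """
    spec = pod["spec"]
    found = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            found.append(f"host namespaces: spec.{field}=true")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            found.append(f"hostPath volumes: volume {vol.get('name')!r}")
    pod_sc = spec.get("securityContext") or {}
    if (pod_sc.get("seccompProfile") or {}).get("type") == "Unconfined":
        found.append("seccomp: pod securityContext.seccompProfile.type=Unconfined")
    for c in _containers(spec):
        name = c.get("name")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            found.append(f"privileged: container {name!r}")
        added = set((sc.get("capabilities") or {}).get("add") or [])
        extra = sorted(added - BASELINE_ALLOWED_CAPS)
        if extra:
            found.append(f"non-default capabilities: container {name!r} adds {extra}")
        for port in c.get("ports") or []:
            if port.get("hostPort"):
                found.append(f"hostPort: container {name!r} hostPort={port['hostPort']}")
        if sc.get("procMount") not in (None, "Default"):
            found.append(f"procMount: container {name!r} procMount={sc['procMount']}")
        if (sc.get("seccompProfile") or {}).get("type") == "Unconfined":
            found.append(f"seccomp: container {name!r} seccompProfile.type=Unconfined")
    return found


# kubectl prints one per-pod line per offending pod (or group of pods):
#   Warning: <pod> [(and N other pods)]: <control>[, <control>...]
WARNING_RE = re.compile(r"^Warning: (\S+)(?: \(and (\d+) other pods?\))?: (.+)$")


def parse_psa_warning(line):
    """Split a per-pod PodSecurity warning into (pod, other_pod_count, [controls]).

    Returns None for lines that are not per-pod warnings, such as the summary
    line 'existing pods in namespace ... violate the new PodSecurity enforce level'.
    """
    m = WARNING_RE.match(line.strip())
    if not m:
        return None
    pod, others, controls = m.groups()
    return pod, int(others or 0), [c.strip() for c in controls.split(",")]


# Constructed manifests shaped like a runner job pod (build container plus a
# service container); names, images and paths are illustrative.
PRIVILEGED_JOB_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "runner-example-project-1-concurrent-0", "namespace": "gitlab-runner"},
    "spec": {
        "containers": [
            {"name": "build", "image": "example/build-image:latest",
             "securityContext": {"privileged": True}},
            {"name": "svc-0", "image": "docker:dind",
             "securityContext": {"privileged": True}},
        ],
        "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}

BASELINE_JOB_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "runner-example-project-1-concurrent-1", "namespace": "gitlab-runner"},
    "spec": {
        "containers": [
            {"name": "build", "image": "example/build-image:latest",
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "capabilities": {"add": ["NET_BIND_SERVICE"]}}},
        ],
        "volumes": [{"name": "build-cache", "emptyDir": {}}],
    },
}

if __name__ == "__main__":
    print(parse_psa_warning("Warning: runner-pkb2w-ek-project-117-concurrent-0-3ue795cp "
                            "(and 4 other pods): privileged"))
    for pod in (PRIVILEGED_JOB_POD, BASELINE_JOB_POD):
        print(pod["metadata"]["name"], baseline_violations(pod) or "ok")
```

Two practical notes on the first and third points. The Kubernetes migration guidance is to set the `pod-security.kubernetes.io/warn` and `pod-security.kubernetes.io/audit` labels to `baseline` before `enforce`, and `kubectl label --dry-run=server` on the namespace reports the same violation warnings without changing anything. Exceptions to a level are not expressed per pod: they are either a different level on a different namespace (for example a separate namespace labelled `privileged` for jobs that genuinely need Docker-in-Docker), or exemptions by username, RuntimeClass or namespace in the PodSecurity section of the API server's AdmissionConfiguration, which is cluster-operator configuration rather than something a chart can set.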