Make the default security policy baseline given onerous requirements of restricted on workshop creators.

GrahamDumpleton · GrahamDumpleton · commit cd4c37beb83a · 2022-05-06T17:28:37.000+10:00
diff --git a/carvel-package/bundle/config/11-session-manager/01-crds-workshop.yaml b/carvel-package/bundle/config/11-session-manager/01-crds-workshop.yaml
@@ -322,7 +322,7 @@ spec:
                               - nonroot
                               - anyuid
                               - custom
-                              default: restricted
+                              default: baseline
                         secondary:
                           type: array
                           items:
@@ -380,7 +380,7 @@ spec:
                                     - nonroot
                                     - anyuid
                                     - custom
-                                    default: restricted
+                                    default: baseline
                     resources:
                       type: object
                       properties:
diff --git a/session-manager/handlers/workshopsession.py b/session-manager/handlers/workshopsession.py
@@ -523,7 +523,7 @@ def workshop_session_create(name, meta, spec, status, patch, logger, **_):
     budget = "default"
     limits = {}
 
-    namespace_security_policy = "nonroot"
+    namespace_security_policy = "baseline"
 
     security_policy_mapping = {
         "restricted": "restricted",
@@ -536,7 +536,7 @@ def workshop_session_create(name, meta, spec, status, patch, logger, **_):
     }
 
     def resolve_security_policy(name):
-        return security_policy_mapping.get(name, "restricted")
+        return security_policy_mapping.get(name, "baseline")
 
     if workshop_spec.get("session"):
         role = workshop_spec["session"].get("namespaces", {}).get("role", role)
