Merge branch 'psa-check-labels-map' into 'master'

Before adding PSA labels to namespace, initialize labels map if nil See merge request nvidia/kubernetes/gpu-operator!614
parallelo · Jan 11, 2023 · a438e00 · a438e00
2 parents f7b23cf + 1bce7a8
commit a438e00
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/controllers/state_manager.go b/controllers/state_manager.go
@@ -580,6 +580,13 @@ func (n *ClusterPolicyController) setPodSecurityLabelsForNamespace() error {
 
 	patch := client.MergeFrom(ns.DeepCopy())
 	modified := false
+	// On K8s<1.21, namespaces are not automatically labeled with an immutable label. Initialize
+	// a labels map if needed before adding PSA labels.
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#automatic-labelling
+	if ns.ObjectMeta.Labels == nil {
+		ns.ObjectMeta.Labels = make(map[string]string)
+		modified = true
+	}
 	for _, mode := range podSecurityModes {
 		key := podSecurityLabelPrefix + mode
 		if val, ok := ns.ObjectMeta.Labels[key]; !ok || (val != podSecurityLevelPrivileged) {