From d92e0dbea6db14783b8b8c233bdb04b181945706 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Wed, 3 Nov 2021 11:35:20 -0400
Subject: [PATCH] PodSecurity: update webhook manifest to label namespace as restricted
---
 .../webhook/manifests/10-namespace.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/staging/src/k8s.io/pod-security-admission/webhook/manifests/10-namespace.yaml b/staging/src/k8s.io/pod-security-admission/webhook/manifests/10-namespace.yaml
index 5a1d492060c..2b00684b4d2 100644
--- a/staging/src/k8s.io/pod-security-admission/webhook/manifests/10-namespace.yaml
+++ b/staging/src/k8s.io/pod-security-admission/webhook/manifests/10-namespace.yaml
@@ -1,4 +1,8 @@
 apiVersion: v1
 kind: Namespace
 metadata:
- name: pod-security-webhook
\ No newline at end of file
+ name: pod-security-webhook
+ labels:
+ # Even though the validating webhook excludes intercepting this namespace to avoid a circular dependency,
+ # the deployment pod spec is compatible with the restricted level, so mark the namespace as restricted anyway.
+ pod-security.kubernetes.io/enforce: restricted
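Review bot: The new `pod-security.kubernetes.io/enforce: restricted` label has no accompanying `pod-security.kubernetes.io/enforce-version`, so the namespace tracks the `latest` definition of restricted rather than the one the webhook's pod spec was checked against. If a later release tightens the restricted profile and an enforcer other than this webhook is active (for example the built-in PodSecurity admission plugin), the webhook's own pods could be rejected on upgrade. Either pin it with `pod-security.kubernetes.io/enforce-version: <pinned-version>` (placeholder), or extend the comment to say that following `latest` is deliberate. The comment could also name which component enforces the label here, since it states that the webhook itself skips this namespace. The deployment manifest it refers to is outside this hunk, so its compatibility with restricted cannot be confirmed from the diff.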