From 9fef436ce414236750acdf4ad51c84d4c9bc9470 Mon Sep 17 00:00:00 2001 From: phuhung273 Date: Tue, 15 Oct 2024 18:56:55 +0700 Subject: [PATCH] Chart add PSA doc --- charts/ingress-nginx/README.md | 20 ++++++++++++++++++++ charts/ingress-nginx/README.md.gotmpl | 20 ++++++++++++++++++++ 2 files changed, 40 insertions(+) diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index b902c1b23..659c7c5eb 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -229,6 +229,26 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13 As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered. +### Pod Security Admission + +You can use PSA by applying label to `ingress-nginx` namespace as instructed by [Pod Security Admission](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/) + +For now, highest level can be enforced is `baseline` + +Example: + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + labels: + pod-security.kubernetes.io/enforce: baseline + pod-security.kubernetes.io/enforce-version: v1.31 + kubernetes.io/metadata.name: ingress-nginx + name: ingress-nginx + name: ingress-nginx +``` + ## Values | Key | Type | Default | Description | diff --git a/charts/ingress-nginx/README.md.gotmpl b/charts/ingress-nginx/README.md.gotmpl index 17b029bbf..06d7992ff 100644 --- a/charts/ingress-nginx/README.md.gotmpl +++ b/charts/ingress-nginx/README.md.gotmpl 
@@ -226,4 +226,24 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13 As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered. +### Pod Security Admission + +You can use PSA by applying label to `ingress-nginx` namespace as instructed by [Pod Security Admission](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/) + +For now, highest level can be enforced is `baseline` + +Example: + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + labels: + pod-security.kubernetes.io/enforce: baseline + pod-security.kubernetes.io/enforce-version: v1.31 + kubernetes.io/metadata.name: ingress-nginx + name: ingress-nginx + name: ingress-nginx +``` + {{ template "chart.valuesSection" . }}
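Review bot: In the `charts/ingress-nginx/README.md` hunk, the added sentence "For now, highest level can be enforced is `baseline`" gives no reason, so a reader cannot tell which setting fails the `restricted` checks or when the statement stops being true. Name the part of the chart's pod spec that prevents `restricted`, and consider showing `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` next to the enforce label so operators can see the remaining violations without blocking pods. Wording in the same paragraph: "applying labels to the `ingress-nginx` namespace" and "the highest level that can be enforced is `baseline`", each with a closing period.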
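Review bot: In the YAML example of the `charts/ingress-nginx/README.md.gotmpl` hunk, `pod-security.kubernetes.io/enforce-version: v1.31` pins the policy to one Kubernetes minor version without saying so; add a sentence that it should match the cluster's version (or that `latest` is accepted), otherwise the example will be copied as-is onto older and newer clusters. The block also carries `kubernetes.io/metadata.name: ingress-nginx`, which the API server sets on every namespace by itself, and `name: ingress-nginx` appears on two consecutive lines at the end; the example only needs the two `pod-security.kubernetes.io/*` labels and the namespace name. The README.md hunk contains the same example, so any change has to land in both files.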