From 321b9580e09dac28ef825f68873e57472c26a7a1 Mon Sep 17 00:00:00 2001
From: mjshastha <61929310+mjshastha@users.noreply.github.com>
Date: Mon, 25 Aug 2025 15:30:58 +0530
Subject: [PATCH] feat:Add namespace manifest with PSA for KE required by kube-bench job.
- Introduced aqua namespace manifest with Pod Security Admission set to "privileged"
- Ensures kube-bench job can run with required privileged mounts and host access
- Documented prerequisite step to apply this namespace before running kube-bench
---
 .../kube_enforcer/005_kube_enforcer_ns.yaml | 13 +++++++++++++
 .../manifests/kube_enforcer/README.md | 6 ++++++
 .../005_kube_enforcer_ns.yaml | 13 +++++++++++++
 .../manifests/kube_enforcer_advanced/README.md | 5 +++++
 .../005_kube_enforcer_ns.yaml | 13 +++++++++++++
 .../kube_enforcer_advanced_trivy/README.md | 5 +++++
 .../kube_enforcer_trivy/005_kube_enforcer_ns.yaml | 13 +++++++++++++
 .../manifests/kube_enforcer_trivy/README.md | 6 ++++++
 8 files changed, 74 insertions(+)
 create mode 100644 enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/005_kube_enforcer_ns.yaml
 create mode 100644 enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/005_kube_enforcer_ns.yaml
 create mode 100644 enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/005_kube_enforcer_ns.yaml
 create mode 100644 enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/005_kube_enforcer_ns.yaml
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/005_kube_enforcer_ns.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/005_kube_enforcer_ns.yaml
new file mode 100644
index 000000000..8ea461ec4
--- /dev/null
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/005_kube_enforcer_ns.yaml
@@ -0,0 +1,13 @@
+# Kube-bench
+# Pod Security Admission (PSA) is set to "privileged" so that
+# privileged workloads (which KB requires for mounts and host access)
+# are allowed without being blocked, audited, or warned.
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: aqua
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/warn: privileged
+
\ No newline at end of file
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/README.md b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/README.md
index bebe1f6dd..26a38ac58 100644
--- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/README.md
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/README.md
@@ -50,6 +50,12 @@ You can skip any step in this section, if you have already performed.
 ```
 Note: (Optional) Instead of Aqua Namespace, You can also use your custom Namespace to deploy KubeEnforcer.
+***Note: For KubeEnforcer deployment in Talos environments***
+* Create the aqua namespace with PSA so that kube-bench can run successfully.
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/005_kube_enforcer_ns.yaml
+ ```
+
 **Step 2. Create a docker-registry secret (if not already done).**
 ```shell
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/005_kube_enforcer_ns.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/005_kube_enforcer_ns.yaml
new file mode 100644
index 000000000..8ea461ec4
--- /dev/null
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/005_kube_enforcer_ns.yaml
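Review bot: Labelling the whole `aqua` Namespace `pod-security.kubernetes.io/enforce: privileged` exempts every pod in that namespace from Pod Security Admission, not only the kube-bench job the `# Kube-bench` header names; KubeEnforcer and anything else deployed into `aqua` can then be admitted as privileged with no admission check at all. If the job is the only workload that needs this, a dedicated namespace for it (or a namespace exemption in the cluster's PodSecurity admission configuration) keeps the rest of the deployment under the cluster's default level. At minimum the comment should state the real scope, e.g. `# NOTE: these labels disable PSA for every pod in the aqua namespace, not just kube-bench.` The README step that applies this file sits under a "Talos environments" heading, but nothing in the manifest is Talos-specific, so the comment should also say which environments are expected to need it.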
@@ -0,0 +1,13 @@
+# Kube-bench
+# Pod Security Admission (PSA) is set to "privileged" so that
+# privileged workloads (which KB requires for mounts and host access)
+# are allowed without being blocked, audited, or warned.
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: aqua
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/warn: privileged
+
\ No newline at end of file
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/README.md b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/README.md
index 4b2e5106a..5a9617eb6 100644
--- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/README.md
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/README.md
@@ -52,6 +52,11 @@ You can skip any step in this section, if you have already performed.
 ```
 Note: (Optional) Instead of Aqua Namespace, You can also use your custom Namespace to deploy KubeEnforcer.
+***Note: For KubeEnforcer deployment in Talos environments***
+* Create the aqua namespace with PSA so that kube-bench can run successfully.
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/005_kube_enforcer_ns.yaml
+ ```
 **Step 2. Create a docker-registry secret (if not already done).**
 ```shell
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/005_kube_enforcer_ns.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/005_kube_enforcer_ns.yaml
new file mode 100644
index 000000000..8ea461ec4
--- /dev/null
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/005_kube_enforcer_ns.yaml
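Review bot: The Namespace name is hard-coded at `name: aqua`, yet the README context line directly above the new note says a custom namespace may be used instead; for such a user this manifest creates a second, unused `aqua` namespace while the PSA labels never reach the namespace kube-bench actually runs in, so the job would presumably still be rejected there. A comment in the manifest would save that debugging, e.g. `# Deploying into a custom namespace? Put these three labels on that namespace instead (kubectl label ns <ns> pod-security.kubernetes.io/enforce=privileged ...).` Applying this file onto a pre-existing `aqua` namespace merges the labels in, which looks like the intended path when the namespace was already created in the earlier README step, but that is worth stating too. This file is byte-identical to the other three `005_kube_enforcer_ns.yaml` copies in the commit (same blob `8ea461ec4`), so any later tightening of the PSA levels has to be repeated four times.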
@@ -0,0 +1,13 @@
+# Kube-bench
+# Pod Security Admission (PSA) is set to "privileged" so that
+# privileged workloads (which KB requires for mounts and host access)
+# are allowed without being blocked, audited, or warned.
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: aqua
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/warn: privileged
+
\ No newline at end of file
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/README.md b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/README.md
index ca3a174b2..8728a2b1a 100644
--- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/README.md
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/README.md
@@ -52,6 +52,11 @@ You can skip any step in this section, if you have already performed.
 ```
 Note: (Optional) Instead of Aqua Namespace, You can also use your custom Namespace to deploy KubeEnforcer.
+***Note: For KubeEnforcer deployment in Talos environments***
+* Create the aqua namespace with PSA so that kube-bench can run successfully.
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/005_kube_enforcer_ns.yaml
+ ```
 **Step 2. Create a docker-registry secret (if not already done).**
 ```shell
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/005_kube_enforcer_ns.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/005_kube_enforcer_ns.yaml
new file mode 100644
index 000000000..8ea461ec4
--- /dev/null
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/005_kube_enforcer_ns.yaml
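Review bot: The header `# Kube-bench` and the unexplained abbreviation `KB` describe a job, but the resource below is the Namespace that the whole KubeEnforcer deployment in this directory lands in, so a reader skimming the file will not see that the privileged PSA level applies to every pod in it. Suggested header: `# Namespace for KubeEnforcer. PSA is "privileged" at namespace scope because the kube-bench job needs privileged mounts and host access; every other pod in this namespace is exempted from PSA as a side effect.` The file also lacks a `---` document start and ends in a whitespace-only line with no trailing newline (the `\ No newline at end of file` marker follows it), which yamllint will flag; drop the stray line and end the last label line with a newline.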
@@ -0,0 +1,13 @@
+# Kube-bench
+# Pod Security Admission (PSA) is set to "privileged" so that
+# privileged workloads (which KB requires for mounts and host access)
+# are allowed without being blocked, audited, or warned.
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: aqua
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/warn: privileged
+
\ No newline at end of file
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/README.md b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/README.md
index bc7627af3..d47726d59 100644
--- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/README.md
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/README.md
@@ -50,6 +50,12 @@ You can skip any step in this section, if you have already performed.
 ```
 Note: (Optional) Instead of Aqua Namespace, You can also use your custom Namespace to deploy KubeEnforcer.
+***Note: For KubeEnforcer deployment in Talos environments***
+* Create the aqua namespace with PSA so that kube-bench can run successfully.
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/005_kube_enforcer_ns.yaml
+ ```
+
 **Step 2. Create a docker-registry secret (if not already done).**
 ```shell
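Review bot: Only the `enforce` label can reject the kube-bench job; the `pod-security.kubernetes.io/audit: privileged` and `pod-security.kubernetes.io/warn: privileged` lines below it never block a pod, so they serve solely to silence the audit annotation and client warning that would otherwise record a privileged pod being created in `aqua`. Keeping `pod-security.kubernetes.io/enforce: privileged` and setting the other two to `baseline` would still admit the job while leaving the cluster operator a signal in the audit log. If suppressing that signal is deliberate, the comment should say so instead of presenting "blocked, audited, or warned" as one requirement of the job. Whether the cluster's default PSA level is what actually rejects the job is not visible from this manifest and is worth documenting alongside the Talos note in the README.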