From 2c41244cfce936790202dda6d275a9a6318a15e7 Mon Sep 17 00:00:00 2001
From: Xun Jiang
Date: Tue, 5 Sep 2023 10:50:20 +0800
Subject: [PATCH] Fix #6752: add namespace exclude check. Add PSA audit and warn labels.
Signed-off-by: Xun Jiang
---
 changelogs/unreleased/6760-blackpiglet | 1 +
 pkg/backup/item_collector.go | 26 ++++----------------------
 pkg/install/resources.go | 4 ++++
 3 files changed, 9 insertions(+), 22 deletions(-)
 create mode 100644 changelogs/unreleased/6760-blackpiglet
diff --git a/changelogs/unreleased/6760-blackpiglet b/changelogs/unreleased/6760-blackpiglet
new file mode 100644
index 00000000000..db9b5a118c9
--- /dev/null
+++ b/changelogs/unreleased/6760-blackpiglet
@@ -0,0 +1 @@
+Fix #6752: add namespace exclude check.
\ No newline at end of file
diff --git a/pkg/backup/item_collector.go b/pkg/backup/item_collector.go
index 5dc6ceacb06..871d386a7d3 100644
--- a/pkg/backup/item_collector.go
+++ b/pkg/backup/item_collector.go
@@ -289,7 +289,7 @@ func (r *itemCollector) getResourceItems(log logrus.FieldLogger, gv schema.Group
 return nil, errors.WithStack(err)
 }
- items := r.backupNamespaces(unstructuredList, namespacesToList, gr, preferredGVR, log)
+ items := r.backupNamespaces(unstructuredList, r.backupRequest.NamespaceIncludesExcludes, gr, preferredGVR, log)
 return items, nil
 }
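Review bot: The `items :=` line now filters Namespace objects by `r.backupRequest.NamespaceIncludesExcludes` while the previously passed `namespacesToList`, computed earlier in getResourceItems outside this hunk, presumably still drives how other namespaced resources are listed; if that list can be derived from anything beyond the same include/exclude filters, the two views may disagree and a namespace's objects could be collected without its Namespace object, so it is worth confirming they share one source of truth. getResourceItems begins and ends outside the hunk. A short comment on the call would make the intent explicit, e.g. `// Namespace objects are filtered directly by the request's include/exclude filters so that excluded namespaces are dropped (#6752).`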
@@ -533,31 +533,13 @@ func (r *itemCollector) listItemsForLabel(unstructuredItems []unstructured.Unstr
 // backupNamespaces process namespace resource according to namespace filters.
 func (r *itemCollector) backupNamespaces(unstructuredList *unstructured.UnstructuredList,
- namespacesToList []string, gr schema.GroupResource, preferredGVR schema.GroupVersionResource,
+ ie *collections.IncludesExcludes, gr schema.GroupResource, preferredGVR schema.GroupVersionResource,
 log logrus.FieldLogger) []*kubernetesResource {
 var items []*kubernetesResource
 for index, unstructured := range unstructuredList.Items {
- found := false
- if len(namespacesToList) == 0 {
- // No namespace found. By far, this condition cannot be triggered. Either way,
- // namespacesToList is not empty.
- log.Debug("Skip namespace resource, because no item found by namespace filters.")
- break
- } else if len(namespacesToList) == 1 && namespacesToList[0] == "" {
- // All namespaces are included.
- log.Debugf("Backup namespace %s due to full cluster backup.", unstructured.GetName())
- found = true
- } else {
- for _, ns := range namespacesToList {
- if unstructured.GetName() == ns {
- log.Debugf("Backup namespace %s due to namespace filters setting.", unstructured.GetName())
- found = true
- break
- }
- }
- }
+ if ie.ShouldInclude(unstructured.GetName()) {
+ log.Debugf("Backup namespace %s due to namespace filters setting.", unstructured.GetName())
- if found {
 path, err := r.writeToFile(&unstructuredList.Items[index])
 if err != nil {
 log.WithError(err).Error("Error writing item to file")
diff --git a/pkg/install/resources.go b/pkg/install/resources.go
index d7014c22c43..6cb10bb0d81 100644
--- a/pkg/install/resources.go
+++ b/pkg/install/resources.go
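Review bot: `ie.ShouldInclude(unstructured.GetName())` dereferences `ie` with no nil guard, whereas the removed code explicitly handled an empty `namespacesToList` by logging and breaking out; if any path builds a backupRequest without `NamespaceIncludesExcludes` populated, this loop now panics instead of skipping. A guard before the loop such as `if ie == nil { log.Debug("Skip namespace resources, because no namespace filters are set."); return items }` would keep the old fail-safe, or the doc comment should state that the field is always non-nil. The doc comment on backupNamespaces should also describe the new parameter, e.g. `// backupNamespaces writes every Namespace object accepted by ie (the backup's namespace include/exclude filters) to file and returns the collected items.` A unit test asserting that a namespace named in the excludes list is not collected would pin the fix for #6752, since that is the behaviour that previously let excluded namespaces into the backup. The function body continues past the end of the hunk.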
@@ -150,6 +150,10 @@ func Namespace(namespace string) *corev1.Namespace {
 ns.Labels["pod-security.kubernetes.io/enforce"] = "privileged"
 ns.Labels["pod-security.kubernetes.io/enforce-version"] = "latest"
+ ns.Labels["pod-security.kubernetes.io/audit"] = "privileged"
+ ns.Labels["pod-security.kubernetes.io/audit-version"] = "latest"
+ ns.Labels["pod-security.kubernetes.io/warn"] = "privileged"
+ ns.Labels["pod-security.kubernetes.io/warn-version"] = "latest"
 return ns
 }
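Review bot: The four added `ns.Labels[...]` lines set the PSA `audit` and `warn` modes to `privileged` without a comment saying why this namespace needs the privileged profile, so a reader of the installed manifest cannot tell whether this is a requirement or an oversight. There is a detection trade-off worth recording: with audit at `privileged` the API server never attaches a `pod-security.kubernetes.io/audit-violations` annotation to audit events for pods in this namespace, so a workload that later drifts to needing elevated privileges leaves no PSA signal, and if only specific components need the profile that should be stated. A comment above the existing `enforce` line such as `// Velero's namespace runs components that require the privileged profile; audit and warn are set to match enforce so the API server does not log or warn on every pod.` would do. Namespace's body starts outside the hunk, so whether ns.Labels is initialized before these writes cannot be seen here, though the existing enforce lines imply it is.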