Add the option to enable default Pod Security Configuration (#9017)
* Add the option to enable default Pod Security Configuration: enable Pod Security in all namespaces by default, with the option to exempt some namespaces. Without this change, only namespaces that are explicitly configured receive the admission plugin treatment. * Fix the PR according to code review comments * Revert the latest changes: leave the empty file when kube_pod_security_use_default, but add a comment explaining the empty file; don't attempt magic by conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration
This commit is contained in:
parent
175cdba9b1
commit
30c77ea4c1
4 changed files with 35 additions and 1 deletions
|
@ -89,6 +89,11 @@ kubelet_seccomp_default: true
|
||||||
# additional configurations
|
# additional configurations
|
||||||
kube_owner: root
|
kube_owner: root
|
||||||
kube_cert_group: root
|
kube_cert_group: root
|
||||||
|
|
||||||
|
# create a default Pod Security Configuration and deny running of insecure pods
|
||||||
|
# kube_system namespace is exempted by default
|
||||||
|
kube_pod_security_use_default: true
|
||||||
|
kube_pod_security_default_enforce: restricted
|
||||||
```
|
```
|
||||||
|
|
||||||
Let's take a deep look to the resultant **kubernetes** configuration:
|
Let's take a deep look to the resultant **kubernetes** configuration:
|
||||||
|
|
|
@ -104,6 +104,18 @@ kube_apiserver_admission_control_config_file: false
|
||||||
# cache_size: <cache_size_value>
|
# cache_size: <cache_size_value>
|
||||||
kube_apiserver_admission_event_rate_limits: {}
|
kube_apiserver_admission_event_rate_limits: {}
|
||||||
|
|
||||||
|
kube_pod_security_use_default: false
|
||||||
|
kube_pod_security_default_enforce: baseline
|
||||||
|
kube_pod_security_default_enforce_version: latest
|
||||||
|
kube_pod_security_default_audit: restricted
|
||||||
|
kube_pod_security_default_audit_version: latest
|
||||||
|
kube_pod_security_default_warn: restricted
|
||||||
|
kube_pod_security_default_warn_version: latest
|
||||||
|
kube_pod_security_exemptions_usernames: []
|
||||||
|
kube_pod_security_exemptions_runtime_class_names: []
|
||||||
|
kube_pod_security_exemptions_namespaces:
|
||||||
|
- kube-system
|
||||||
|
|
||||||
# 1.10+ list of disabled admission plugins
|
# 1.10+ list of disabled admission plugins
|
||||||
kube_apiserver_disable_admission_plugins: []
|
kube_apiserver_disable_admission_plugins: []
|
||||||
|
|
||||||
|
|
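--- /dev/null
+++ b/roles/kubernetes/control-plane/templates/podsecurity.yaml.j2
@@ -0,0 +1,17 @@
+{% if kube_pod_security_use_default %}
+apiVersion: pod-security.admission.config.k8s.io/v1beta1
+kind: PodSecurityConfiguration
+defaults:
+  enforce: "{{ kube_pod_security_default_enforce }}"
+  enforce-version: "{{ kube_pod_security_default_enforce_version }}"
+  audit: "{{ kube_pod_security_default_audit }}"
+  audit-version: "{{ kube_pod_security_default_audit_version }}"
+  warn: "{{ kube_pod_security_default_warn }}"
+  warn-version: "{{ kube_pod_security_default_warn_version }}"
+exemptions:
+  usernames: {{ kube_pod_security_exemptions_usernames|to_json }}
+  runtimeClasses: {{ kube_pod_security_exemptions_runtime_class_names|to_json }}
+  namespaces: {{ kube_pod_security_exemptions_namespaces|to_json }}
+{% else %}
+# This file is intentinally left empty as kube_pod_security_use_default={{ kube_pod_security_use_default }}
+{% endif %}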
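Review bot: `apiVersion: pod-security.admission.config.k8s.io/v1beta1` is hard-coded, but the PodSecurity configuration API is versioned alongside the apiserver (a `v1` group version exists for newer releases), so either derive it from the cluster version or document the coupling with a comment such as `# v1beta1 is the PodSecurity config API version for the Kubernetes releases this role supports; switch to v1 once the minimum supported version allows it`. The `enforce-version` value defaults to `latest` in the defaults hunk, which means the enforced policy silently tightens on every apiserver upgrade; a comment on that variable recommending a pinned version for production clusters would help operators. In the `{% else %}` branch the comment reads `intentinally`; it should be `intentionally`. It is also worth confirming that kube-apiserver accepts a comment-only file as the PodSecurity plugin configuration, since PodSecurity is still listed in `kube_apiserver_admission_plugins_needs_configuration` when `kube_pod_security_use_default` is false.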
|
@ -1,3 +1,3 @@
|
||||||
---
|
---
|
||||||
# list of admission plugins that needs to be configured
|
# list of admission plugins that needs to be configured
|
||||||
kube_apiserver_admission_plugins_needs_configuration: [EventRateLimit]
|
kube_apiserver_admission_plugins_needs_configuration: [EventRateLimit, PodSecurity]
|
||||||
|
|