Add the option to enable default Pod Security Configuration (#9017)

* Add the option to enable default Pod Security Configuration

Enable Pod Security in all namespaces by default with the option to
exempt some namespaces. Without the change only namespaces explicitly
configured will receive the admission plugin treatment.

* Fix the PR according to code review comments

* Revert the latest changes

- leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file
- don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration
This commit is contained in:
Tomas Zvala 2022-08-18 10:16:36 +02:00 committed by GitHub
parent 175cdba9b1
commit 30c77ea4c1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 35 additions and 1 deletions

View file

@ -89,6 +89,11 @@ kubelet_seccomp_default: true
# additional configurations # additional configurations
kube_owner: root kube_owner: root
kube_cert_group: root kube_cert_group: root
# create a default Pod Security Configuration and deny running of insecure pods
# kube_system namespace is exempted by default
kube_pod_security_use_default: true
kube_pod_security_default_enforce: restricted
``` ```
Let's take a deep look to the resultant **kubernetes** configuration: Let's take a deep look to the resultant **kubernetes** configuration:

View file

@ -104,6 +104,18 @@ kube_apiserver_admission_control_config_file: false
# cache_size: <cache_size_value> # cache_size: <cache_size_value>
kube_apiserver_admission_event_rate_limits: {} kube_apiserver_admission_event_rate_limits: {}
kube_pod_security_use_default: false
kube_pod_security_default_enforce: baseline
kube_pod_security_default_enforce_version: latest
kube_pod_security_default_audit: restricted
kube_pod_security_default_audit_version: latest
kube_pod_security_default_warn: restricted
kube_pod_security_default_warn_version: latest
kube_pod_security_exemptions_usernames: []
kube_pod_security_exemptions_runtime_class_names: []
kube_pod_security_exemptions_namespaces:
- kube-system
# 1.10+ list of disabled admission plugins # 1.10+ list of disabled admission plugins
kube_apiserver_disable_admission_plugins: [] kube_apiserver_disable_admission_plugins: []

View file

@ -0,0 +1,17 @@
{% if kube_pod_security_use_default %}
apiVersion: pod-security.admission.config.k8s.io/v1beta1
kind: PodSecurityConfiguration
defaults:
enforce: "{{ kube_pod_security_default_enforce }}"
enforce-version: "{{ kube_pod_security_default_enforce_version }}"
audit: "{{ kube_pod_security_default_audit }}"
audit-version: "{{ kube_pod_security_default_audit_version }}"
warn: "{{ kube_pod_security_default_warn }}"
warn-version: "{{ kube_pod_security_default_warn_version }}"
exemptions:
usernames: {{ kube_pod_security_exemptions_usernames|to_json }}
runtimeClasses: {{ kube_pod_security_exemptions_runtime_class_names|to_json }}
namespaces: {{ kube_pod_security_exemptions_namespaces|to_json }}
{% else %}
# This file is intentinally left empty as kube_pod_security_use_default={{ kube_pod_security_use_default }}
{% endif %}

View file

@ -1,3 +1,3 @@
--- ---
# list of admission plugins that needs to be configured # list of admission plugins that needs to be configured
kube_apiserver_admission_plugins_needs_configuration: [EventRateLimit] kube_apiserver_admission_plugins_needs_configuration: [EventRateLimit, PodSecurity]