From 3ce5458f32f19a31278d2fbc0e4049c7f674401c Mon Sep 17 00:00:00 2001
From: Alessio Greggi
Date: Tue, 19 Jul 2022 09:50:07 +0200
Subject: [PATCH] hardening: Add `SeccompDefault` admission plugin for kubelet (#9074)

* docs(hardening): add SeccompDefault admission plugin to kubelet feature gates
* fix(kubelet-config): enable config through kubelet_feature_gates
* feat(kubelet): add kubelet_seccomp_default variable
---
 docs/hardening.md | 3 ++-
 .../node/templates/kubelet-config.v1beta1.yaml.j2 | 7 +++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/docs/hardening.md b/docs/hardening.md
index 180979ed6..510f7cf12 100644
--- a/docs/hardening.md
+++ b/docs/hardening.md
@@ -83,7 +83,8 @@ kubelet_event_record_qps: 1
 kubelet_rotate_certificates: true
 kubelet_streaming_connection_idle_timeout: "5m"
 kubelet_make_iptables_util_chains: true
-kubelet_feature_gates: ["RotateKubeletServerCertificate=true"]
+kubelet_feature_gates: ["RotateKubeletServerCertificate=true","SeccompDefault=true"]
+kubelet_seccomp_default: true
 
 # additional configurations
 kube_owner: root
diff --git a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2 b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
index a010fbe0e..341f3398a 100644
--- a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
+++ b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
@@ -116,9 +116,9 @@ resolvConf: "{{ kube_resolv_conf }}"
 {% if inventory_hostname in groups['kube_node'] and kubelet_node_config_extra_args %}
 {{ kubelet_node_config_extra_args | to_nice_yaml(indent=2) }}
 {% endif %}
-{% if kube_feature_gates %}
+{% if kubelet_feature_gates or kube_feature_gates %}
 featureGates:
-{% for feature in kube_feature_gates %}
+{% for feature in (kubelet_feature_gates | default(kube_feature_gates, true)) %}
 {{ feature|replace("=", ": ") }}
 {% endfor %}
 {% endif %}
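Review bot: In the rewritten `featureGates` block a non-empty `kubelet_feature_gates` replaces `kube_feature_gates` wholesale rather than extending it, so cluster-wide gates configured through `kube_feature_gates` silently stop reaching the kubelet as soon as the hardening list from docs/hardening.md is used. If that override is intended, state it in the template, e.g. `{# kubelet_feature_gates, when non-empty, replaces (does not extend) kube_feature_gates on the kubelet #}`; if a merge is intended, iterate over `(kube_feature_gates | default([])) + (kubelet_feature_gates | default([]))` and keep the `if` condition in step with it, bearing in mind that a gate listed in both lists yields a duplicate YAML key where the later value wins on most loaders. Whether `kubelet_feature_gates` has a role default is not visible here; if it does not, the plain `or` test on an undefined name may fail under Ansible's strict undefined handling, so `kubelet_feature_gates | default([])` is the safer form in the condition as well.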
@@ -146,3 +146,6 @@ streamingConnectionIdleTimeout: {{ kubelet_streaming_connection_idle_timeout }}
 {% if kubelet_make_iptables_util_chains is defined %}
 makeIPTablesUtilChains: {{ kubelet_make_iptables_util_chains | bool }}
 {% endif %}
+{% if kubelet_seccomp_default is defined %}
+seccompDefault: {{ kubelet_seccomp_default | bool }}
+{% endif %}
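Review bot: `seccompDefault` is only honoured by the kubelet when the `SeccompDefault` feature gate is enabled, and on releases where that gate is off by default the new block writes a field the kubelet ignores; the template does not tie the two settings together, so a user who sets `kubelet_seccomp_default: true` without the gate in `kubelet_feature_gates` gets no default RuntimeDefault profile and no error. A comment above the new `{% if %}` would make the dependency visible, e.g. `{# honoured only when the SeccompDefault feature gate is enabled (see kubelet_feature_gates) #}`, and a precheck assertion in the role that rejects `kubelet_seccomp_default: true` without the matching gate would surface the mismatch at deploy time instead of leaving the hardening silently inactive.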