diff --git a/docs/hardening.md b/docs/hardening.md index 9a7f3d841..b3359b74b 100644 --- a/docs/hardening.md +++ b/docs/hardening.md @@ -41,7 +41,18 @@ kube_encrypt_secret_data: true kube_encryption_resources: [secrets] kube_encryption_algorithm: "secretbox" -kube_apiserver_enable_admission_plugins: ['EventRateLimit,AlwaysPullImages,ServiceAccount,NamespaceLifecycle,NodeRestriction,LimitRanger,ResourceQuota,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,PodNodeSelector,PodSecurity'] +kube_apiserver_enable_admission_plugins: + - EventRateLimit + - AlwaysPullImages + - ServiceAccount + - NamespaceLifecycle + - NodeRestriction + - LimitRanger + - ResourceQuota + - MutatingAdmissionWebhook + - ValidatingAdmissionWebhook + - PodNodeSelector + - PodSecurity kube_apiserver_admission_control_config_file: true # EventRateLimit plugin configuration kube_apiserver_admission_event_rate_limits: diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml index 5f8c78445..d9f7304ef 100644 --- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml +++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml @@ -106,7 +106,7 @@ when: - kube_apiserver_admission_control_config_file - item in kube_apiserver_admission_plugins_needs_configuration - loop: "{{ kube_apiserver_enable_admission_plugins[0].split(',') }}" + loop: "{{ kube_apiserver_enable_admission_plugins }}" - name: kubeadm | Check if apiserver.crt contains all needed SANs shell: | diff --git a/roles/kubernetes/control-plane/templates/admission-controls.yaml.j2 b/roles/kubernetes/control-plane/templates/admission-controls.yaml.j2 index 0bb4517c2..34f5f188c 100644 --- a/roles/kubernetes/control-plane/templates/admission-controls.yaml.j2 +++ b/roles/kubernetes/control-plane/templates/admission-controls.yaml.j2 @@ -1,7 +1,7 @@ apiVersion: apiserver.config.k8s.io/v1 kind: AdmissionConfiguration plugins: -{% for plugin in kube_apiserver_enable_admission_plugins[0].split(',') %} +{% for plugin in kube_apiserver_enable_admission_plugins %} {% if plugin in kube_apiserver_admission_plugins_needs_configuration %} - name: {{ plugin }} path: {{ kube_config_dir }}/{{ plugin|lower }}.yaml diff --git a/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml index b7f9b2570..242d6def9 100644 --- a/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml +++ b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml @@ -305,3 +305,11 @@ when: - kube_external_ca_mode - not ignore_assert_errors + +- name: Stop if using deprecated comma separated list for admission plugins + assert: + that: "',' not in kube_apiserver_enable_admission_plugins[0]" + msg: "Comma-separated list for kube_apiserver_enable_admission_plugins is now deprecated, use separate list items for each plugin." + when: + - kube_apiserver_enable_admission_plugins is defined + - kube_apiserver_enable_admission_plugins | length > 0 diff --git a/tests/files/packet_ubuntu20-calico-aio-hardening.yml b/tests/files/packet_ubuntu20-calico-aio-hardening.yml index c013f7954..76340d873 100644 --- a/tests/files/packet_ubuntu20-calico-aio-hardening.yml +++ b/tests/files/packet_ubuntu20-calico-aio-hardening.yml @@ -36,7 +36,18 @@ kube_encrypt_secret_data: true kube_encryption_resources: [secrets] kube_encryption_algorithm: "secretbox" -kube_apiserver_enable_admission_plugins: ['EventRateLimit,AlwaysPullImages,ServiceAccount,NamespaceLifecycle,NodeRestriction,LimitRanger,ResourceQuota,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,PodNodeSelector,PodSecurity'] +kube_apiserver_enable_admission_plugins: + - EventRateLimit + - AlwaysPullImages + - ServiceAccount + - NamespaceLifecycle + - NodeRestriction + - LimitRanger + - ResourceQuota + - MutatingAdmissionWebhook + - ValidatingAdmissionWebhook + - PodNodeSelector + - PodSecurity kube_apiserver_admission_control_config_file: true # EventRateLimit plugin configuration kube_apiserver_admission_event_rate_limits: