Browse Source
Add the option to enable default Pod Security Configuration (#9017 )
* Add the option to enable default Pod Security Configuration
Enable Pod Security in all namespaces by default with the option to
exempt some namespaces. Without the change only namespaces explicitly
configured will receive the admission plugin treatment.
* Fix the PR according to code review comments
* Revert the latest changes
- leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file
- don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration
pull/9191/head
Tomas Zvala
2 years ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with
35 additions and
1 deletions
docs/hardening.md
roles/kubernetes/control-plane/defaults/main/main.yml
roles/kubernetes/control-plane/templates/podsecurity.yaml.j2
roles/kubernetes/control-plane/vars/main.yaml
@ -89,6 +89,11 @@ kubelet_seccomp_default: true
# additional configurations
kube_owner: root
kube_cert_group: root
# create a default Pod Security Configuration and deny running of insecure pods
# kube_system namespace is exempted by default
kube_pod_security_use_default: true
kube_pod_security_default_enforce: restricted
```
Let's take a deep look to the resultant **kubernetes** configuration:
@ -104,6 +104,18 @@ kube_apiserver_admission_control_config_file: false
# cache_size: <cache_size_value>
kube_apiserver_admission_event_rate_limits : {}
kube_pod_security_use_default : false
kube_pod_security_default_enforce : baseline
kube_pod_security_default_enforce_version : latest
kube_pod_security_default_audit : restricted
kube_pod_security_default_audit_version : latest
kube_pod_security_default_warn : restricted
kube_pod_security_default_warn_version : latest
kube_pod_security_exemptions_usernames : [ ]
kube_pod_security_exemptions_runtime_class_names : [ ]
kube_pod_security_exemptions_namespaces:
- kube-system
# 1.10+ list of disabled admission plugins
kube_apiserver_disable_admission_plugins : [ ]
@ -0,0 +1,17 @@
{% if kube_pod_security_use_default %}
apiVersion: pod-security.admission.config.k8s.io/v1beta1
kind: PodSecurityConfiguration
defaults:
enforce: "{{ kube_pod_security_default_enforce }}"
enforce-version: "{{ kube_pod_security_default_enforce_version }}"
audit: "{{ kube_pod_security_default_audit }}"
audit-version: "{{ kube_pod_security_default_audit_version }}"
warn: "{{ kube_pod_security_default_warn }}"
warn-version: "{{ kube_pod_security_default_warn_version }}"
exemptions:
usernames: {{ kube_pod_security_exemptions_usernames|to_json }}
runtimeClasses: {{ kube_pod_security_exemptions_runtime_class_names|to_json }}
namespaces: {{ kube_pod_security_exemptions_namespaces|to_json }}
{% else %}
# This file is intentinally left empty as kube_pod_security_use_default={{ kube_pod_security_use_default }}
{% endif %}
@ -1,3 +1,3 @@
---
# list of admission plugins that needs to be configured
kube_apiserver_admission_plugins_needs_configuration : [ EventRateLimit]
kube_apiserver_admission_plugins_needs_configuration : [ EventRateLimit, PodSecurity ]