
Add the option to enable default Pod Security Configuration (#9017)

* Add the option to enable default Pod Security Configuration

Enable Pod Security in all namespaces by default with the option to
exempt some namespaces. Without the change only namespaces explicitly
configured will receive the admission plugin treatment.

* Fix the PR according to code review comments

* Revert the latest changes

- leave the empty file when kube_pod_security_use_default is not set, but add a comment explaining the empty file
- don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration
pull/9191/head
Tomas Zvala 2 years ago
committed by GitHub
parent
commit
30c77ea4c1
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 35 additions and 1 deletions
  1. 5
      docs/hardening.md
  2. 12
      roles/kubernetes/control-plane/defaults/main/main.yml
  3. 17
      roles/kubernetes/control-plane/templates/podsecurity.yaml.j2
  4. 2
      roles/kubernetes/control-plane/vars/main.yaml

5
docs/hardening.md

@ -89,6 +89,11 @@ kubelet_seccomp_default: true
# additional configurations
kube_owner: root
kube_cert_group: root
# create a default Pod Security Configuration and deny running of insecure pods
# kube_system namespace is exempted by default
kube_pod_security_use_default: true
kube_pod_security_default_enforce: restricted
```
Let's take a deep look to the resultant **kubernetes** configuration:

12
roles/kubernetes/control-plane/defaults/main/main.yml

@ -104,6 +104,18 @@ kube_apiserver_admission_control_config_file: false
# cache_size: <cache_size_value>
kube_apiserver_admission_event_rate_limits: {}
kube_pod_security_use_default: false
kube_pod_security_default_enforce: baseline
kube_pod_security_default_enforce_version: latest
kube_pod_security_default_audit: restricted
kube_pod_security_default_audit_version: latest
kube_pod_security_default_warn: restricted
kube_pod_security_default_warn_version: latest
kube_pod_security_exemptions_usernames: []
kube_pod_security_exemptions_runtime_class_names: []
kube_pod_security_exemptions_namespaces:
- kube-system
# 1.10+ list of disabled admission plugins
kube_apiserver_disable_admission_plugins: []
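Review bot: The new block starting at `kube_pod_security_use_default: false` carries no comments, unlike the `kube_apiserver_admission_event_rate_limits` settings documented just above it; a short comment block stating that these defaults apply to every namespace once `kube_pod_security_use_default` is `true`, that `enforce` is `baseline` while `audit`/`warn` are `restricted`, and that `kube-system` is exempt from the plugin's checks would help operators reason about the resulting posture. That comment is also the place to say that `*_version: latest` follows whichever policy version the running API server ships, so the effective policy can change on a cluster upgrade; operators wanting stable behaviour can set a version string such as `"v1.25"` instead (constructed example). Minor style: `kube_pod_security_exemptions_namespaces` uses a flush block sequence (`- kube-system`) while the neighbouring lists use flow `[]`; the file's sequence indentation should be consistent.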

17
roles/kubernetes/control-plane/templates/podsecurity.yaml.j2

@ -0,0 +1,17 @@
{% if kube_pod_security_use_default %}
apiVersion: pod-security.admission.config.k8s.io/v1beta1
kind: PodSecurityConfiguration
defaults:
enforce: "{{ kube_pod_security_default_enforce }}"
enforce-version: "{{ kube_pod_security_default_enforce_version }}"
audit: "{{ kube_pod_security_default_audit }}"
audit-version: "{{ kube_pod_security_default_audit_version }}"
warn: "{{ kube_pod_security_default_warn }}"
warn-version: "{{ kube_pod_security_default_warn_version }}"
exemptions:
usernames: {{ kube_pod_security_exemptions_usernames|to_json }}
runtimeClasses: {{ kube_pod_security_exemptions_runtime_class_names|to_json }}
namespaces: {{ kube_pod_security_exemptions_namespaces|to_json }}
{% else %}
# This file is intentinally left empty as kube_pod_security_use_default={{ kube_pod_security_use_default }}
{% endif %}
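Review bot: The fallback comment on the last line misspells "intentionally" (`intentinally`), and it is emitted into a file the API server reads; it should read `# This file is intentionally left empty as kube_pod_security_use_default={{ kube_pod_security_use_default }}`. In this rendering the keys under `defaults:` and `exemptions:` appear at the same column as their parents; if the template is really flush, `enforce`, `usernames` and friends become top-level keys and `defaults`/`exemptions` parse as null, so confirm the template indents them by two spaces. Since PodSecurity is now listed unconditionally in `kube_apiserver_admission_plugins_needs_configuration`, the configuration file is presumably still wired into the admission config when the option is off; the comment would be more useful if it also stated what an empty PodSecurityConfiguration means for the plugin, so a reader does not mistake the empty file for a broken render.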

2
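--- a/roles/kubernetes/control-plane/vars/main.yaml
+++ b/roles/kubernetes/control-plane/vars/main.yaml
@@ -1,3 +1,3 @@
 ---
 # list of admission plugins that needs to be configured
-kube_apiserver_admission_plugins_needs_configuration: [EventRateLimit]
+kube_apiserver_admission_plugins_needs_configuration: [EventRateLimit, PodSecurity]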