From 30c77ea4c1205c8e7a9496dcd5cd13e5c1d10940 Mon Sep 17 00:00:00 2001 From: Tomas Zvala Date: Thu, 18 Aug 2022 10:16:36 +0200 Subject: [PATCH] Add the option to enable default Pod Security Configuration (#9017) * Add the option to enable default Pod Security Configuration Enable Pod Security in all namespaces by default with the option to exempt some namespaces. Without the change only namespaces explicitly configured will receive the admission plugin treatment. * Fix the PR according to code review comments * Revert the latest changes - leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file - don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration --- docs/hardening.md | 5 +++++ .../control-plane/defaults/main/main.yml | 12 ++++++++++++ .../control-plane/templates/podsecurity.yaml.j2 | 17 +++++++++++++++++ roles/kubernetes/control-plane/vars/main.yaml | 2 +- 4 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 roles/kubernetes/control-plane/templates/podsecurity.yaml.j2 diff --git a/docs/hardening.md b/docs/hardening.md index 510f7cf12..df757df32 100644 --- a/docs/hardening.md +++ b/docs/hardening.md @@ -89,6 +89,11 @@ kubelet_seccomp_default: true # additional configurations kube_owner: root kube_cert_group: root + +# create a default Pod Security Configuration and deny running of insecure pods +# kube_system namespace is exempted by default +kube_pod_security_use_default: true +kube_pod_security_default_enforce: restricted ``` Let's take a deep look to the resultant **kubernetes** configuration: diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml index c53743207..32cabb91e 100644 --- a/roles/kubernetes/control-plane/defaults/main/main.yml +++ b/roles/kubernetes/control-plane/defaults/main/main.yml @@ -104,6 +104,18 @@ kube_apiserver_admission_control_config_file: false # cache_size: kube_apiserver_admission_event_rate_limits: {} +kube_pod_security_use_default: false +kube_pod_security_default_enforce: baseline +kube_pod_security_default_enforce_version: latest +kube_pod_security_default_audit: restricted +kube_pod_security_default_audit_version: latest +kube_pod_security_default_warn: restricted +kube_pod_security_default_warn_version: latest +kube_pod_security_exemptions_usernames: [] +kube_pod_security_exemptions_runtime_class_names: [] +kube_pod_security_exemptions_namespaces: + - kube-system + # 1.10+ list of disabled admission plugins kube_apiserver_disable_admission_plugins: [] diff --git a/roles/kubernetes/control-plane/templates/podsecurity.yaml.j2 b/roles/kubernetes/control-plane/templates/podsecurity.yaml.j2 new file mode 100644 index 000000000..5d39576ff --- /dev/null +++ b/roles/kubernetes/control-plane/templates/podsecurity.yaml.j2 @@ -0,0 +1,17 @@ +{% if kube_pod_security_use_default %} +apiVersion: pod-security.admission.config.k8s.io/v1beta1 +kind: PodSecurityConfiguration +defaults: + enforce: "{{ kube_pod_security_default_enforce }}" + enforce-version: "{{ kube_pod_security_default_enforce_version }}" + audit: "{{ kube_pod_security_default_audit }}" + audit-version: "{{ kube_pod_security_default_audit_version }}" + warn: "{{ kube_pod_security_default_warn }}" + warn-version: "{{ kube_pod_security_default_warn_version }}" +exemptions: + usernames: {{ kube_pod_security_exemptions_usernames|to_json }} + runtimeClasses: {{ kube_pod_security_exemptions_runtime_class_names|to_json }} + namespaces: {{ kube_pod_security_exemptions_namespaces|to_json }} +{% else %} +# This file is intentinally left empty as kube_pod_security_use_default={{ kube_pod_security_use_default }} +{% endif %} diff --git a/roles/kubernetes/control-plane/vars/main.yaml b/roles/kubernetes/control-plane/vars/main.yaml index 57a39f784..f888d6b0c 100644 --- a/roles/kubernetes/control-plane/vars/main.yaml +++ b/roles/kubernetes/control-plane/vars/main.yaml @@ -1,3 +1,3 @@ --- # list of admission plugins that needs to be configured -kube_apiserver_admission_plugins_needs_configuration: [EventRateLimit] +kube_apiserver_admission_plugins_needs_configuration: [EventRateLimit, PodSecurity]