hardening: Add `SeccompDefault` admission plugin for kubelet (#9074)

* docs(hardening): add SeccompDefault admission plugin to kubelet feature gates * fix(kubelet-config): enable config through kubelet_feature_gates * feat(kubelet): add kubelet_seccomp_default variable
2 years ago · 3ce5458f32
2 changed files with 7 additions and 3 deletions
--- a/docs/hardening.md
+++ b/docs/hardening.md
@ -83,7 +83,8 @@ kubelet_event_record_qps: 1
 kubelet_rotate_certificates: true
 kubelet_streaming_connection_idle_timeout: "5m"
 kubelet_make_iptables_util_chains: true
-kubelet_feature_gates: ["RotateKubeletServerCertificate=true"]
+kubelet_feature_gates: ["RotateKubeletServerCertificate=true","SeccompDefault=true"]
+kubelet_seccomp_default: true

 # additional configurations
 kube_owner: root
--- a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
+++ b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
@ -116,9 +116,9 @@ resolvConf: "{{ kube_resolv_conf }}"
 {% if inventory_hostname in groups['kube_node'] and kubelet_node_config_extra_args %}
 {{ kubelet_node_config_extra_args | to_nice_yaml(indent=2) }}
 {% endif %}
-{% if kube_feature_gates %}
+{% if kubelet_feature_gates or kube_feature_gates %}
 featureGates:
-{% for feature in kube_feature_gates %}
+{% for feature in (kubelet_feature_gates | default(kube_feature_gates, true)) %}
  {{ feature|replace("=", ": ") }}
 {% endfor %}
 {% endif %}
@ -146,3 +146,6 @@ streamingConnectionIdleTimeout: {{ kubelet_streaming_connection_idle_timeout }}
 {% if kubelet_make_iptables_util_chains is defined %}
 makeIPTablesUtilChains: {{ kubelet_make_iptables_util_chains | bool }}
 {% endif %}
+{% if kubelet_seccomp_default is defined %}
+seccompDefault: {{ kubelet_seccomp_default | bool }}
+{% endif %}