jandres - moscardo
11 months ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with
18 additions and
0 deletions
-
docs/hardening.md
-
roles/kubernetes/control-plane/defaults/main/main.yml
-
roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
-
roles/kubernetes/control-plane/templates/podnodeselector.yaml.j2
|
|
@ -54,6 +54,11 @@ kube_apiserver_enable_admission_plugins: |
|
|
|
- PodNodeSelector |
|
|
|
- PodSecurity |
|
|
|
kube_apiserver_admission_control_config_file: true |
|
|
|
# Creates config file for PodNodeSelector |
|
|
|
# kube_apiserver_admission_plugins_needs_configuration: [PodNodeSelector] |
|
|
|
# Define the default node selector, by default all the workloads will be scheduled on nodes |
|
|
|
# with label network=srv1 |
|
|
|
# kube_apiserver_admission_plugins_podnodeselector_default_node_selector: "network=srv1" |
|
|
|
# EventRateLimit plugin configuration |
|
|
|
kube_apiserver_admission_event_rate_limits: |
|
|
|
limit_1: |
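Review bot: The comment `# Creates config file for PodNodeSelector` is misleading: the file itself is rendered from `kube_apiserver_admission_plugins_podnodeselector_default_node_selector` (kubeadm-setup.yml in this commit), while the commented `kube_apiserver_admission_plugins_needs_configuration: [PodNodeSelector]` appears to be what makes the admission control config reference that file, so both have to be set for the plugin to see a default selector — suggest `# Reference PodNodeSelector's config file from the admission control config (set together with the default node selector below)`. The example `# with label network=srv1` should also carry the operational caveat: a cluster default selector is merged into pods of every namespace that has no scheduler.alpha.kubernetes.io/node-selector annotation, kube-system included, so DaemonSets such as kube-proxy or the CNI will not schedule on nodes that lack the label. The list these context lines belong to starts outside the hunk.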
|
|
|
|
|
@ -141,6 +141,8 @@ kube_webhook_token_auth_url_skip_tls_verify: false |
|
|
|
kube_webhook_authorization: false |
|
|
|
kube_webhook_authorization_url_skip_tls_verify: false |
|
|
|
|
|
|
|
# Default podnodeselector |
|
|
|
kube_apiserver_admission_plugins_podnodeselector_default_node_selector: "" |
|
|
|
|
|
|
|
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/ |
|
|
|
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...) |
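Review bot: `# Default podnodeselector` on the new variable says neither what form the value takes nor that the empty default is meaningful — kubeadm-setup.yml in this commit only renders the config file when the string is non-empty. Suggest `# Cluster-wide default node selector (e.g. "network=srv1") applied by the PodNodeSelector admission plugin; leave empty to skip rendering its config file`.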
|
|
|
|
|
@ -108,6 +108,15 @@ |
|
|
|
- item in kube_apiserver_admission_plugins_needs_configuration |
|
|
|
loop: "{{ kube_apiserver_enable_admission_plugins }}" |
|
|
|
|
|
|
|
- name: Kubeadm | Configure default cluster podnodeslector |
|
|
|
template: |
|
|
|
src: "podnodeselector.yaml.j2" |
|
|
|
dest: "{{ kube_config_dir }}/admission-controls/podnodeselector.yaml" |
|
|
|
mode: 0640 |
|
|
|
when: |
|
|
|
- kube_apiserver_admission_plugins_podnodeselector_default_node_selector is defined |
|
|
|
- kube_apiserver_admission_plugins_podnodeselector_default_node_selector | length > 0 |
|
|
|
|
|
|
|
- name: Kubeadm | Check apiserver.crt SANs |
|
|
|
vars: |
|
|
|
apiserver_ips: "{{ apiserver_sans | map('ansible.utils.ipaddr') | reject('equalto', False) | list }}" |
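Review bot: The new task writes podnodeselector.yaml whenever the selector variable is non-empty, regardless of whether `kube_apiserver_admission_control_config_file` is true or PodNodeSelector is in `kube_apiserver_enable_admission_plugins`, so the file (and its `admission-controls/` parent, whose creation is not visible in this hunk) is produced on clusters that never reference it; gating the task on those two facts keeps it consistent with the plugin-configuration loop just above it. The task name has a typo (`podnodeslector`), the `is defined` check is redundant given the `""` default this commit adds, and `mode: 0640` should be quoted as `mode: "0640"` per ansible-lint's risky-octal rule rather than relying on YAML 1.1 octal parsing. Nothing removes a previously rendered file once the variable is cleared, so a stale default selector survives re-runs; a `file: state: absent` counterpart under the inverse condition would close that gap. The SAN-check task below continues outside the hunk.
```yaml
- name: Kubeadm | Configure default cluster podnodeselector
  # … unchanged: template src/dest …
    mode: "0640"
  when:
    - kube_apiserver_admission_control_config_file
    - "'PodNodeSelector' in kube_apiserver_enable_admission_plugins"
    - kube_apiserver_admission_plugins_podnodeselector_default_node_selector | length > 0
```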
|
|
|
|
|
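--- /dev/null
+++ b/roles/kubernetes/control-plane/templates/podnodeselector.yaml.j2
@@ -0,0 +1,2 @@
+podNodeSelectorPluginConfig:
+  clusterDefaultNodeSelector: {{ kube_apiserver_admission_plugins_podnodeselector_default_node_selector }}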
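Review bot: `clusterDefaultNodeSelector: {{ … }}` renders the operator-supplied selector as an unquoted plain scalar, so a value containing `: ` or ` #`, or starting with a YAML indicator such as `[`, `&` or `*`, yields a config file the apiserver cannot parse and it will fail to start; quoting the expansion, `clusterDefaultNodeSelector: "{{ kube_apiserver_admission_plugins_podnodeselector_default_node_selector }}"`, keeps it a string in every case. A leading `---` would also make the rendered file an explicit YAML document, which is the convention for Ansible-managed YAML. The file is complete in this hunk.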