hardening: Add SeccompDefault admission plugin for kubelet (kuberne…

…tes-sigs#9074) * docs(hardening): add SeccompDefault admission plugin to kubelet feature gates * fix(kubelet-config): enable config through kubelet_feature_gates * feat(kubelet): add kubelet_seccomp_default variable
southbridgeio · Jul 2, 2023 · 49bcdfa · 49bcdfa
1 parent 524929b
commit 49bcdfa
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/docs/hardening.md b/docs/hardening.md
@@ -83,7 +83,8 @@ kubelet_event_record_qps: 1
 kubelet_rotate_certificates: true
 kubelet_streaming_connection_idle_timeout: "5m"
 kubelet_make_iptables_util_chains: true
-kubelet_feature_gates: ["RotateKubeletServerCertificate=true"]
+kubelet_feature_gates: ["RotateKubeletServerCertificate=true","SeccompDefault=true"]
+kubelet_seccomp_default: true
 
 # additional configurations
 kube_owner: root

diff --git a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2 b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
@@ -121,9 +121,9 @@ resolvConf: "{{ kube_resolv_conf }}"
 {% if inventory_hostname in groups['kube_node'] and kubelet_node_config_extra_args %}
 {{ kubelet_node_config_extra_args | to_nice_yaml(indent=2) }}
 {% endif %}
-{% if kube_feature_gates %}
+{% if kubelet_feature_gates or kube_feature_gates %}
 featureGates:
-{% for feature in kube_feature_gates %}
+{% for feature in (kubelet_feature_gates | default(kube_feature_gates, true)) %}
   {{ feature|replace("=", ": ") }}
 {% endfor %}
 {% endif %}
@@ -151,3 +151,6 @@ streamingConnectionIdleTimeout: {{ kubelet_streaming_connection_idle_timeout }}
 {% if kubelet_make_iptables_util_chains is defined %}
 makeIPTablesUtilChains: {{ kubelet_make_iptables_util_chains | bool }}
 {% endif %}
+{% if kubelet_seccomp_default is defined %}
+seccompDefault: {{ kubelet_seccomp_default | bool }}
+{% endif %}