From ac67bb15f0802dfc3cfe47d0dee3ac939575a18d Mon Sep 17 00:00:00 2001 From: Tomas Zvala Date: Thu, 18 Aug 2022 10:16:36 +0200 Subject: [PATCH] Add the option to enable default Pod Security Configuration (#9017) * Add the option to enable default Pod Security Configuration Enable Pod Security in all namespaces by default with the option to exempt some namespaces. Without the change only namespaces explicitly configured will receive the admission plugin treatment. * Fix the PR according to code review comments * Revert the latest changes - leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file - don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration --- docs/hardening.md | 5 +++++ .../control-plane/defaults/main/main.yml | 12 ++++++++++++ .../control-plane/templates/podsecurity.yaml.j2 | 17 +++++++++++++++++ roles/kubernetes/control-plane/vars/main.yaml | 2 +- 4 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 roles/kubernetes/control-plane/templates/podsecurity.yaml.j2 diff --git a/docs/hardening.md b/docs/hardening.md index 510f7cf12a6..df757df327d 100644 --- a/docs/hardening.md +++ b/docs/hardening.md @@ -89,6 +89,11 @@ kubelet_seccomp_default: true # additional configurations kube_owner: root kube_cert_group: root + +# create a default Pod Security Configuration and deny running of insecure pods +# kube_system namespace is exempted by default +kube_pod_security_use_default: true +kube_pod_security_default_enforce: restricted ``` Let's take a deep look to the resultant **kubernetes** configuration: diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml index 3a80f0620a3..85f43a60713 100644 --- a/roles/kubernetes/control-plane/defaults/main/main.yml +++ b/roles/kubernetes/control-plane/defaults/main/main.yml @@ -132,6 +132,18 @@ kube_apiserver_admission_control_config_file: false # cache_size: kube_apiserver_admission_event_rate_limits: {} +kube_pod_security_use_default: false +kube_pod_security_default_enforce: baseline +kube_pod_security_default_enforce_version: latest +kube_pod_security_default_audit: restricted +kube_pod_security_default_audit_version: latest +kube_pod_security_default_warn: restricted +kube_pod_security_default_warn_version: latest +kube_pod_security_exemptions_usernames: [] +kube_pod_security_exemptions_runtime_class_names: [] +kube_pod_security_exemptions_namespaces: + - kube-system + # 1.10+ list of disabled admission plugins kube_apiserver_disable_admission_plugins: [] diff --git a/roles/kubernetes/control-plane/templates/podsecurity.yaml.j2 b/roles/kubernetes/control-plane/templates/podsecurity.yaml.j2 new file mode 100644 index 00000000000..5d39576ffb8 --- /dev/null +++ b/roles/kubernetes/control-plane/templates/podsecurity.yaml.j2 @@ -0,0 +1,17 @@ +{% if kube_pod_security_use_default %} +apiVersion: pod-security.admission.config.k8s.io/v1beta1 +kind: PodSecurityConfiguration +defaults: + enforce: "{{ kube_pod_security_default_enforce }}" + enforce-version: "{{ kube_pod_security_default_enforce_version }}" + audit: "{{ kube_pod_security_default_audit }}" + audit-version: "{{ kube_pod_security_default_audit_version }}" + warn: "{{ kube_pod_security_default_warn }}" + warn-version: "{{ kube_pod_security_default_warn_version }}" +exemptions: + usernames: {{ kube_pod_security_exemptions_usernames|to_json }} + runtimeClasses: {{ kube_pod_security_exemptions_runtime_class_names|to_json }} + namespaces: {{ kube_pod_security_exemptions_namespaces|to_json }} +{% else %} +# This file is intentinally left empty as kube_pod_security_use_default={{ kube_pod_security_use_default }} +{% endif %} diff --git a/roles/kubernetes/control-plane/vars/main.yaml b/roles/kubernetes/control-plane/vars/main.yaml index 57a39f78422..f888d6b0ce8 100644 --- a/roles/kubernetes/control-plane/vars/main.yaml +++ b/roles/kubernetes/control-plane/vars/main.yaml @@ -1,3 +1,3 @@ --- # list of admission plugins that needs to be configured -kube_apiserver_admission_plugins_needs_configuration: [EventRateLimit] +kube_apiserver_admission_plugins_needs_configuration: [EventRateLimit, PodSecurity]