File tree Expand file tree Collapse file tree 4 files changed +53
-3
lines changed
e2e/data/infrastructure-docker/v1beta1/main Expand file tree Collapse file tree 4 files changed +53
-3
lines changed Original file line number Diff line number Diff line change 9898 plugins:
9999 - name: PodSecurity
100100 configuration:
101- apiVersion: pod-security.admission.config.k8s.io/v1beta1
101+ apiVersion: pod-security.admission.config.k8s.io/v1{{ if semverCompare "< v1.25" .builtin.controlPlane.version }}beta1{{ end }}
102102 kind: PodSecurityConfiguration
103103 defaults:
104104 enforce: "{{ .podSecurity.enforce }}"
@@ -164,7 +164,7 @@ spec:
164164 plugins:
165165 - name: PodSecurity
166166 configuration:
167- apiVersion: pod-security.admission.config.k8s.io/v1beta1
167+ apiVersion: pod-security.admission.config.k8s.io/v1{{ if semverCompare "< v1.25" .builtin.controlPlane.version }}beta1{{ end }}
168168 kind: PodSecurityConfiguration
169169 defaults:
170170 enforce: "{{ .podSecurity.enforce }}"
Original file line number Diff line number Diff line change @@ -246,6 +246,52 @@ spec:
246246 - op : add
247247 path : " /spec/template/spec/kubeadmConfigSpec/joinConfiguration/nodeRegistration/taints"
248248 value : []
249+ - name : podSecurityStandard
250+ description : " Adds an admission configuration for PodSecurity to the kube-apiserver."
251+ definitions :
252+ - selector :
253+ apiVersion : controlplane.cluster.x-k8s.io/v1beta1
254+ kind : KubeadmControlPlaneTemplate
255+ matchResources :
256+ controlPlane : true
257+ jsonPatches :
258+ - op : add
259+ path : " /spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs"
260+ value :
261+ admission-control-config-file : " /etc/kubernetes/kube-apiserver-admission-pss.yaml"
262+ - op : add
263+ path : " /spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes"
264+ value :
265+ - name : admission-pss
266+ hostPath : /etc/kubernetes/kube-apiserver-admission-pss.yaml
267+ mountPath : /etc/kubernetes/kube-apiserver-admission-pss.yaml
268+ readOnly : true
269+ pathType : " File"
270+ - op : add
271+ path : " /spec/template/spec/kubeadmConfigSpec/files"
272+ valueFrom :
273+ template : |
274+ - content: |
275+ apiVersion: apiserver.config.k8s.io/v1
276+ kind: AdmissionConfiguration
277+ plugins:
278+ - name: PodSecurity
279+ configuration:
280+ apiVersion: pod-security.admission.config.k8s.io/v1{{ if semverCompare "< v1.25" .builtin.controlPlane.version }}beta1{{ end }}
281+ kind: PodSecurityConfiguration
282+ defaults:
283+ enforce: "baseline"
284+ enforce-version: "latest"
285+ audit: "baseline"
286+ audit-version: "latest"
287+ warn: "baseline"
288+ warn-version: "latest"
289+ exemptions:
290+ usernames: []
291+ runtimeClasses: []
292+ namespaces: [kube-system]
293+ path: /etc/kubernetes/kube-apiserver-admission-pss.yaml
294+ enabledIf : ' {{ semverCompare ">= v1.24" .builtin.controlPlane.version }}'
249295---
250296apiVersion : infrastructure.cluster.x-k8s.io/v1beta1
251297kind : DockerClusterTemplate
Original file line number Diff line number Diff line change @@ -3,4 +3,8 @@ kind: Namespace
33metadata :
44 labels :
55 control-plane : controller-manager
6+ # CAPD requires the privileged policy because it needs to mount the docker socket using a hostPath.
7+ pod-security.kubernetes.io/enforce : privileged
8+ pod-security.kubernetes.io/warn : privileged
9+ pod-security.kubernetes.io/audit : privileged
610 name : system
Original file line number Diff line number Diff line change @@ -219,7 +219,7 @@ spec:
219219 plugins:
220220 - name: PodSecurity
221221 configuration:
222- apiVersion: pod-security.admission.config.k8s.io/v1beta1
222+ apiVersion: pod-security.admission.config.k8s.io/v1{{ if semverCompare "< v1.25" .builtin.controlPlane.version }}beta1{{ end }}
223223 kind: PodSecurityConfiguration
224224 defaults:
225225 enforce: "{{ .podSecurityStandard.enforce }}"
You can’t perform that action at this time.
0 commit comments