Merge branch 'add-psa-config' of https://github.com/jcox10/rke2-ansible…

… into jcox10-add-psa-config
rancherfederal · May 21, 2024 · 4ae0e59 · 4ae0e59
2 parents 1ac92b0 + 252a204
commit 4ae0e59
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 0 deletions.
diff --git a/inventory/sample/group_vars/rke2_servers.yml b/inventory/sample/group_vars/rke2_servers.yml
@@ -45,3 +45,8 @@ rke2_config: {}
 # See https://docs.rke2.io/helm/#automatically-deploying-manifests-and-helm-charts
 # Add manifest files by specifying the directory path on the control host
 # manifest_config_file_path: "{{ playbook_dir }}/sample_files/manifest/"
+
+# See https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates#exempting-required-rancher-namespaces
+# Available in RKE2 1.25+
+# Add a pod security admission config file by specifying the file path on the control host
+# pod_security_admission_config_file_path: "{{ playbook_dir }}/sample_files/pod-security-admission-config.yaml"
diff --git a/roles/rke2_common/defaults/main.yml b/roles/rke2_common/defaults/main.yml
@@ -5,6 +5,7 @@ rke2_images_urls: []
 rke2_channel: stable
 audit_policy_config_file_path: ""
 registry_config_file_path: ""
+pod_security_admission_config_file_path: ""
 add_iptables_rules: false
 rke2_common_yum_repo:
   name: rke2-common

diff --git a/roles/rke2_common/tasks/add-pod-security-admission-config.yml b/roles/rke2_common/tasks/add-pod-security-admission-config.yml
@@ -0,0 +1,16 @@
+---
+- name: Create the /etc/rancher/rke2 config dir
+  ansible.builtin.file:
+    path: /etc/rancher/rke2
+    state: directory
+    recurse: yes
+
+- name: Add pod security admission config file
+  ansible.builtin.copy:
+    src: "{{ pod_security_admission_config_file_path }}"
+    dest: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+    mode: '0640'
+    owner: root
+    group: root
+  when: caller_role_name == "server"
+  notify: Restart rke2-server
diff --git a/roles/rke2_common/tasks/main.yml b/roles/rke2_common/tasks/main.yml
@@ -74,6 +74,10 @@
   ansible.builtin.include_tasks: add-registry-config.yml
   when: registry_config_file_path | length > 0
 
+- name: Include task file add-pod-security-admission-config.yml
+  ansible.builtin.include_tasks: add-pod-security-admission-config.yml
+  when: pod_security_admission_config_file_path | length > 0
+
 - name: Run CIS-Hardening Tasks
   ansible.builtin.include_role:
     name: rke2_common

diff --git a/sample_files/pod-security-admission-config.yaml b/sample_files/pod-security-admission-config.yaml
@@ -0,0 +1,57 @@
+---
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+  - name: PodSecurity
+    configuration:
+      apiVersion: pod-security.admission.config.k8s.io/v1
+      kind: PodSecurityConfiguration
+      defaults:
+        enforce: "restricted"
+        enforce-version: "latest"
+        audit: "restricted"
+        audit-version: "latest"
+        warn: "restricted"
+        warn-version: "latest"
+      exemptions:
+        usernames: []
+        runtimeClasses: []
+        namespaces: [calico-apiserver,
+                     calico-system,
+                     cattle-alerting,
+                     cattle-csp-adapter-system,
+                     cattle-elemental-system,
+                     cattle-epinio-system,
+                     cattle-externalip-system,
+                     cattle-fleet-local-system,
+                     cattle-fleet-system,
+                     cattle-gatekeeper-system,
+                     cattle-global-data,
+                     cattle-global-nt,
+                     cattle-impersonation-system,
+                     cattle-istio,
+                     cattle-istio-system,
+                     cattle-logging,
+                     cattle-logging-system,
+                     cattle-monitoring-system,
+                     cattle-neuvector-system,
+                     cattle-prometheus,
+                     cattle-provisioning-capi-system,
+                     cattle-resources-system,
+                     cattle-sriov-system,
+                     cattle-system,
+                     cattle-ui-plugin-system,
+                     cattle-windows-gmsa-system,
+                     cert-manager,
+                     cis-operator-system,
+                     fleet-default,
+                     ingress-nginx,
+                     istio-system,
+                     kube-node-lease,
+                     kube-public,
+                     kube-system,
+                     longhorn-system,
+                     local-path-storage,
+                     rancher-alerting-drivers,
+                     security-scan,
+                     tigera-operator]