github/container.training
1
0
Fork 0
mirror of https://github.com/jpetazzo/container.training.git synced 2026-05-06 17:06:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

️ Add AdmissionConfiguration file

Browse Source 
For now we set to warn+audit on baseline pods,
but don't enforce any restriction yet. This way,
it shouldn't break anything, but will still issue
visible warnings for problematic pods.
This commit is contained in:
Jérôme Petazzoni
2026-05-05 11:23:28 +02:00
parent 4334645566
commit f123c8b86d
2 changed files with 37 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
prepare-labs/lib/AdmissionConfiguration.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
configuration:
apiVersion: pod-security.admission.config.k8s.io/v1
kind: PodSecurityConfiguration
defaults:
enforce: "privileged"
enforce-version: "latest"
audit: "baseline"
audit-version: "latest"
warn: "baseline"
warn-version: "latest"
exemptions:
# Array of authenticated usernames to exempt.
usernames: []
# Array of runtime class names to exempt.
runtimeClasses: []
# Array of namespaces to exempt.
namespaces: [ kube-system ]

19
prepare-labs/lib/commands.sh
View File

@@ -595,6 +595,10 @@ _cmd_kubeadm() {
pssh -I "sudo tee /etc/containerd/config.toml" < lib/containerd-config.toml
pssh "sudo systemctl restart containerd"
# Copy the AdmissionConfiguration file.
pssh "sudo mkdir -p /etc/kubernetes"
pssh -I "sudo tee /etc/kubernetes/AdmissionConfiguration.yaml" < lib/AdmissionConfiguration.yaml
# Initialize kube control plane
pssh --timeout 200 "
IPV6=\$(ip -json a | jq -r '.[].addr_info[] | select(.scope==\"global\" and .family==\"inet6\") | .local' | head -n1)
@@ -613,7 +617,7 @@ _cmd_kubeadm() {
kubeadm token generate > /tmp/token &&
cat >/tmp/kubeadm-config.yaml <<EOF
kind: InitConfiguration
apiVersion: kubeadm.k8s.io/v1beta3
apiVersion: kubeadm.k8s.io/v1beta4
bootstrapTokens:
- token: \$(cat /tmp/token)
localAPIEndpoint:
@@ -627,7 +631,7 @@ nodeRegistration:
$IGNORE_IPTABLES
---
kind: JoinConfiguration
apiVersion: kubeadm.k8s.io/v1beta3
apiVersion: kubeadm.k8s.io/v1beta4
discovery:
bootstrapToken:
apiServerEndpoint: \$(cat /etc/name_of_first_node):6443
@@ -645,10 +649,19 @@ apiVersion: kubelet.config.k8s.io/v1beta1
failSwapOn: false
---
kind: ClusterConfiguration
apiVersion: kubeadm.k8s.io/v1beta3
apiVersion: kubeadm.k8s.io/v1beta4
apiServer:
certSANs:
- \$(cat /tmp/ip_address)
extraArgs:
- name: admission-control-config-file
value: /etc/kubernetes/AdmissionConfiguration.yaml
extraVolumes:
- name: admission-control-config-file
hostPath: /etc/kubernetes/AdmissionConfiguration.yaml
mountPath: /etc/kubernetes/AdmissionConfiguration.yaml
readOnly: true
pathType: File
networking:
\$SERVICE_SUBNET
$CLUSTER_CONFIGURATION_KUBERNETESVERSION