From f123c8b86d844e17a2bc109e05d08557bdd9373f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Petazzoni?= Date: Tue, 5 May 2026 11:23:28 +0200 Subject: [PATCH] =?UTF-8?q?=E2=9E=95=EF=B8=8F=20Add=20AdmissionConfigurati?= =?UTF-8?q?on=20file?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit For now we set to warn+audit on baseline pods, but don't enforce any restriction yet. This way, it shouldn't break anything, but will still issue visible warnings for problematic pods. --- prepare-labs/lib/AdmissionConfiguration.yaml | 21 ++++++++++++++++++++ prepare-labs/lib/commands.sh | 19 +++++++++++++++--- 2 files changed, 37 insertions(+), 3 deletions(-) create mode 100644 prepare-labs/lib/AdmissionConfiguration.yaml
diff --git a/prepare-labs/lib/AdmissionConfiguration.yaml b/prepare-labs/lib/AdmissionConfiguration.yaml
new file mode 100644
index 00000000..af080ccb
--- /dev/null
+++ b/prepare-labs/lib/AdmissionConfiguration.yaml
@@ -0,0 +1,21 @@
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+- name: PodSecurity
+ configuration:
+ apiVersion: pod-security.admission.config.k8s.io/v1
+ kind: PodSecurityConfiguration
+ defaults:
+ enforce: "privileged"
+ enforce-version: "latest"
+ audit: "baseline"
+ audit-version: "latest"
+ warn: "baseline"
+ warn-version: "latest"
+ exemptions:
+ # Array of authenticated usernames to exempt.
+ usernames: []
+ # Array of runtime class names to exempt.
+ runtimeClasses: []
+ # Array of namespaces to exempt.
+ namespaces: [ kube-system ]
diff --git a/prepare-labs/lib/commands.sh b/prepare-labs/lib/commands.sh
index 223d4cc3..f2ed982d 100644
--- a/prepare-labs/lib/commands.sh
+++ b/prepare-labs/lib/commands.sh
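Review bot: The `audit: "baseline"` setting under `defaults` only adds annotations to API server audit events, so it is inert unless the API server has an audit policy and backend configured, which nothing in this patch shows; if audit logging is not enabled on these lab clusters, `warn` is the only level that will actually surface anything. The three `*-version: "latest"` fields also mean the baseline profile tracks whatever Kubernetes version the API server is running, so a kubeadm upgrade can introduce new warnings without any change to this file — pinning them to the minor version kubeadm installs keeps behaviour predictable. I would also carry the commit message's intent into the file as a header comment, e.g. `# Pod Security Admission defaults: enforce nothing yet (privileged), but warn and audit at the baseline level. Tighten "enforce" once the warnings have been triaged.`. Exempting `kube-system` has no effect while enforce is privileged, but it is the right entry to keep for when enforcement is turned on.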
@@ -595,6 +595,10 @@ _cmd_kubeadm() {
 pssh -I "sudo tee /etc/containerd/config.toml" < lib/containerd-config.toml
 pssh "sudo systemctl restart containerd"
+ # Copy the AdmissionConfiguration file.
+ pssh "sudo mkdir -p /etc/kubernetes"
+ pssh -I "sudo tee /etc/kubernetes/AdmissionConfiguration.yaml" < lib/AdmissionConfiguration.yaml
+
 # Initialize kube control plane
 pssh --timeout 200 " IPV6=\$(ip -json a | jq -r '.[].addr_info[] | select(.scope==\"global\" and .family==\"inet6\") | .local' | head -n1)
@@ -613,7 +617,7 @@ _cmd_kubeadm() {
 kubeadm token generate > /tmp/token && cat >/tmp/kubeadm-config.yaml <
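Review bot: Writing the file to `/etc/kubernetes/AdmissionConfiguration.yaml` on the host does nothing by itself; the kube-apiserver runs as a static pod, so the kubeadm ClusterConfiguration must both pass `admission-control-config-file` via `apiServer.extraArgs` and add an `extraVolumes` entry mounting that path into the pod — without the flag the file is silently ignored, and with the flag but no mount the API server cannot find it and fails to start. The second hunk appears to edit the kubeadm-config.yaml heredoc but is cut off in this view, so I cannot confirm it does both. I would make the dependency explicit in the comment: `# Copy the AdmissionConfiguration file (referenced by admission-control-config-file in the kubeadm config below; it must also be mounted into the kube-apiserver static pod).`. `_cmd_kubeadm` starts and ends outside this hunk.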