From 30c77ea4c1205c8e7a9496dcd5cd13e5c1d10940 Mon Sep 17 00:00:00 2001
From: Tomas Zvala <Foxlik@users.noreply.github.com>
Date: Thu, 18 Aug 2022 10:16:36 +0200
Subject: [PATCH] Add the option to enable default Pod Security Configuration
 (#9017)

* Add the option to enable default Pod Security Configuration

Enable Pod Security in all namespaces by default with the option to
exempt some namespaces. Without the change only namespaces explicitly
configured will receive the admission plugin treatment.

* Fix the PR according to code review comments

* Revert the latest changes

- leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file
- don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration
---
 docs/hardening.md                               |  5 +++++
 .../control-plane/defaults/main/main.yml        | 12 ++++++++++++
 .../control-plane/templates/podsecurity.yaml.j2 | 17 +++++++++++++++++
 roles/kubernetes/control-plane/vars/main.yaml   |  2 +-
 4 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 roles/kubernetes/control-plane/templates/podsecurity.yaml.j2

diff --git a/docs/hardening.md b/docs/hardening.md
index 510f7cf12..df757df32 100644
--- a/docs/hardening.md
+++ b/docs/hardening.md
@@ -89,6 +89,11 @@ kubelet_seccomp_default: true
 # additional configurations
 kube_owner: root
 kube_cert_group: root
+
+# create a default Pod Security Configuration and deny running of insecure pods
+# kube_system namespace is exempted by default
+kube_pod_security_use_default: true
+kube_pod_security_default_enforce: restricted
 ```
 
 Let's take a deep look to the resultant **kubernetes** configuration:
diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml
index c53743207..32cabb91e 100644
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
@@ -104,6 +104,18 @@ kube_apiserver_admission_control_config_file: false
 #   cache_size: <cache_size_value>
 kube_apiserver_admission_event_rate_limits: {}
 
+kube_pod_security_use_default: false
+kube_pod_security_default_enforce: baseline
+kube_pod_security_default_enforce_version: latest
+kube_pod_security_default_audit: restricted
+kube_pod_security_default_audit_version: latest
+kube_pod_security_default_warn: restricted
+kube_pod_security_default_warn_version: latest
+kube_pod_security_exemptions_usernames: []
+kube_pod_security_exemptions_runtime_class_names: []
+kube_pod_security_exemptions_namespaces:
+  - kube-system
+
 # 1.10+ list of disabled admission plugins
 kube_apiserver_disable_admission_plugins: []
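Review bot: The new defaults at L51-L61 carry no comments, and two of them have security consequences a reader of this file will not see: `kube_pod_security_exemptions_namespaces` exempts `kube-system` entirely, so anything scheduled into that namespace (by an admin, or by a compromised controller with write access there) bypasses enforce, audit and warn alike, and the `*_version: latest` defaults mean the effective policy silently changes when the cluster is upgraded. I would add a header above L51 such as `# Pod Security Admission defaults (levels: privileged, baseline, restricted); exemptions skip all three modes for the listed namespaces/users/RuntimeClasses, so keep them minimal` and a note that pinning the `*_version` variables to the cluster's minor (e.g. `v1.24`) avoids surprise pod rejections on upgrade. The docs/hardening.md hunk in this same patch recommends `restricted` for enforce while the role default here is `baseline`; a one-line comment explaining why the role ships the weaker level would help operators decide which to use.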
 
diff --git a/roles/kubernetes/control-plane/templates/podsecurity.yaml.j2 b/roles/kubernetes/control-plane/templates/podsecurity.yaml.j2
new file mode 100644
index 000000000..5d39576ff
--- /dev/null
+++ b/roles/kubernetes/control-plane/templates/podsecurity.yaml.j2
@@ -0,0 +1,17 @@
+{% if kube_pod_security_use_default %}
+apiVersion: pod-security.admission.config.k8s.io/v1beta1
+kind: PodSecurityConfiguration
+defaults:
+  enforce: "{{ kube_pod_security_default_enforce }}"
+  enforce-version: "{{ kube_pod_security_default_enforce_version }}"
+  audit: "{{ kube_pod_security_default_audit }}"
+  audit-version: "{{ kube_pod_security_default_audit_version }}"
+  warn: "{{ kube_pod_security_default_warn }}"
+  warn-version: "{{ kube_pod_security_default_warn_version }}"
+exemptions:
+  usernames: {{ kube_pod_security_exemptions_usernames|to_json }}
+  runtimeClasses: {{ kube_pod_security_exemptions_runtime_class_names|to_json }}
+  namespaces: {{ kube_pod_security_exemptions_namespaces|to_json }}
+{% else %}
+# This file is intentinally left empty as kube_pod_security_use_default={{ kube_pod_security_use_default }}
+{% endif %}
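Review bot: `apiVersion` is hard-coded to `pod-security.admission.config.k8s.io/v1beta1` at L73; Kubernetes 1.25 promoted this configuration API to `v1` and the beta version will eventually be dropped, so if the role exposes a cluster-version variable it would be safer to derive the apiVersion from it, roughly `apiVersion: pod-security.admission.config.k8s.io/{{ 'v1' if <cluster version> is version('1.25', '>=') else 'v1beta1' }}` — the variable name is an assumption, since the rest of the role is not in this patch. The else branch renders a comment-only file, and because L97 of this patch lists PodSecurity as always needing configuration the apiserver will presumably be pointed at this empty file whenever the plugin is enabled; it is worth confirming that kube-apiserver accepts an empty PodSecurity configuration (I believe it falls back to the plugin's built-in defaults) and stating that outcome in the comment, which also has a typo: `# This file is intentionally left empty because kube_pod_security_use_default={{ kube_pod_security_use_default }}; the apiserver then uses the PodSecurity plugin's built-in defaults`.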
diff --git a/roles/kubernetes/control-plane/vars/main.yaml b/roles/kubernetes/control-plane/vars/main.yaml
index 57a39f784..f888d6b0c 100644
--- a/roles/kubernetes/control-plane/vars/main.yaml
+++ b/roles/kubernetes/control-plane/vars/main.yaml
@@ -1,3 +1,3 @@
 ---
 # list of admission plugins that needs to be configured
-kube_apiserver_admission_plugins_needs_configuration: [EventRateLimit]
+kube_apiserver_admission_plugins_needs_configuration: [EventRateLimit, PodSecurity]
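Review bot: Adding PodSecurity to `kube_apiserver_admission_plugins_needs_configuration` means a configuration entry for the plugin is generated regardless of `kube_pod_security_use_default`, and nothing in this file says so; the commit message explains the intentionally empty file, but the next maintainer reads vars/main.yaml, not the git log. I would extend the comment above the list to `# list of admission plugins that need a configuration entry; PodSecurity's file is rendered empty (comment only) when kube_pod_security_use_default is false`. How this list is consumed is outside the patch, so that wording assumes the entry points at the rendered podsecurity.yaml.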
-- 
GitLab