variable

Fix wrong referenced variable on bgp_peers

Fix bgp_peeras field to be a string

Set default value for bgp_peeras

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>

* [cri-o] use cri-o from upstream instead of kubic/OBS

* [cri-o] add proper molecule coverage

* [skopeo] download skopeo from upstream build

* [cri-o] clean up legacy deployments

* disable cri-o per-distribution variables

* fix-ensure-package-in-coreos

* clean blank line

To block merging pull requests which contain typo automatically.

* Support kubeadm patches in v1beta3

* Update kubeadm patches sample files in inventory

* Fix pre-commit syntax

* Set kubeadm_patches  enabled to false in sample inventory

Signed-off-by: eminaktas <eminaktas34@gmail.com>

Signed-off-by: eminaktas <eminaktas34@gmail.com>

When a machine that use dhclient and resolvconf reboots, this will make /etc/resolv.conf
remain close to the one before reboot

Signed-off-by: eminaktas <eminaktas34@gmail.com>

Signed-off-by: eminaktas <eminaktas34@gmail.com>

Signed-off-by: cleverhu <shouping.hu@daocloud.io>

Signed-off-by: cleverhu <shouping.hu@daocloud.io>

* add retries for restart of kube-apiserver

* change var name

* feat: add kubelet systemd service hardening option

* refactor: move variable name to kubelet_secure_addresses

Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>

* docs: add diagram about kubelet_secure_addresses variable

Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>

* fix-kube-vip-strict-arp

* fix-kube-vip-strict-arp

* Add the option to enable default Pod Security Configuration

Enable Pod Security in all namespaces by default with the option to
exempt some namespaces. Without the change only namespaces explicitly
configured will receive the admission plugin treatment.

* Fix the PR according to code review comments

* Revert the latest changes

- leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file
- don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration

* Disable DNSStubListener for Flatcar Linux

* Fix missing "Flatcar" condition of os_family

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>

* docs(hardening): add SeccompDefault admission plugin to kubelet feature gates

* fix(kubelet-config): enable config through kubelet_feature_gates

* feat(kubelet): add kubelet_seccomp_default variable

The commit 1ce2f04f tried to merge multiple SUSE OS checks including
"openSUSE Leap" and "openSUSE Tumbleweed" into a single SUSE, but
that was a perfect change.
Then the commit c16efc9a tried to fix it for "openSUSE Leap", but it
didn't take care of "openSUSE Tumbleweed".
Then this adds "openSUSE Tumbleweed" to the OS check.

Co-authored-by: Kenichi Omichi <ken1ohmichi@gmail.com>

* feat: make kubernetes owner parametrized

* docs: update hardening guide with configuration for CIS 1.1.19

* fix: set etcd data directory permissions to be compliant to CIS 1.1.12

* extra admission controls now don't have a version in their file names
  eventratelimit.v1beta2.yaml.j2 -> eventratelimit.yaml.j2
* cri_socket variable includes the unix:// prefix to be conformat with
  upstream