Skip to content

Commit

Permalink
Enforce Pod Security Standard restricted
Browse files Browse the repository at this point in the history 
https://kubernetes.io/docs/tutorials/security/cluster-level-pss/

close: #1887

Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
  • Loading branch information
@collivier
collivier committed May 10, 2024
1 parent 47958a0 commit 76cf1ff
Showing 1 changed file with 79 additions and 2 deletions.
81 changes: 79 additions & 2 deletions .github/workflows/actions.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,14 +61,56 @@ jobs:
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Configuration file that can be consumed by the Pod Security Admission Controller
run: |
mkdir -p /tmp/pss
cat <<EOF > /tmp/pss/cluster-level-pss.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
configuration:
apiVersion: pod-security.admission.config.k8s.io/v1
kind: PodSecurityConfiguration
defaults:
enforce: "restricted"
enforce-version: "latest"
audit: "restricted"
audit-version: "latest"
warn: "restricted"
warn-version: "latest"
exemptions:
usernames: []
runtimeClasses: []
namespaces:
- kube-system
- local-path-storage
EOF
- name: Mirror Setup
run: |
cat << EOF > /tmp/cluster.yml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
image: kindest/node:v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245
kubeadmConfigPatches:
- |
kind: ClusterConfiguration
apiServer:
extraArgs:
admission-control-config-file: /etc/config/cluster-level-pss.yaml
extraVolumes:
- name: accf
hostPath: /etc/config
mountPath: /etc/config
readOnly: false
pathType: "DirectoryOrCreate"
extraMounts:
- hostPath: /tmp/pss
containerPath: /etc/config
readOnly: false
selinuxRelabel: false
propagation: None
containerdConfigPatches:
- |-
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
Expand All @@ -88,11 +130,27 @@ jobs:
# Enabled additional unsafe sysctls to support the negative spec test for sysctls
nodes:
- role: control-plane
image: kindest/node:v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245
kubeadmConfigPatches:
- |
kind: KubeletConfiguration
allowedUnsafeSysctls: ["kernel.msg*"]
- |
kind: ClusterConfiguration
apiServer:
extraArgs:
admission-control-config-file: /etc/config/cluster-level-pss.yaml
extraVolumes:
- name: accf
hostPath: /etc/config
mountPath: /etc/config
readOnly: false
pathType: "DirectoryOrCreate"
extraMounts:
- hostPath: /tmp/pss
containerPath: /etc/config
readOnly: false
selinuxRelabel: false
propagation: None
EOF
- name: Mirror Override
if: matrix.spec == 'private_registry_image'
Expand All @@ -102,12 +160,31 @@ jobs:
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
kubeadmConfigPatches:
- |
kind: ClusterConfiguration
apiServer:
extraArgs:
admission-control-config-file: /etc/config/cluster-level-pss.yaml
extraVolumes:
- name: accf
hostPath: /etc/config
mountPath: /etc/config
readOnly: false
pathType: "DirectoryOrCreate"
extraMounts:
- hostPath: /tmp/pss
containerPath: /etc/config
readOnly: false
selinuxRelabel: false
propagation: None
containerdConfigPatches:
- |-
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry:5000"]
endpoint = ["http://localhost:5000"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.default.svc.cluster.local:5000"]
endpoint = ["http://localhost:5000"]
EOF
- name: Install Latest Kind
env:
KIND_VERSION: v0.22.0
Expand Down

0 comments on commit 76cf1ff

Please sign in to comment.