Enforce Pod Security Standard restricted
collivier committed Nov 13, 2024
1 parent 531e9a1 commit 694adbf
Showing 1 changed file with 89 additions and 4 deletions.
93 changes: 89 additions & 4 deletions .github/workflows/actions.yml
Expand Up @@ -70,14 +70,60 @@ jobs:
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Configuration file that can be consumed by the Pod Security Admission Controller
run: |
export CLUSTER=$(uuidgen)
echo "export CLUSTER=$CLUSTER"
echo "export CLUSTER=$CLUSTER" > cluster.env
mkdir -p /shared/pss
cat <<EOF > /shared/pss/cluster-level-pss.$CLUSTER.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
configuration:
apiVersion: pod-security.admission.config.k8s.io/v1
kind: PodSecurityConfiguration
defaults:
enforce: "restricted"
enforce-version: "latest"
audit: "restricted"
audit-version: "latest"
warn: "restricted"
warn-version: "latest"
exemptions:
usernames: []
runtimeClasses: []
namespaces:
- kube-system
- local-path-storage
EOF
- name: Mirror Setup
run: |
source cluster.env
cat << EOF > /tmp/cluster.yml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
image: kindest/node:v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245
kubeadmConfigPatches:
- |
kind: ClusterConfiguration
apiServer:
extraArgs:
admission-control-config-file: /shared/pss/cluster-level-pss.$CLUSTER.yaml
extraVolumes:
- name: accf
hostPath: /shared/pss
mountPath: /shared/pss
readOnly: false
pathType: "DirectoryOrCreate"
extraMounts:
- hostPath: /shared/pss
containerPath: /shared/pss
readOnly: false
selinuxRelabel: false
propagation: None
containerdConfigPatches:
- |-
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
Expand All @@ -90,27 +136,63 @@ jobs:
- name: sysctls specs kind config override
if: matrix.spec == 'sysctls'
run: |
source cluster.env
cat << EOF > /tmp/cluster.yml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
# Enabled additional unsafe sysctls to support the negative spec test for sysctls
nodes:
- role: control-plane
image: kindest/node:v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245
kubeadmConfigPatches:
- |
kind: KubeletConfiguration
allowedUnsafeSysctls: ["kernel.msg*"]
- |
kind: ClusterConfiguration
apiServer:
extraArgs:
admission-control-config-file: /shared/pss/cluster-level-pss.$CLUSTER.yaml
extraVolumes:
- name: accf
hostPath: /shared/pss
mountPath: /shared/pss
readOnly: false
pathType: "DirectoryOrCreate"
extraMounts:
- hostPath: /shared/pss
containerPath: /shared/pss
readOnly: false
selinuxRelabel: false
propagation: None
EOF
- name: Mirror Override
if: matrix.spec == 'private_registry_image'
run: |
source cluster.env
cat << EOF > /tmp/cluster.yml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
kubeadmConfigPatches:
- |
kind: ClusterConfiguration
apiServer:
extraArgs:
admission-control-config-file: /shared/pss/cluster-level-pss.$CLUSTER.yaml
extraVolumes:
- name: accf
hostPath: /shared/pss
mountPath: /shared/pss
readOnly: false
pathType: "DirectoryOrCreate"
extraMounts:
- hostPath: /shared/pss
containerPath: /shared/pss
readOnly: false
selinuxRelabel: false
propagation: None
containerdConfigPatches:
- |-
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry:5000"]
Expand All @@ -132,8 +214,7 @@ jobs:
- name: Create Kind Cluster
run: |
cat /tmp/cluster.yml
export CLUSTER=$(uuidgen)
echo "export CLUSTER=$CLUSTER" > cluster.env
source cluster.env
echo kind create cluster --name $CLUSTER --config=/tmp/cluster.yml --kubeconfig ./$CLUSTER.conf --retain
kind --version
kind create cluster --name $CLUSTER --config=/tmp/cluster.yml --kubeconfig ./$CLUSTER.conf --retain
Expand Down Expand Up @@ -213,6 +294,7 @@ jobs:
kind delete cluster --name $CLUSTER
docker container prune -f || true
docker volume prune -f || true
rm -f /shared/pss/cluster-level-pss.$CLUSTER.yaml /tmp/cluster.yml
continue-on-error: true
- name: upload artifact
if: ${{ always() }}
Expand Down Expand Up @@ -434,6 +516,7 @@ jobs:
docker container prune -f || true
docker volume prune -f || true
docker network prune -f || true
rm -f /tmp/cluster.yml
continue-on-error: true
- name: upload artifact
if: ${{ always() }}
Expand Down Expand Up @@ -516,6 +599,7 @@ jobs:
docker container prune -f || true
docker volume prune -f || true
docker network prune -f || true
rm -f /tmp/cluster.yml
continue-on-error: true
- name: upload artifact
if: ${{ always() }}
Expand Down Expand Up @@ -598,6 +682,7 @@ jobs:
docker container prune -f || true
docker volume prune -f || true
docker network prune -f || true
rm -f /tmp/cluster.yml
continue-on-error: true
- name: upload artifact
if: ${{ always() }}
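Review bot: The admission-config directory is mounted read-write at both levels — `readOnly: false` on the `extraVolumes` entry that goes into the kube-apiserver static pod and `readOnly: false` on the node `extraMounts` entry — although the only consumer visible here, `admission-control-config-file: /shared/pss/cluster-level-pss.$CLUSTER.yaml`, just reads the file; in all three cluster configs (Mirror Setup, the sysctls override and Mirror Override) both lines should become `readOnly: true` unless something not shown in the hunks writes into `/shared/pss` from inside the node. The same `kubeadmConfigPatches` block is now repeated verbatim in those three steps, so a later change to the exemptions or the mount is easy to apply to only one of them; emitting the shared patch from a single snippet would keep them in sync. `enforce-version: "latest"` also means the enforced policy silently changes whenever the pinned `kindest/node:v1.29.2` image is bumped, so pinning it (for example `enforce-version: "v1.29"`, and likewise for `audit-version` and `warn-version`) makes the policy explicit and the CI result reproducible. The job definitions these steps belong to start and end outside the hunks shown.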
