From 694adbfc627b47616cf1482ee2571b469a2def66 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Ollivier?=
Date: Fri, 10 May 2024 14:11:09 +0200
Subject: [PATCH] Enforce Pod Security Standard restricted
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
https://kubernetes.io/docs/tutorials/security/cluster-level-pss/
close: #1887
Signed-off-by: Cédric Ollivier
---
.github/workflows/actions.yml | 93 +++++++++++++++++++++++++++++++++--
1 file changed, 89 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/actions.yml b/.github/workflows/actions.yml
index bd152ce3a..fe457955c 100644
--- a/.github/workflows/actions.yml
+++ b/.github/workflows/actions.yml
@@ -70,14 +70,60 @@ jobs:
 uses: actions/checkout@v3
 with:
 fetch-depth: 0
+ - name: Configuration file that can be consumed by the Pod Security Admission Controller
+ run: |
+ export CLUSTER=$(uuidgen)
+ echo "export CLUSTER=$CLUSTER"
+ echo "export CLUSTER=$CLUSTER" > cluster.env
+ mkdir -p /shared/pss
+ cat < /shared/pss/cluster-level-pss.$CLUSTER.yaml
+ apiVersion: apiserver.config.k8s.io/v1
+ kind: AdmissionConfiguration
+ plugins:
+ - name: PodSecurity
+ configuration:
+ apiVersion: pod-security.admission.config.k8s.io/v1
+ kind: PodSecurityConfiguration
+ defaults:
+ enforce: "restricted"
+ enforce-version: "latest"
+ audit: "restricted"
+ audit-version: "latest"
+ warn: "restricted"
+ warn-version: "latest"
+ exemptions:
+ usernames: []
+ runtimeClasses: []
+ namespaces:
+ - kube-system
+ - local-path-storage
+ EOF
 - name: Mirror Setup
 run: |
+ source cluster.env
 cat << EOF > /tmp/cluster.yml
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
 - role: control-plane
- image: kindest/node:v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245
+ kubeadmConfigPatches:
+ - |
+ kind: ClusterConfiguration
+ apiServer:
+ extraArgs:
+ admission-control-config-file: /shared/pss/cluster-level-pss.$CLUSTER.yaml
+ extraVolumes:
+ - name: accf
+ hostPath: /shared/pss
+ mountPath: /shared/pss
+ readOnly: false
+ pathType: "DirectoryOrCreate"
+ extraMounts:
+ - hostPath: /shared/pss
+ containerPath: /shared/pss
+ readOnly: false
+ selinuxRelabel: false
+ propagation: None
 containerdConfigPatches:
 - |-
 [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
@@ -90,6 +136,7 @@ jobs:
 - name: sysctls specs kind config override
 if: matrix.spec == 'sysctls'
 run: |
+ source cluster.env
 cat << EOF > /tmp/cluster.yml
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
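Review bot: The admission-control config mount is declared `readOnly: false` on both the apiserver `extraVolumes` entry (`name: accf`) and the kind `extraMounts` entry, although the apiserver only reads `/shared/pss/cluster-level-pss.$CLUSTER.yaml`; `readOnly: true` on both is the least-privilege setting and prevents the control-plane container from rewriting its own admission policy, and the same patch is repeated verbatim in the sysctls override and Mirror Override hunks. Separately, the digest-pinned `image: kindest/node:v1.29.2@sha256:…` line is removed here and in the sysctls hunk without a replacement, so the node image now floats to whatever the installed kind binary defaults to; unless that is intended, keeping the pinned `image:` line preserves reproducible, attributable builds. As rendered here the first heredoc reads `cat < /shared/pss/…` with a matching `EOF` terminator below it, which looks like `cat <<EOF >` lost in rendering rather than a real bug, but it is worth confirming against the file. The three identical `ClusterConfiguration` patches could also be written once to a file and referenced from each step, which would keep the PSS wiring in one place when it changes.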
@@ -97,20 +144,55 @@ jobs:
 # Enabled additional unsafe sysctls to support the negative spec test for sysctls
 nodes:
 - role: control-plane
- image: kindest/node:v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245
 kubeadmConfigPatches:
 - |
 kind: KubeletConfiguration
 allowedUnsafeSysctls: ["kernel.msg*"]
+ - |
+ kind: ClusterConfiguration
+ apiServer:
+ extraArgs:
+ admission-control-config-file: /shared/pss/cluster-level-pss.$CLUSTER.yaml
+ extraVolumes:
+ - name: accf
+ hostPath: /shared/pss
+ mountPath: /shared/pss
+ readOnly: false
+ pathType: "DirectoryOrCreate"
+ extraMounts:
+ - hostPath: /shared/pss
+ containerPath: /shared/pss
+ readOnly: false
+ selinuxRelabel: false
+ propagation: None
 EOF
 - name: Mirror Override
 if: matrix.spec == 'private_registry_image'
 run: |
+ source cluster.env
 cat << EOF > /tmp/cluster.yml
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
 - role: control-plane
+ kubeadmConfigPatches:
+ - |
+ kind: ClusterConfiguration
+ apiServer:
+ extraArgs:
+ admission-control-config-file: /shared/pss/cluster-level-pss.$CLUSTER.yaml
+ extraVolumes:
+ - name: accf
+ hostPath: /shared/pss
+ mountPath: /shared/pss
+ readOnly: false
+ pathType: "DirectoryOrCreate"
+ extraMounts:
+ - hostPath: /shared/pss
+ containerPath: /shared/pss
+ readOnly: false
+ selinuxRelabel: false
+ propagation: None
 containerdConfigPatches:
 - |-
 [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry:5000"]
@@ -132,8 +214,7 @@ jobs:
 - name: Create Kind Cluster
 run: |
 cat /tmp/cluster.yml
- export CLUSTER=$(uuidgen)
- echo "export CLUSTER=$CLUSTER" > cluster.env
+ source cluster.env
 echo kind create cluster --name $CLUSTER --config=/tmp/cluster.yml --kubeconfig ./$CLUSTER.conf --retain
 kind --version
 kind create cluster --name $CLUSTER --config=/tmp/cluster.yml --kubeconfig ./$CLUSTER.conf --retain
@@ -213,6 +294,7 @@ jobs:
 kind delete cluster --name $CLUSTER
 docker container prune -f || true
 docker volume prune -f || true
+ rm -f /shared/pss/cluster-level-pss.$CLUSTER.yaml /tmp/cluster.yml
 continue-on-error: true
 - name: upload artifact
 if: ${{ always() }}
@@ -434,6 +516,7 @@ jobs:
 docker container prune -f || true
 docker volume prune -f || true
 docker network prune -f || true
+ rm -f /tmp/cluster.yml
 continue-on-error: true
 - name: upload artifact
 if: ${{ always() }}
@@ -516,6 +599,7 @@ jobs:
 docker container prune -f || true
 docker volume prune -f || true
 docker network prune -f || true
+ rm -f /tmp/cluster.yml
 continue-on-error: true
 - name: upload artifact
 if: ${{ always() }}
@@ -598,6 +682,7 @@ jobs:
 docker container prune -f || true
 docker volume prune -f || true
 docker network prune -f || true
+ rm -f /tmp/cluster.yml
 continue-on-error: true
 - name: upload artifact
 if: ${{ always() }}