CAPD: add PodSecurityStandard to quickstart topology for security by …

…default Signed-off-by: Christian Schlotter <[email protected]>
kubernetes-sigs · Apr 7, 2022 · 7c704c5 · 7c704c5
1 parent ac24a5b
commit 7c704c5
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/test/infrastructure/docker/templates/clusterclass-quick-start.yaml b/test/infrastructure/docker/templates/clusterclass-quick-start.yaml
@@ -149,6 +149,14 @@ spec:
             extraArgs: { enable-hostpath-provisioner: 'true' }
           apiServer:
             certSANs: [localhost, 127.0.0.1, 0.0.0.0]
+            extraArgs:
+              admission-control-config-file: /etc/kubernetes/kube-apiserver-admission-pss.yaml
+            extraVolumes:
+              - name: admission-pss
+                hostPath: /etc/kubernetes/kube-apiserver-admission-pss.yaml
+                mountPath: /etc/kubernetes/kube-apiserver-admission-pss.yaml
+                readOnly: true
+                pathType: "File"
         initConfiguration:
           nodeRegistration:
             criSocket: unix:///var/run/containerd/containerd.sock
@@ -165,6 +173,27 @@ spec:
               # kind will implement systemd support in: https://github.com/kubernetes-sigs/kind/issues/1726
               cgroup-driver: cgroupfs
               eviction-hard: 'nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0%'
+        files:
+          - content: |
+              apiVersion: apiserver.config.k8s.io/v1
+              kind: AdmissionConfiguration
+              plugins:
+              - name: PodSecurity
+                configuration:
+                  apiVersion: pod-security.admission.config.k8s.io/v1beta1
+                  kind: PodSecurityConfiguration
+                  defaults:
+                    enforce: "baseline"
+                    enforce-version: "latest"
+                    audit: "restricted"
+                    audit-version: "latest"
+                    warn: "restricted"
+                    warn-version: "latest"
+                  exemptions:
+                    usernames: []
+                    runtimeClasses: []
+                    namespaces: [kube-system]
+            path: /etc/kubernetes/kube-apiserver-admission-pss.yaml
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
 kind: DockerMachineTemplate