diff --git a/test/infrastructure/docker/templates/clusterclass-quick-start.yaml b/test/infrastructure/docker/templates/clusterclass-quick-start.yaml
index cfc71f3baf5a..5a8f9b54a2d6 100644
--- a/test/infrastructure/docker/templates/clusterclass-quick-start.yaml
+++ b/test/infrastructure/docker/templates/clusterclass-quick-start.yaml
@@ -149,6 +149,14 @@ spec:
 extraArgs: { enable-hostpath-provisioner: 'true' }
 apiServer:
 certSANs: [localhost, 127.0.0.1, 0.0.0.0]
+ extraArgs:
+ admission-control-config-file: /etc/kubernetes/kube-apiserver-admission-pss.yaml
+ extraVolumes:
+ - name: admission-pss
+ hostPath: /etc/kubernetes/kube-apiserver-admission-pss.yaml
+ mountPath: /etc/kubernetes/kube-apiserver-admission-pss.yaml
+ readOnly: true
+ pathType: "File"
 initConfiguration:
 nodeRegistration:
 criSocket: unix:///var/run/containerd/containerd.sock
@@ -165,6 +173,27 @@ spec:
 # kind will implement systemd support in: https://github.com/kubernetes-sigs/kind/issues/1726
 cgroup-driver: cgroupfs
 eviction-hard: 'nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0%'
+ files:
+ - content: |
+ apiVersion: apiserver.config.k8s.io/v1
+ kind: AdmissionConfiguration
+ plugins:
+ - name: PodSecurity
+ configuration:
+ apiVersion: pod-security.admission.config.k8s.io/v1beta1
+ kind: PodSecurityConfiguration
+ defaults:
+ enforce: "baseline"
+ enforce-version: "latest"
+ audit: "restricted"
+ audit-version: "latest"
+ warn: "restricted"
+ warn-version: "latest"
+ exemptions:
+ usernames: []
+ runtimeClasses: []
+ namespaces: [kube-system]
+ path: /etc/kubernetes/kube-apiserver-admission-pss.yaml
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
 kind: DockerMachineTemplate
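Review bot: The new apiServer extraVolumes entry mounts /etc/kubernetes/kube-apiserver-admission-pss.yaml from the host without saying where that file comes from; a reader of this stanza has to find the KubeadmConfigSpec `files` entry further down the same template to learn it is written there before kubeadm init runs. A comment above the added `extraArgs:` such as `# PodSecurity admission config; the file is written onto the node by the files: entry below and mounted read-only into kube-apiserver` would make the coupling explicit, since the three path literals must stay identical for the apiserver to start. `pathType: "File"` is the only quoted scalar in the new block while hostPath, mountPath and the extraArgs value are plain; quote consistently or drop the quotes. The enclosing spec mapping starts before the hunk.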
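Review bot: The embedded PodSecurityConfiguration pins `apiVersion: pod-security.admission.config.k8s.io/v1beta1`, which silently adds a minimum (and, once the beta version is dropped, a maximum) Kubernetes version to a quick-start template that is otherwise version-agnostic; an apiserver that does not serve that config version would most likely fail to start rather than degrade, so the supported range deserves a comment above `files:` in the template. Note also that `exemptions.namespaces: [kube-system]` exempts that namespace from all three modes, so the `audit: "restricted"` and `warn: "restricted"` settings produce no audit annotations or warnings for control-plane and CNI pods; if that is intended, a one-line comment saying so would stop a future reader from tightening it by accident. The file entry sets neither `owner` nor `permissions`, so whatever the bootstrap provider's defaults are apply to an admission config the apiserver then mounts read-only, which is acceptable but worth stating. The enclosing KubeadmConfigSpec starts before the hunk.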