From 18218d1d115882ac4c64f8b87b0d5b72526cf313 Mon Sep 17 00:00:00 2001
From: Alexandr Demicev
Date: Wed, 23 Oct 2024 16:01:25 +0200
Subject: [PATCH] Add a CIS and PSA configuration docs
Signed-off-by: Alexandr Demicev
---
docs/book/src/02_topics/03_cis-psa.md | 89 +++++++++++++++++++++++++++
docs/book/src/SUMMARY.md | 1 +
2 files changed, 90 insertions(+)
create mode 100644 docs/book/src/02_topics/03_cis-psa.md
diff --git a/docs/book/src/02_topics/03_cis-psa.md b/docs/book/src/02_topics/03_cis-psa.md
new file mode 100644
index 00000000..2aee9013
--- /dev/null
+++ b/docs/book/src/02_topics/03_cis-psa.md
@@ -0,0 +1,89 @@
+# CIS and Pod Security Admission
+
+In order to set a custom Pod Security Admission policy when CIS profile is selected it's required to create a secret with the policy content and set an appropriate field on the `RKE2ControlPlane` object:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: pod-security-admission-config
+data:
+ pod-security-admission-config.yaml: |
+ apiVersion: apiserver.config.k8s.io/v1
+ kind: AdmissionConfiguration
+ plugins:
+ - name: PodSecurity
+ configuration:
+ apiVersion: pod-security.admission.config.k8s.io/v1beta1
+ kind: PodSecurityConfiguration
+ defaults:
+ enforce: "restricted"
+ enforce-version: "latest"
+ audit: "restricted"
+ audit-version: "latest"
+ warn: "restricted"
+ warn-version: "latest"
+ exemptions:
+ usernames: []
+ runtimeClasses: []
+ namespaces: [kube-system, cis-operator-system, tigera-operator]
+```
+
+```yaml
+apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+kind: RKE2ControlPlane
+metadata:
+ ...
+spec:
+ ...
+ files:
+ - path: /path/to/pod-security-admission-config.yaml
+ contentFrom:
+ secret:
+ name: pod-security-admission-config
+ key: pod-security-admission-config.yaml
+ agentConfig:
+ profile: cis
+ podSecurityAdmissionConfigFile: /path/to/pod-security-admission-config.yaml
+ ...
+```
+
+## Example of PSA to allow Rancher components to run in the cluster:
+
+```yaml
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+ - name: PodSecurity
+ configuration:
+ apiVersion: pod-security.admission.config.k8s.io/v1
+ kind: PodSecurityConfiguration
+ defaults:
+ enforce: "restricted"
+ enforce-version: "latest"
+ audit: "restricted"
+ audit-version: "latest"
+ warn: "restricted"
+ warn-version: "latest"
+ exemptions:
+ usernames: []
+ runtimeClasses: []
+ namespaces: [cattle-alerting,
+ cattle-fleet-local-system,
+ cattle-fleet-system,
+ cattle-global-data,
+ cattle-impersonation-system,
+ cattle-monitoring-system,
+ cattle-prometheus,
+ cattle-resources-system,
+ cattle-system,
+ cattle-ui-plugin-system,
+ cert-manager,
+ cis-operator-system,
+ fleet-default,
+ ingress-nginx,
+ kube-node-lease,
+ kube-public,
+ kube-system,
+ rancher-alerting-drivers]
+```
\ No newline at end of file
diff --git a/docs/book/src/SUMMARY.md b/docs/book/src/SUMMARY.md
index 37ff51a3..047a765f
--- a/docs/book/src/SUMMARY.md
+++ b/docs/book/src/SUMMARY.md
@@ -6,6 +6,7 @@ - [Topics](./02_topics/00.md) - [Air-gapped installation](./02_topics/01_air-gapped-installation.md) - [Node registration methods](./02_topics/02_node-registration-methods.md) + - [CIS and PSA](./02_topics/03_cis-psa.md) - [Developer Guide](./03_developer/00.md) - [Development](./03_developer/01_development.md) - [Releasing](./03_developer/02_releasing.md)