rancher · furkatgofurov7 · Oct 24, 2024 · Oct 23, 2024
@@ -0,0 +1,89 @@
+# CIS and Pod Security Admission
+
+In order to set a custom Pod Security Admission policy when CIS profile is selected it's required to create a secret with the policy content and set an appropriate field on the `RKE2ControlPlane` object:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pod-security-admission-config
+data:
+  pod-security-admission-config.yaml: |
+    apiVersion: apiserver.config.k8s.io/v1
+    kind: AdmissionConfiguration
+    plugins:
+    - name: PodSecurity
+    configuration:
+        apiVersion: pod-security.admission.config.k8s.io/v1beta1
+        kind: PodSecurityConfiguration
+        defaults:
+        enforce: "restricted"
+        enforce-version: "latest"
+        audit: "restricted"
+        audit-version: "latest"
+        warn: "restricted"
+        warn-version: "latest"
+        exemptions:
+        usernames: []
+        runtimeClasses: []
+        namespaces: [kube-system, cis-operator-system, tigera-operator]
+```
+
+```yaml
+apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+kind: RKE2ControlPlane
+metadata:
+  ...
+spec:
+  ...
+  files:
+    - path: /path/to/pod-security-admission-config.yaml
+      contentFrom:
+        secret:
+          name: pod-security-admission-config
+          key: pod-security-admission-config.yaml
+  agentConfig:
+    profile: cis
+    podSecurityAdmissionConfigFile: /path/to/pod-security-admission-config.yaml
+    ...
+```
+
+## Example of PSA to allow Rancher components to run in the cluster:
+
+```yaml 
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+  - name: PodSecurity
+    configuration:
+      apiVersion: pod-security.admission.config.k8s.io/v1
+      kind: PodSecurityConfiguration
+      defaults:
+        enforce: "restricted"
+        enforce-version: "latest"
+        audit: "restricted"
+        audit-version: "latest"
+        warn: "restricted"
+        warn-version: "latest"
+      exemptions:
+        usernames: []
+        runtimeClasses: []
+        namespaces: [cattle-alerting,
+                     cattle-fleet-local-system,
+                     cattle-fleet-system,
+                     cattle-global-data,
+                     cattle-impersonation-system,
+                     cattle-monitoring-system,
+                     cattle-prometheus,
+                     cattle-resources-system,
+                     cattle-system,
+                     cattle-ui-plugin-system,
+                     cert-manager,
+                     cis-operator-system,
+                     fleet-default,
+                     ingress-nginx,
+                     kube-node-lease,
+                     kube-public,
+                     kube-system,
+                     rancher-alerting-drivers]
+```
@@ -6,6 +6,7 @@
 - [Topics](./02_topics/00.md)
     - [Air-gapped installation](./02_topics/01_air-gapped-installation.md)
     - [Node registration methods](./02_topics/02_node-registration-methods.md)
+    - [CIS and PSA](./02_topics/03_cis-psa.md)
 - [Developer Guide](./03_developer/00.md)
     - [Development](./03_developer/01_development.md)
     - [Releasing](./03_developer/02_releasing.md)