From c624512d2942a0bc79ddaa930651961cd3bda032 Mon Sep 17 00:00:00 2001
From: Denis Patrakeev
Date: Fri, 24 Jan 2025 18:40:40 +0300
Subject: [PATCH] [hotfix] add hardening prod k8s (!8)
Co-authored-by: denis.patrakeev
Reviewed-on: https://git.avroid.tech/K8s/k8s-deploy/pulls/8
---
 env/avroid_prod/k8s-avroid-office.prod.local/README.md | 2 +-
 .../inventory/hardening.yaml | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 env/avroid_prod/k8s-avroid-office.prod.local/inventory/hardening.yaml
diff --git a/env/avroid_prod/k8s-avroid-office.prod.local/README.md b/env/avroid_prod/k8s-avroid-office.prod.local/README.md
index 93d4862..7774cc0 100644
--- a/env/avroid_prod/k8s-avroid-office.prod.local/README.md
+++ b/env/avroid_prod/k8s-avroid-office.prod.local/README.md
@@ -98,7 +98,7 @@ export VENVDIR=kubespray-venv
 export KUBESPRAYDIR=kubespray
 source $VENVDIR/bin/activate
 cd $KUBESPRAYDIR
-ansible-playbook cluster.yml -i ../inventory/inventory.ini -bkK -v
+ansible-playbook cluster.yml -i ../inventory/inventory.ini -e "@../inventory/hardening.yaml" -bK -v
 ```
 
 ### 5. Копируем конфиг для подключения к кластеру через kubectl
diff --git a/env/avroid_prod/k8s-avroid-office.prod.local/inventory/hardening.yaml b/env/avroid_prod/k8s-avroid-office.prod.local/inventory/hardening.yaml
new file mode 100644
index 0000000..ec53cb5
--- /dev/null
+++ b/env/avroid_prod/k8s-avroid-office.prod.local/inventory/hardening.yaml
@@ -0,0 +1,10 @@
+---
+# https://github.com/kubernetes-sigs/kubespray/blob/master/docs/operations/hardening.md
+# list of admission plugins that needs to be configured
+# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
+kube_apiserver_enable_admission_plugins:
+ - ServiceAccount
+ - NodeRestriction
+ - ResourceQuota
+ - PodNodeSelector
+kube_apiserver_admission_control_config_file: true
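Review bot: `kube_apiserver_admission_control_config_file: true` on the last line of hardening.yaml turns on kubespray's generated admission configuration file, but none of the four plugins listed above it consume that file — in kubespray it carries the EventRateLimit and PodSecurity sections, as far as I can tell — so the flag is most likely inert here; either add `EventRateLimit` and `PodSecurity` (with the matching `kube_apiserver_admission_event_rate_limits` / `kube_pod_security_*` settings) or drop the flag. ServiceAccount, NodeRestriction and ResourceQuota are already in the default admission set of current Kubernetes releases, so the effective hardening delta of this list is PodNodeSelector alone, and NodeRestriction only constrains kubelets when the Node authorizer is part of `authorization_mode` (kubespray's default includes it, but that inventory is not shown in this patch). Since the header comment points at the kubespray hardening guide, which also recommends AlwaysPullImages, audit logging and secrets encryption at rest, state which items were skipped on purpose, e.g. `# Subset of the hardening guide: EventRateLimit/PodSecurity/AlwaysPullImages omitted because …`, so the next reader does not mistake this for the full profile.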