[hotfix] add hardening prod k8s (!8)

Co-authored-by: denis.patrakeev <denis.patrakeev@avroid.tech> Reviewed-on: https://git.avroid.tech/K8s/k8s-deploy/pulls/8
2025-01-24 18:40:40 +03:00
parent b5078e3261
commit c624512d29
2 changed files with 11 additions and 1 deletions
--- a/env/avroid_prod/k8s-avroid-office.prod.local/README.md
+++ b/env/avroid_prod/k8s-avroid-office.prod.local/README.md
@@ -98,7 +98,7 @@ export VENVDIR=kubespray-venv
 export KUBESPRAYDIR=kubespray
 source $VENVDIR/bin/activate
 cd $KUBESPRAYDIR
-ansible-playbook cluster.yml -i ../inventory/inventory.ini -bkK -v
+ansible-playbook cluster.yml -i ../inventory/inventory.ini -e "@../inventory/hardening.yaml" -bK -v
 ```

 ### 5. Копируем конфиг для подключения к кластеру через kubectl
--- a/env/avroid_prod/k8s-avroid-office.prod.local/inventory/hardening.yaml
+++ b/env/avroid_prod/k8s-avroid-office.prod.local/inventory/hardening.yaml
@@ -0,0 +1,10 @@
+---
+# https://github.com/kubernetes-sigs/kubespray/blob/master/docs/operations/hardening.md
+# list of admission plugins that needs to be configured
+# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
+kube_apiserver_enable_admission_plugins:
+  - ServiceAccount
+  - NodeRestriction
+  - ResourceQuota
+  - PodNodeSelector
+kube_apiserver_admission_control_config_file: true