kubespray

Commit Graph

Author	SHA1	Message	Date
Vaibhav Goel	a2f03c559a	Fixed the incorrect links in kubespray/docs (#10159 )	2023-05-30 19:35:47 -07:00
James	07d45e6b62	Kubelet csr approver (#9877 ) * chore(helm-apps): fix README example README shows a non-working example according to the specs for this role. * Add support for kubelet-csr-approver Co-Authored-By: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * Add tests for kubelet-csr-approver Co-Authored-By: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * Add Documentation for Kubelet CSR Approver Co-Authored-By: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Co-authored-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>	2023-05-10 17:49:09 -07:00
Kay Yan	c98e1d1b5b	add-kube-profile-to-scheduler (#9993 )	2023-04-17 18:54:58 -07:00
Arthur Outhenin-Chalandre	4a6eb7eaa2	enable back kubelet_authorization_mode_webhook by default (#9662 ) In `6db6c8678c`, this was disabled becaue kubesrpay gave too much permissions that were not needed. This commit re-enable back this option by default and also removes the extra permissions that kubespray gave that were in fact not needed. Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>	2023-01-16 23:56:32 -08:00
William Turner	eeb376460d	Fix inconsistent handling of admission plugin list (#9407 ) * Fix inconsistent handling of admission plugin list * Adjust hardening doc with the normalized admission plugin list * Add pre-check for admission plugins format change * Ignore checking admission plugins value when variable is not defined	2022-10-26 00:28:37 -07:00
Kenichi Omichi	63b27ea067	Fix YAML format in hardening.md (#9387 ) When trying to add a hardening CI job by copying configuration from hardening.md, yamllint CI job deleted invalid format. This fixes it for maintaining the CI job.	2022-10-12 23:49:01 -07:00
Cristian Calin	6db6c8678c	disable kubelet_authorization_mode_webhook by default (#9238 )	2022-08-31 04:53:00 -07:00
Alessio Greggi	acb6f243fd	feat: add kubelet systemd service hardening option (#9194 ) * feat: add kubelet systemd service hardening option * refactor: move variable name to kubelet_secure_addresses Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com> * docs: add diagram about kubelet_secure_addresses variable Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>	2022-08-30 11:18:55 -07:00
Tomas Zvala	30c77ea4c1	Add the option to enable default Pod Security Configuration (#9017 ) * Add the option to enable default Pod Security Configuration Enable Pod Security in all namespaces by default with the option to exempt some namespaces. Without the change only namespaces explicitly configured will receive the admission plugin treatment. * Fix the PR according to code review comments * Revert the latest changes - leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file - don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration	2022-08-18 01:16:36 -07:00
Alessio Greggi	3ce5458f32	hardening: Add `SeccompDefault` admission plugin for kubelet (#9074 ) * docs(hardening): add SeccompDefault admission plugin to kubelet feature gates * fix(kubelet-config): enable config through kubelet_feature_gates * feat(kubelet): add kubelet_seccomp_default variable	2022-07-19 00:50:07 -07:00
Alessio Greggi	97b4d79ed5	feat: make kubernetes owner parametrized (#8952 ) * feat: make kubernetes owner parametrized * docs: update hardening guide with configuration for CIS 1.1.19 * fix: set etcd data directory permissions to be compliant to CIS 1.1.12	2022-06-17 01:34:32 -07:00
Alessio Greggi	d22204a59f	docs: add hardening guide (#8868 )	2022-05-29 12:36:50 -07:00

12 Commits (f3332af3f2f26ecc46c9b88a538e70bf9225fb80)