From 9c3d614ffd2ad2d061f918f51a5a2a126d6d2b6a Mon Sep 17 00:00:00 2001 From: Josep Manel Andres Moscardo Date: Mon, 9 Oct 2023 13:28:08 +0200 Subject: [PATCH 1/2] new podnodeselector plugin configuration --- docs/hardening.md | 5 +++++ roles/kubernetes/control-plane/defaults/main/main.yml | 2 ++ roles/kubernetes/control-plane/tasks/kubeadm-setup.yml | 9 +++++++++ .../control-plane/templates/podnodeselector.yaml.j2 | 2 ++ 4 files changed, 18 insertions(+) create mode 100644 roles/kubernetes/control-plane/templates/podnodeselector.yaml.j2 diff --git a/docs/hardening.md b/docs/hardening.md index b485c036cc6..77a010047ae 100644 --- a/docs/hardening.md +++ b/docs/hardening.md @@ -54,6 +54,11 @@ kube_apiserver_enable_admission_plugins: - PodNodeSelector - PodSecurity kube_apiserver_admission_control_config_file: true +# Creates config file for PodNodeSelector +# kube_apiserver_admission_plugins_needs_configuration: [PodNodeSelector] +# Define the default node selector, by default all the workloads will be scheduled on nodes +# with label network=srv1 +# kube_apiserver_admission_plugins_podnodeselector_default_node_selector: "network=srv1" # EventRateLimit plugin configuration kube_apiserver_admission_event_rate_limits: limit_1: diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml index 2a9eda14a51..307387b6630 100644 --- a/roles/kubernetes/control-plane/defaults/main/main.yml +++ b/roles/kubernetes/control-plane/defaults/main/main.yml @@ -138,6 +138,8 @@ kube_webhook_token_auth_url_skip_tls_verify: false kube_webhook_authorization: false kube_webhook_authorization_url_skip_tls_verify: false +# Default podnodeselector +kube_apiserver_admission_plugins_podnodeselector_default_node_selector: "" ## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/ ## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...) 
diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml index fade43c2632..48f49216b19 100644 --- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml +++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml @@ -107,6 +107,15 @@ - kube_apiserver_admission_control_config_file - item in kube_apiserver_admission_plugins_needs_configuration loop: "{{ kube_apiserver_enable_admission_plugins }}" + +- name: Kubeadm | Configure default cluster podnodeslector + template: + src: "podnodeselector.yaml.j2" + dest: "{{ kube_config_dir }}/admission-controls/podnodeselector.yaml" + mode: 0640 + when: + - kube_apiserver_admission_plugins_podnodeselector_default_node_selector is defined + - kube_apiserver_admission_plugins_podnodeselector_default_node_selector | length > 0 - name: Kubeadm | Check apiserver.crt SANs vars: diff --git a/roles/kubernetes/control-plane/templates/podnodeselector.yaml.j2 b/roles/kubernetes/control-plane/templates/podnodeselector.yaml.j2 new file mode 100644 index 00000000000..0a8dd8a69a1 --- /dev/null +++ b/roles/kubernetes/control-plane/templates/podnodeselector.yaml.j2 @@ -0,0 +1,2 @@ +podNodeSelectorPluginConfig: + clusterDefaultNodeSelector: {{ kube_apiserver_admission_plugins_podnodeselector_default_node_selector }} \ No newline at end of file From 8247e23125873f49d1a2c9ede83000e89e5da9ef Mon Sep 17 00:00:00 2001 From: Josep Manel Andres Moscardo Date: Mon, 9 Oct 2023 13:34:09 +0200 Subject: [PATCH 2/2] fixing spaces --- roles/kubernetes/control-plane/tasks/kubeadm-setup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml index 48f49216b19..abebd82d3c4 100644 --- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml +++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml 
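Review bot: The new task's `when` ties the existence of `admission-controls/podnodeselector.yaml` to a non-empty selector, while the docs hunk tells operators to make kube-apiserver reference that file by adding `PodNodeSelector` to `kube_apiserver_admission_plugins_needs_configuration`; if the list names the plugin but the selector is left at its `""` default, the apiserver is presumably pointed at a file this task never wrote and will fail to start (the template that builds the AdmissionConfiguration is outside this hunk, so please confirm). Consider keying the task on the same variable as the loop above it, e.g. `- "'PodNodeSelector' in kube_apiserver_admission_plugins_needs_configuration"`, and rendering an empty `podNodeSelectorPluginConfig` when no default is set, rather than silently skipping; also check that the generic loop above does not already render a file for the same plugin at the same path. Two smaller points: with the default now set to `""` in main.yml, `is defined` is redundant and only the `length > 0` check carries meaning, and the task name has a typo, `Kubeadm | Configure default cluster podnodeselector`. Per ansible-lint, write the octal mode as a string, `mode: "0640"`, to avoid the YAML 1.1 octal/decimal ambiguity.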
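Review bot: `clusterDefaultNodeSelector` interpolates an operator-supplied string unquoted into a YAML scalar, so a value containing `: ` or ` #`, or one starting with a YAML indicator, renders a file kube-apiserver rejects or misparses at startup. Quote the rendered value, `clusterDefaultNodeSelector: "{{ kube_apiserver_admission_plugins_podnodeselector_default_node_selector }}"`, or use `{{ ... | to_json }}` so escaping is handled for you. The template also lacks a trailing newline, and a header comment stating the expected format (a label selector such as `key=value,key2=value2`) and that a namespace annotation can still override the cluster default would help whoever sets this variable.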
@@ -107,7 +107,7 @@ - kube_apiserver_admission_control_config_file - item in kube_apiserver_admission_plugins_needs_configuration loop: "{{ kube_apiserver_enable_admission_plugins }}" - + - name: Kubeadm | Configure default cluster podnodeslector template: src: "podnodeselector.yaml.j2"