External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-05-07 01:17:39 -02:30
Code Issues Packages Projects Releases Wiki Activity

psp, roles and rbs for PodSecurityPolicy when podsecuritypolicy_enabled is true

Browse Source
This commit is contained in:
Erwan Miran
2018-08-22 18:16:13 +02:00
parent 4eea7f7eb9
commit 80cfeea957
48 changed files with 851 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
roles/kubernetes/master/defaults/main.yml
View File

@@ -32,7 +32,7 @@ audit_log_path: /var/log/audit/kube-apiserver-audit.log
audit_log_maxage: 30
# the num of audit logs to retain
audit_log_maxbackups: 1
# the max size in MB to retain
# the max size in MB to retain
audit_log_maxsize: 100
# policy file
audit_policy_file: "{{ kube_config_dir }}/audit-policy/apiserver-audit-policy.yaml"

6
roles/kubernetes/master/tasks/main.yml
View File

@@ -52,6 +52,12 @@
- kubectl
- upgrade
- name: Disable SecurityContextDeny admission-controller and enable PodSecurityPolicy
set_fact:
kube_apiserver_admission_control: "{{ kube_apiserver_admission_control | default([]) | difference(['SecurityContextDeny']) | union(['PodSecurityPolicy']) | unique }}"
kube_apiserver_enable_admission_plugins: "{{ kube_apiserver_enable_admission_plugins | difference(['SecurityContextDeny']) | union(['PodSecurityPolicy']) | unique }}"
when: podsecuritypolicy_enabled
- name: Include kubeadm setup if enabled
import_tasks: kubeadm-setup.yml
when: kubeadm_enabled|bool|default(false)