Merge pull request #221 from rancherfederal/jcox10-add-psa-config

Jcox10 add psa config

README.md

@@ -16,6 +16,17 @@ Build a Kubernetes cluster using RKE2 via Ansible
 |________________________________________________________|
 ```
 
+Unofficial Rancher Government Repository
+---------
+
+Support: Please note that the code provided in this repository is not supported under any official support subscriptions. While we strive to ensure the quality and functionality of our code, we provide it on an "as-is" basis and make no guarantees regarding its performance.
+
+Issues: We understand that issues may arise, and while we do not offer formal support, we will address reported issues on a "best effort" basis. We encourage users to report any problems or bugs they encounter, and we will do our best to address them in a timely manner.
+
+Contributions: Contributions to this repository are welcome! If you have improvements or fixes, please feel free to submit a pull request. We appreciate your efforts to improve the quality and effectiveness of this code.
+
+Thank you for your understanding and cooperation.
+
 Ansible RKE2 (RKE Government) Playbook
 ---------
 [![LINT](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ci.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ci.yml)

ansible_header.j2

@@ -0,0 +1,3 @@
+## This is an Ansible managed file, contents will be overwritten ##
+
+{{ file_contents }}

inventory/sample/group_vars/rke2_servers.yml

@@ -45,3 +45,9 @@ rke2_config: {}
 # See https://docs.rke2.io/helm/#automatically-deploying-manifests-and-helm-charts
 # Add manifest files by specifying the directory path on the control host
 # manifest_config_file_path: "{{ playbook_dir }}/sample_files/manifest/"
+
+# See https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates#exempting-required-rancher-namespaces
+# Available in RKE2 1.25+
+# Add a pod security admission config file by specifying the file path on the control host
+# Requires config.yaml to include `- admission-control-config-file=/etc/rancher/rke2/pod-security-admission-config.yaml` in order for this to be honored
+# pod_security_admission_config_file_path: "{{ playbook_dir }}/sample_files/pod-security-admission-config.yaml"

roles/rke2_common/defaults/main.yml

@@ -5,6 +5,7 @@ rke2_images_urls: []
 rke2_channel: stable
 audit_policy_config_file_path: ""
 registry_config_file_path: ""
+pod_security_admission_config_file_path: ""
 add_iptables_rules: false
 rke2_common_yum_repo:
   name: rancher-rke2-common

roles/rke2_common/tasks/images_tarball_install.yml

@@ -23,12 +23,12 @@
 
 - name: Download images tar files url
   ansible.builtin.get_url:
-    url: "{{item}}"
+    url: "{{ item }}"
     dest: "/var/lib/rancher/rke2/agent/images"
     mode: "0644"
   when:
     - rke2_images_urls != []
-  with_items: "{{rke2_images_urls}}"
+  with_items: "{{ rke2_images_urls }}"
 
 - name: Add images tar.gz to needed directory if provided
   ansible.builtin.copy:

roles/rke2_server/tasks/add-pod-security-admission-config.yml

@@ -0,0 +1,45 @@
+---
+- name: Create the /etc/rancher/rke2 config dir
+  ansible.builtin.file:
+    path: /etc/rancher/rke2
+    state: directory
+    recurse: yes
+
+- name: Add pod security admission config file
+  vars:
+    file_contents: "{{ lookup('file', pod_security_admission_config_file_path) }}"
+  ansible.builtin.template:
+    src: ansible_header.j2
+    dest: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+    mode: '0640'
+    owner: root
+    group: root
+  when:
+    - pod_security_admission_config_file_path is defined
+    - pod_security_admission_config_file_path|length != 0
+  notify: Restart rke2-server
+
+- name: Remove pod security admission config file
+  when:
+    - pod_security_admission_config_file_path is not defined or pod_security_admission_config_file_path|length == 0
+  block:
+    - name: Check that the PSA config file exists
+      ansible.builtin.stat:
+        path: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+      register: stat_result
+
+    - name: "Check that the PSA config file has ansible managed comments"
+      ansible.builtin.lineinfile:
+        name: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+        line: '## This is an Ansible managed file, contents will be overwritten ##'
+        state: present
+      check_mode: yes
+      register: ansible_managed_check
+      when: stat_result.stat.exists | bool is true
+
+    - name: Remove the PSA config file if exists and has ansible managed comments
+      ansible.builtin.file:
+        path: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+        state: absent
+      when:
+        - ansible_managed_check.changed | bool is false

roles/rke2_server/tasks/main.yml

@@ -7,6 +7,9 @@
     name: rke2_common
     tasks_from: main
 
+- name: Include task file add-pod-security-admission-config.yml
+  ansible.builtin.include_tasks: add-pod-security-admission-config.yml
+
 - name: Setup initial server
   ansible.builtin.include_tasks: first_server.yml
   when: inventory_hostname in groups['rke2_servers'][0]

sample_files/pod-security-admission-config.yaml

@@ -0,0 +1,62 @@
+# This sample list was generated from:
+# https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates#exempting-required-rancher-namespaces
+# For security reasons, this list should be as concise as possible
+# only include active namespaces that need to be except from a restricted profile.
+
+---
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+  - name: PodSecurity
+    configuration:
+      apiVersion: pod-security.admission.config.k8s.io/v1
+      kind: PodSecurityConfiguration
+      defaults:
+        enforce: "restricted"
+        enforce-version: "latest"
+        audit: "restricted"
+        audit-version: "latest"
+        warn: "restricted"
+        warn-version: "latest"
+      exemptions:
+        usernames: []
+        runtimeClasses: []
+        namespaces: [calico-apiserver,
+                     calico-system,
+                     cattle-alerting,
+                     cattle-csp-adapter-system,
+                     cattle-elemental-system,
+                     cattle-epinio-system,
+                     cattle-externalip-system,
+                     cattle-fleet-local-system,
+                     cattle-fleet-system,
+                     cattle-gatekeeper-system,
+                     cattle-global-data,
+                     cattle-global-nt,
+                     cattle-impersonation-system,
+                     cattle-istio,
+                     cattle-istio-system,
+                     cattle-logging,
+                     cattle-logging-system,
+                     cattle-monitoring-system,
+                     cattle-neuvector-system,
+                     cattle-prometheus,
+                     cattle-provisioning-capi-system,
+                     cattle-resources-system,
+                     cattle-sriov-system,
+                     cattle-system,
+                     cattle-ui-plugin-system,
+                     cattle-windows-gmsa-system,
+                     cert-manager,
+                     cis-operator-system,
+                     fleet-default,
+                     ingress-nginx,
+                     istio-system,
+                     kube-node-lease,
+                     kube-public,
+                     kube-system,
+                     longhorn-system,
+                     local-path-storage,
+                     rancher-alerting-drivers,
+                     security-scan,
+                     tigera-operator]