diff --git a/README.md b/README.md index 20d0f805..a6dc3363 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,17 @@ Build a Kubernetes cluster using RKE2 via Ansible |________________________________________________________| ``` +Unofficial Rancher Government Repository +--------- + +Support: Please note that the code provided in this repository is not supported under any official support subscriptions. While we strive to ensure the quality and functionality of our code, we provide it on an "as-is" basis and make no guarantees regarding its performance. + +Issues: We understand that issues may arise, and while we do not offer formal support, we will address reported issues on a "best effort" basis. We encourage users to report any problems or bugs they encounter, and we will do our best to address them in a timely manner. + +Contributions: Contributions to this repository are welcome! If you have improvements or fixes, please feel free to submit a pull request. We appreciate your efforts to improve the quality and effectiveness of this code. + +Thank you for your understanding and cooperation. + Ansible RKE2 (RKE Government) Playbook --------- [![LINT](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ci.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ci.yml) diff --git a/ansible_header.j2 b/ansible_header.j2 new file mode 100644 index 00000000..0377d97b --- /dev/null +++ b/ansible_header.j2 @@ -0,0 +1,3 @@ +## This is an Ansible managed file, contents will be overwritten ## + +{{ file_contents }} diff --git a/inventory/sample/group_vars/rke2_servers.yml b/inventory/sample/group_vars/rke2_servers.yml index 08c9bb32..d451b625 100644 --- a/inventory/sample/group_vars/rke2_servers.yml +++ b/inventory/sample/group_vars/rke2_servers.yml 
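Review bot: The first line of ansible_header.j2 is not just a banner — the removal block in roles/rke2_server/tasks/add-pod-security-admission-config.yml searches for exactly `## This is an Ansible managed file, contents will be overwritten ##` with lineinfile and only deletes files that carry it, so any edit to this line silently turns managed files into orphans. I would record that coupling in the template itself with a Jinja comment such as `{# Keep this header byte-identical to the lineinfile sentinel in roles/rke2_server/tasks/add-pod-security-admission-config.yml #}` (a `{# #}` comment renders to nothing, and the sentinel check does not depend on the header being line one, so a stray blank line from trim_blocks handling is harmless — confirm on the rendered output). The README hunk on this line is documentation only.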
@@ -45,3 +45,9 @@ rke2_config: {} # See https://docs.rke2.io/helm/#automatically-deploying-manifests-and-helm-charts # Add manifest files by specifying the directory path on the control host # manifest_config_file_path: "{{ playbook_dir }}/sample_files/manifest/" + +# See https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates#exempting-required-rancher-namespaces +# Available in RKE2 1.25+ +# Add a pod security admission config file by specifying the file path on the control host +# Requires config.yaml to include `- admission-control-config-file=/etc/rancher/rke2/pod-security-admission-config.yaml` in order for this to be honored +# pod_security_admission_config_file_path: "{{ playbook_dir }}/sample_files/pod-security-admission-config.yaml" diff --git a/roles/rke2_common/defaults/main.yml b/roles/rke2_common/defaults/main.yml index 72569a28..9c7caf2c 100644 --- a/roles/rke2_common/defaults/main.yml +++ b/roles/rke2_common/defaults/main.yml @@ -5,6 +5,7 @@ rke2_images_urls: [] rke2_channel: stable audit_policy_config_file_path: "" registry_config_file_path: "" +pod_security_admission_config_file_path: "" add_iptables_rules: false rke2_common_yum_repo: name: rancher-rke2-common diff --git a/roles/rke2_common/tasks/images_tarball_install.yml b/roles/rke2_common/tasks/images_tarball_install.yml index f16ea251..191c97fe 100644 --- a/roles/rke2_common/tasks/images_tarball_install.yml +++ b/roles/rke2_common/tasks/images_tarball_install.yml @@ -23,12 +23,12 @@ - name: Download images tar files url ansible.builtin.get_url: - url: "{{item}}" + url: "{{ item }}" dest: "/var/lib/rancher/rke2/agent/images" mode: "0644" when: - rke2_images_urls != [] - with_items: "{{rke2_images_urls}}" + with_items: "{{ rke2_images_urls }}" - name: Add images tar.gz to needed directory if provided ansible.builtin.copy: 
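Review bot: The new `# Requires config.yaml to include ...` comment names the flag but not the key it must sit under, so a reader may drop `- admission-control-config-file=...` at the top level of config.yaml, where it is not a recognised RKE2 option and the PSA file is silently ignored. The flag is a kube-apiserver argument, so per the RKE2 docs it presumably belongs in the `kube-apiserver-arg` list inside the `rke2_config` mapping visible in this hunk's context — confirm against the linked docs. I would make the comment self-contained: `# Requires rke2_config (config.yaml) to pass the file to the apiserver, e.g. kube-apiserver-arg: ["admission-control-config-file=/etc/rancher/rke2/pod-security-admission-config.yaml"]`. It is also worth saying that the task that writes the file does not check this, so a missing flag fails quietly rather than loudly.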
diff --git a/roles/rke2_server/tasks/add-pod-security-admission-config.yml b/roles/rke2_server/tasks/add-pod-security-admission-config.yml
new file mode 100644
index 00000000..4b7a1937
--- /dev/null
+++ b/roles/rke2_server/tasks/add-pod-security-admission-config.yml
@@ -0,0 +1,45 @@
+---
+- name: Create the /etc/rancher/rke2 config dir
+  ansible.builtin.file:
+    path: /etc/rancher/rke2
+    state: directory
+    recurse: yes
+
+- name: Add pod security admission config file
+  vars:
+    file_contents: "{{ lookup('file', pod_security_admission_config_file_path) }}"
+  ansible.builtin.template:
+    src: ansible_header.j2
+    dest: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+    mode: '0640'
+    owner: root
+    group: root
+  when:
+    - pod_security_admission_config_file_path is defined
+    - pod_security_admission_config_file_path|length != 0
+  notify: Restart rke2-server
+
+- name: Remove pod security admission config file
+  when:
+    - pod_security_admission_config_file_path is not defined or pod_security_admission_config_file_path|length == 0
+  block:
+    - name: Check that the PSA config file exists
+      ansible.builtin.stat:
+        path: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+      register: stat_result
+
+    - name: "Check that the PSA config file has ansible managed comments"
+      ansible.builtin.lineinfile:
+        name: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+        line: '## This is an Ansible managed file, contents will be overwritten ##'
+        state: present
+      check_mode: yes
+      register: ansible_managed_check
+      when: stat_result.stat.exists | bool is true
+
+    - name: Remove the PSA config file if exists and has ansible managed comments
+      ansible.builtin.file:
+        path: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+        state: absent
+      when:
+        - ansible_managed_check.changed | bool is false
diff --git a/roles/rke2_server/tasks/main.yml b/roles/rke2_server/tasks/main.yml
index e0efd786..b9654eaf 100644
--- a/roles/rke2_server/tasks/main.yml
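Review bot: The "Remove the PSA config file" task deletes the file without `notify: Restart rke2-server`, while the "Add" task does notify, so clearing `pod_security_admission_config_file_path` leaves the running apiserver on the old policy until something else restarts it, and if config.yaml still carries `admission-control-config-file=` pointing at the deleted path the apiserver will presumably refuse to start on that next restart — confirm, and at minimum add `notify: Restart rke2-server` to the removal task plus a comment above the block: `# NOTE: remove the admission-control-config-file entry from rke2_config first, or kube-apiserver will fail to start after the file is gone`. Two smaller points in the same file: `recurse: yes` on the directory task does nothing useful without owner/group/mode and can be dropped, and `recurse: yes` / `check_mode: yes` / `| bool is true` / `| bool is false` should read `true` / `false` / `when: stat_result.stat.exists` / `when: not ansible_managed_check.changed` to match the project's lint badge. The destination path is also spelled out four times; a single `psa_config_dest` fact would keep the add/stat/lineinfile/remove tasks from drifting.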
+++ b/roles/rke2_server/tasks/main.yml @@ -7,6 +7,9 @@ name: rke2_common tasks_from: main +- name: Include task file add-pod-security-admission-config.yml + ansible.builtin.include_tasks: add-pod-security-admission-config.yml + - name: Setup initial server ansible.builtin.include_tasks: first_server.yml when: inventory_hostname in groups['rke2_servers'][0] diff --git a/sample_files/pod-security-admission-config.yaml b/sample_files/pod-security-admission-config.yaml new file mode 100644 index 00000000..6aaaa5a8 --- /dev/null +++ b/sample_files/pod-security-admission-config.yaml 
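Review bot: The new include is placed ahead of `first_server.yml`, so on a fresh install the template task inside add-pod-security-admission-config.yml can notify `Restart rke2-server` before the rke2-server unit has been installed or started; whether that handler tolerates a not-yet-existing service is outside this diff — confirm, or guard the notify on the service being present. The ordering itself looks intentional (presumably so the PSA file is on disk before the first apiserver start), and a one-line comment would save the next reader the same question: `# Must run before install/start so the PSA file exists for the first apiserver boot`. The enclosing task list continues outside the hunk, and the hunk as rendered shows one more `+` line than its header counts, so the exact placement should be re-checked in the real patch.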
@@ -0,0 +1,62 @@
+# This sample list was generated from:
+# https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates#exempting-required-rancher-namespaces
+# For security reasons, this list should be as concise as possible
+# only include active namespaces that need to be except from a restricted profile.
+
+---
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+  - name: PodSecurity
+    configuration:
+      apiVersion: pod-security.admission.config.k8s.io/v1
+      kind: PodSecurityConfiguration
+      defaults:
+        enforce: "restricted"
+        enforce-version: "latest"
+        audit: "restricted"
+        audit-version: "latest"
+        warn: "restricted"
+        warn-version: "latest"
+      exemptions:
+        usernames: []
+        runtimeClasses: []
+        namespaces: [calico-apiserver,
+                     calico-system,
+                     cattle-alerting,
+                     cattle-csp-adapter-system,
+                     cattle-elemental-system,
+                     cattle-epinio-system,
+                     cattle-externalip-system,
+                     cattle-fleet-local-system,
+                     cattle-fleet-system,
+                     cattle-gatekeeper-system,
+                     cattle-global-data,
+                     cattle-global-nt,
+                     cattle-impersonation-system,
+                     cattle-istio,
+                     cattle-istio-system,
+                     cattle-logging,
+                     cattle-logging-system,
+                     cattle-monitoring-system,
+                     cattle-neuvector-system,
+                     cattle-prometheus,
+                     cattle-provisioning-capi-system,
+                     cattle-resources-system,
+                     cattle-sriov-system,
+                     cattle-system,
+                     cattle-ui-plugin-system,
+                     cattle-windows-gmsa-system,
+                     cert-manager,
+                     cis-operator-system,
+                     fleet-default,
+                     ingress-nginx,
+                     istio-system,
+                     kube-node-lease,
+                     kube-public,
+                     kube-system,
+                     longhorn-system,
+                     local-path-storage,
+                     rancher-alerting-drivers,
+                     security-scan,
+                     tigera-operator]
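Review bot: `exemptions.namespaces` switches PodSecurity off entirely for the listed names — exempt requests skip enforce, audit and warn alike — and the match is by name only, so any principal granted pod-create rights in a namespace with one of these names (including one that does not exist yet) bypasses the restricted default with no audit trail; that matters for the thirty-nine entries here, several of which (`cattle-alerting`, `cattle-prometheus`, `cattle-logging`, `cattle-global-nt`) look like legacy Rancher app namespaces that a fresh RKE2 cluster will never create — confirm against what is actually deployed. The file's own header asks for a concise list, so I would trim the sample to what this playbook installs and, for namespaces that merely need a weaker level, label them `pod-security.kubernetes.io/enforce: privileged` instead of exempting them so audit/warn still fire. I would also make that caveat explicit above `exemptions:`: `# Exempt namespaces get NO enforce/audit/warn at all; prefer per-namespace labels where a looser level (not a bypass) is enough`. Finally, fix the typo in the header: `# only include active namespaces that need to be exempt from a restricted profile.`, and note that `*-version: "latest"` means the restricted ruleset tightens on every Kubernetes upgrade — pin a version if that is not wanted.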