diff --git a/inventory/sample/group_vars/rke2_servers.yml b/inventory/sample/group_vars/rke2_servers.yml
index c08256c..d451b62 100644
--- a/inventory/sample/group_vars/rke2_servers.yml
+++ b/inventory/sample/group_vars/rke2_servers.yml
@@ -49,4 +49,5 @@ rke2_config: {}
 # See https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates#exempting-required-rancher-namespaces
 # Available in RKE2 1.25+
 # Add a pod security admission config file by specifying the file path on the control host
+# Requires config.yaml to include `- admission-control-config-file=/etc/rancher/rke2/pod-security-admission-config.yaml` in order for this to be honored
 # pod_security_admission_config_file_path: "{{ playbook_dir }}/sample_files/pod-security-admission-config.yaml"
diff --git a/sample_files/pod-security-admission-config.yaml b/sample_files/pod-security-admission-config.yaml
index fbde7fa..280749c 100644
--- a/sample_files/pod-security-admission-config.yaml
+++ b/sample_files/pod-security-admission-config.yaml
@@ -1,3 +1,7 @@
+#This sample list was generated from:
+#https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates#exempting-required-rancher-namespaces
+#For security reasons, this list should be as concise as possible - only include active namespaces that need to be except from a restricted profile.
+
 ---
 apiVersion: apiserver.config.k8s.io/v1
 kind: AdmissionConfiguration
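Review bot: The added comment in rke2_servers.yml quotes the list item `- admission-control-config-file=/etc/rancher/rke2/pod-security-admission-config.yaml` without naming the config.yaml key it belongs under, so a reader who pastes it at the top level of config.yaml gets an unrecognized entry and the admission config is silently never applied; presumably it is meant as a `kube-apiserver-arg:` entry, which should be stated. The line is also well over 120 characters and would be easier to read split in two, e.g. `# Requires config.yaml to pass the file to the API server (presumably under kube-apiserver-arg:):` followed by `#   - admission-control-config-file=/etc/rancher/rke2/pod-security-admission-config.yaml`. It would also help to say that without this setting the copied file has no effect, since that is the failure mode a user will hit.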
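Review bot: The third added comment in pod-security-admission-config.yaml says namespaces that need to be `except` from a restricted profile; the word is `exempt`, and since this sentence is the guidance a reviewer of the exemption list will rely on, it should read `# For security reasons, keep this list as short as possible - only include active namespaces that must be exempt from the restricted profile.` The three comment lines also lack a space after `#` (`#This`, `#https`, `#For`), which yamllint's comments rule flags; write them as `# This sample list ...`. Given that every entry here is a namespace where the restricted profile is not enforced, a closing comment asking operators to remove entries when a namespace is retired would reinforce the "as concise as possible" intent.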