From 252a2040e4b7ed067b4a9479e11f0615e1cbdc7c Mon Sep 17 00:00:00 2001
From: Jason Cox
Date: Fri, 2 Feb 2024 10:19:27 -0700
Subject: [PATCH 1/7] add pod security admission config
---
 inventory/sample/group_vars/rke2_servers.yml | 5 ++
 roles/rke2_common/defaults/main.yml | 1 +
 .../add-pod-security-admission-config.yml | 16 ++++++
 roles/rke2_common/tasks/main.yml | 4 ++
 .../pod-security-admission-config.yaml | 57 +++++++++++++++++++
 5 files changed, 83 insertions(+)
 create mode 100644 roles/rke2_common/tasks/add-pod-security-admission-config.yml
 create mode 100644 sample_files/pod-security-admission-config.yaml
diff --git a/inventory/sample/group_vars/rke2_servers.yml b/inventory/sample/group_vars/rke2_servers.yml
index 08c9bb32..c08256ca 100644
--- a/inventory/sample/group_vars/rke2_servers.yml
+++ b/inventory/sample/group_vars/rke2_servers.yml
@@ -45,3 +45,8 @@ rke2_config: {}
 # See https://docs.rke2.io/helm/#automatically-deploying-manifests-and-helm-charts
 # Add manifest files by specifying the directory path on the control host
 # manifest_config_file_path: "{{ playbook_dir }}/sample_files/manifest/"
+
+# See https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates#exempting-required-rancher-namespaces
+# Available in RKE2 1.25+
+# Add a pod security admission config file by specifying the file path on the control host
+# pod_security_admission_config_file_path: "{{ playbook_dir }}/sample_files/pod-security-admission-config.yaml"
diff --git a/roles/rke2_common/defaults/main.yml b/roles/rke2_common/defaults/main.yml
index 71eca998..7f60489f 100644
--- a/roles/rke2_common/defaults/main.yml
+++ b/roles/rke2_common/defaults/main.yml
@@ -3,6 +3,7 @@ tarball_dir: "/usr/local"
 rke2_channel: stable
 audit_policy_config_file_path: ""
 registry_config_file_path: ""
+pod_security_admission_config_file_path: ""
 add_iptables_rules: false
 rke2_common_yum_repo:
 name: rke2-common
diff --git a/roles/rke2_common/tasks/add-pod-security-admission-config.yml b/roles/rke2_common/tasks/add-pod-security-admission-config.yml
new file mode 100644
index 00000000..1f572e69
--- /dev/null
+++ b/roles/rke2_common/tasks/add-pod-security-admission-config.yml
@@ -0,0 +1,16 @@
+---
+- name: Create the /etc/rancher/rke2 config dir
+ ansible.builtin.file:
+ path: /etc/rancher/rke2
+ state: directory
+ recurse: yes
+
+- name: Add pod security admission config file
+ ansible.builtin.copy:
+ src: "{{ pod_security_admission_config_file_path }}"
+ dest: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+ mode: '0640'
+ owner: root
+ group: root
+ when: caller_role_name == "server"
+ notify: Restart rke2-server
diff --git a/roles/rke2_common/tasks/main.yml b/roles/rke2_common/tasks/main.yml
index 56840b3c..f7e1f9c7 100644
--- a/roles/rke2_common/tasks/main.yml
+++ b/roles/rke2_common/tasks/main.yml
@@ -70,6 +70,10 @@
 ansible.builtin.include_tasks: add-registry-config.yml
 when: registry_config_file_path | length > 0
 
+- name: Include task file add-pod-security-admission-config.yml
+ ansible.builtin.include_tasks: add-pod-security-admission-config.yml
+ when: pod_security_admission_config_file_path | length > 0
+
 - name: Run CIS-Hardening Tasks
 ansible.builtin.include_role:
 name: rke2_common
diff --git a/sample_files/pod-security-admission-config.yaml b/sample_files/pod-security-admission-config.yaml
new file mode 100644
index 00000000..d3ee1b28
--- /dev/null
+++ b/sample_files/pod-security-admission-config.yaml
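Review bot: `recurse: yes` on the 'Create the /etc/rancher/rke2 config dir' task does not do what it appears to — `state: directory` already creates missing parents, while `recurse` only re-applies `mode`/`owner`/`group` to everything already under /etc/rancher/rke2, and none of those are set on this task, so it is a no-op walk of the tree on every run. Drop the line, or if an attribute is added later, write it as a real boolean (`recurse: true`). The directory also gets no `mode:`, so its permissions depend on the remote umask while the file placed inside it is 0640; an explicit `mode:` on the directory task avoids that. The same lines are carried into roles/rke2_server/tasks/add-pod-security-admission-config.yml in patches 2 and 4.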
@@ -0,0 +1,57 @@
+---
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+ - name: PodSecurity
+ configuration:
+ apiVersion: pod-security.admission.config.k8s.io/v1
+ kind: PodSecurityConfiguration
+ defaults:
+ enforce: "restricted"
+ enforce-version: "latest"
+ audit: "restricted"
+ audit-version: "latest"
+ warn: "restricted"
+ warn-version: "latest"
+ exemptions:
+ usernames: []
+ runtimeClasses: []
+ namespaces: [calico-apiserver,
+ calico-system,
+ cattle-alerting,
+ cattle-csp-adapter-system,
+ cattle-elemental-system,
+ cattle-epinio-system,
+ cattle-externalip-system,
+ cattle-fleet-local-system,
+ cattle-fleet-system,
+ cattle-gatekeeper-system,
+ cattle-global-data,
+ cattle-global-nt,
+ cattle-impersonation-system,
+ cattle-istio,
+ cattle-istio-system,
+ cattle-logging,
+ cattle-logging-system,
+ cattle-monitoring-system,
+ cattle-neuvector-system,
+ cattle-prometheus,
+ cattle-provisioning-capi-system,
+ cattle-resources-system,
+ cattle-sriov-system,
+ cattle-system,
+ cattle-ui-plugin-system,
+ cattle-windows-gmsa-system,
+ cert-manager,
+ cis-operator-system,
+ fleet-default,
+ ingress-nginx,
+ istio-system,
+ kube-node-lease,
+ kube-public,
+ kube-system,
+ longhorn-system,
+ local-path-storage,
+ rancher-alerting-drivers,
+ security-scan,
+ tigera-operator]
\ No newline at end of file
From 9c4122fed13ac678162d6b992d92de844cdd0507 Mon Sep 17 00:00:00 2001
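Review bot: `exemptions.namespaces` exempts the listed namespaces from all three modes at once — PodSecurity skips exempt requests entirely, so nothing is recorded for them under `audit: "restricted"` and no `warn` is returned either, which is easy to miss when the file sets all three modes side by side. A comment above `exemptions:` along the lines of `# exempt namespaces bypass enforce, audit AND warn` would make that explicit. `enforce-version: "latest"` (and the matching audit/warn versions) also means the restricted profile's rules change with each Kubernetes minor upgrade; pinning to a specific version such as `"v1.25"` keeps upgrades predictable at the cost of updating this file deliberately.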
From: Adam Leiner
Date: Tue, 21 May 2024 15:33:47 -0400
Subject: [PATCH 2/7] adding remove functionality and header
---
 ansible_header.j2 | 3 ++
 .../add-pod-security-admission-config.yml | 16 -------
 roles/rke2_common/tasks/main.yml | 4 --
 .../add-pod-security-admission-config.yml | 45 +++++++++++++++++++
 roles/rke2_server/tasks/main.yml | 3 ++
 5 files changed, 51 insertions(+), 20 deletions(-)
 create mode 100644 ansible_header.j2
 delete mode 100644 roles/rke2_common/tasks/add-pod-security-admission-config.yml
 create mode 100644 roles/rke2_server/tasks/add-pod-security-admission-config.yml
diff --git a/ansible_header.j2 b/ansible_header.j2
new file mode 100644
index 00000000..0377d97b
--- /dev/null
+++ b/ansible_header.j2
@@ -0,0 +1,3 @@
+## This is an Ansible managed file, contents will be overwritten ##
+
+{{ file_contents }}
diff --git a/roles/rke2_common/tasks/add-pod-security-admission-config.yml b/roles/rke2_common/tasks/add-pod-security-admission-config.yml
deleted file mode 100644
index 1f572e69..00000000
--- a/roles/rke2_common/tasks/add-pod-security-admission-config.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-- name: Create the /etc/rancher/rke2 config dir
- ansible.builtin.file:
- path: /etc/rancher/rke2
- state: directory
- recurse: yes
-
-- name: Add pod security admission config file
- ansible.builtin.copy:
- src: "{{ pod_security_admission_config_file_path }}"
- dest: "/etc/rancher/rke2/pod-security-admission-config.yaml"
- mode: '0640'
- owner: root
- group: root
- when: caller_role_name == "server"
- notify: Restart rke2-server
diff --git a/roles/rke2_common/tasks/main.yml b/roles/rke2_common/tasks/main.yml
index 4bb92a67..78502759 100644
--- a/roles/rke2_common/tasks/main.yml
+++ b/roles/rke2_common/tasks/main.yml
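Review bot: The marker text `## This is an Ansible managed file, contents will be overwritten ##` is duplicated verbatim as the `line:` of the check-mode lineinfile task in roles/rke2_server/tasks/add-pod-security-admission-config.yml added by the same patch, and the removal logic depends on the two copies matching exactly: edit either one and `ansible_managed_check.changed` becomes true, so the file is silently never removed. Keep the marker in one place — a role variable (e.g. a new `psa_managed_marker`) rendered here and used as the `line:` in the task — or render Ansible's built-in `{{ ansible_managed }}` in both. Note also that `{{ file_contents }}` comes from a `file` lookup, which strips the source's trailing newline by default; harmless for YAML, but worth a one-line comment in this template since the header may be reused for other file types.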
@@ -74,10 +74,6 @@
 ansible.builtin.include_tasks: add-registry-config.yml
 when: registry_config_file_path | length > 0
 
-- name: Include task file add-pod-security-admission-config.yml
- ansible.builtin.include_tasks: add-pod-security-admission-config.yml
- when: pod_security_admission_config_file_path | length > 0
-
 - name: Run CIS-Hardening Tasks
 ansible.builtin.include_role:
 name: rke2_common
diff --git a/roles/rke2_server/tasks/add-pod-security-admission-config.yml b/roles/rke2_server/tasks/add-pod-security-admission-config.yml
new file mode 100644
index 00000000..79200cd0
--- /dev/null
+++ b/roles/rke2_server/tasks/add-pod-security-admission-config.yml
@@ -0,0 +1,45 @@
+---
+- name: Create the /etc/rancher/rke2 config dir
+ ansible.builtin.file:
+ path: /etc/rancher/rke2
+ state: directory
+ recurse: yes
+
+- name: Add pod security admission config file
+ vars:
+ file_contents: "{{ lookup('file', pod_security_admission_config_file_path) }}"
+ ansible.builtin.template:
+ src: ansible_header.j2
+ dest: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+ mode: '0640'
+ owner: root
+ group: root
+ when:
+ - pod_security_admission_config_file_path is defined
+ - pod_security_admission_config_file_path|length != 0
+ notify: Restart rke2-server
+
+- name: Remove pod security admission config file
+ block:
+ - name: Check that the PSA config file exists
+ ansible.builtin.stat:
+ path: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+ register: stat_result
+
+ - name: "Check that the PSA config file has ansible managed comments"
+ lineinfile:
+ name: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+ line: '## This is an Ansible managed file, contents will be overwritten ##'
+ state: present
+ check_mode: yes
+ register: ansible_managed_check
+ when: stat_result.stat.exists
+
+ - name: Remove the PSA config file if exists and has ansible managed comments
+ ansible.builtin.file:
+ path: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+ state: absent
+ when:
+ - ansible_managed_check.changed == false
+ when:
+ - pod_security_admission_config_file_path is not defined or pod_security_admission_config_file_path|length == 0
\ No newline at end of file
diff --git a/roles/rke2_server/tasks/main.yml b/roles/rke2_server/tasks/main.yml
index e0efd786..b9654eaf 100644
--- a/roles/rke2_server/tasks/main.yml
+++ b/roles/rke2_server/tasks/main.yml
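Review bot: The 'Remove pod security admission config file' block deletes /etc/rancher/rke2/pod-security-admission-config.yaml but, unlike the add task, carries no `notify: Restart rke2-server`, so a running kube-apiserver keeps enforcing the old policy until something else restarts it — and if config.yaml still passes `admission-control-config-file=/etc/rancher/rke2/pod-security-admission-config.yaml` (the argument the patch 5 inventory comment says is required), that later restart will most likely fail on the missing file. Add `notify: Restart rke2-server` to the 'Remove the PSA config file…' task, and either fail early when the argument is still present or document that the `kube-apiserver-arg` entry must be removed in the same change. The patch 4 rewrite of this file (its `@@ -1,45 +1,45 @@` hunk) keeps the same gap.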
@@ -7,6 +7,9 @@
 name: rke2_common
 tasks_from: main
 
+- name: Include task file add-pod-security-admission-config.yml
+ ansible.builtin.include_tasks: add-pod-security-admission-config.yml
+
 - name: Setup initial server
 ansible.builtin.include_tasks: first_server.yml
 when: inventory_hostname in groups['rke2_servers'][0]
From 495e453678618200ced05850ba5a9469cfaefaf3 Mon Sep 17 00:00:00 2001
From: Adam Leiner
Date: Tue, 21 May 2024 15:38:04 -0400
Subject: [PATCH 3/7] fixing linting
---
 .../tasks/add-pod-security-admission-config.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/roles/rke2_server/tasks/add-pod-security-admission-config.yml b/roles/rke2_server/tasks/add-pod-security-admission-config.yml
index 79200cd0..8df2c2dd 100644
--- a/roles/rke2_server/tasks/add-pod-security-admission-config.yml
+++ b/roles/rke2_server/tasks/add-pod-security-admission-config.yml
@@ -7,16 +7,16 @@
 
 - name: Add pod security admission config file
 vars:
- file_contents: "{{ lookup('file', pod_security_admission_config_file_path) }}"
+ file_contents: "{{ lookup('file', pod_security_admission_config_file_path) }}"
 ansible.builtin.template:
 src: ansible_header.j2
 dest: "/etc/rancher/rke2/pod-security-admission-config.yaml"
 mode: '0640'
 owner: root
 group: root
- when:
- - pod_security_admission_config_file_path is defined
- - pod_security_admission_config_file_path|length != 0
+ when:
+ - pod_security_admission_config_file_path is defined
+ - pod_security_admission_config_file_path|length != 0
 notify: Restart rke2-server
 
 - name: Remove pod security admission config file
@@ -40,6 +40,6 @@
 path: "/etc/rancher/rke2/pod-security-admission-config.yaml"
 state: absent
 when:
- - ansible_managed_check.changed == false
+ - ansible_managed_check.changed == false
 when:
- - pod_security_admission_config_file_path is not defined or pod_security_admission_config_file_path|length == 0
\ No newline at end of file
+ - pod_security_admission_config_file_path is not defined or pod_security_admission_config_file_path|length == 0
From b0c6736412f520acc97d163dbe321f3181fded7e Mon Sep 17 00:00:00 2001
From: Michael DAmato
Date: Tue, 21 May 2024 17:56:18 -0400
Subject: [PATCH 4/7] fix lint
---
 .../tasks/images_tarball_install.yml | 4 +-
 .../add-pod-security-admission-config.yml | 90 +++++++-------
 .../pod-security-admission-config.yaml | 114 +++++++++---------
 3 files changed, 104 insertions(+), 104 deletions(-)
diff --git a/roles/rke2_common/tasks/images_tarball_install.yml b/roles/rke2_common/tasks/images_tarball_install.yml
index f16ea251..4682d9a6 100644
--- a/roles/rke2_common/tasks/images_tarball_install.yml
+++ b/roles/rke2_common/tasks/images_tarball_install.yml
@@ -23,12 +23,12 @@
 
 - name: Download images tar files url
 ansible.builtin.get_url:
- url: "{{item}}"
+ url: "{{ item }}"
 dest: "/var/lib/rancher/rke2/agent/images"
 mode: "0644"
 when:
 - rke2_images_urls != []
- with_items: "{{rke2_images_urls}}"
+ with_items: "{{ rke2_images_urls }}"
 
 - name: Add images tar.gz to needed directory if provided
 ansible.builtin.copy:
diff --git a/roles/rke2_server/tasks/add-pod-security-admission-config.yml b/roles/rke2_server/tasks/add-pod-security-admission-config.yml
index 8df2c2dd..4b7a1937 100644
--- a/roles/rke2_server/tasks/add-pod-security-admission-config.yml
+++ b/roles/rke2_server/tasks/add-pod-security-admission-config.yml
@@ -1,45 +1,45 @@
----
-- name: Create the /etc/rancher/rke2 config dir
- ansible.builtin.file:
- path: /etc/rancher/rke2
- state: directory
- recurse: yes
-
-- name: Add pod security admission config file
- vars:
- file_contents: "{{ lookup('file', pod_security_admission_config_file_path) }}"
- ansible.builtin.template:
- src: ansible_header.j2
- dest: "/etc/rancher/rke2/pod-security-admission-config.yaml"
- mode: '0640'
- owner: root
- group: root
- when:
- - pod_security_admission_config_file_path is defined
- - pod_security_admission_config_file_path|length != 0
- notify: Restart rke2-server
-
-- name: Remove pod security admission config file
- block:
- - name: Check that the PSA config file exists
- ansible.builtin.stat:
- path: "/etc/rancher/rke2/pod-security-admission-config.yaml"
- register: stat_result
-
- - name: "Check that the PSA config file has ansible managed comments"
- lineinfile:
- name: "/etc/rancher/rke2/pod-security-admission-config.yaml"
- line: '## This is an Ansible managed file, contents will be overwritten ##'
- state: present
- check_mode: yes
- register: ansible_managed_check
- when: stat_result.stat.exists
-
- - name: Remove the PSA config file if exists and has ansible managed comments
- ansible.builtin.file:
- path: "/etc/rancher/rke2/pod-security-admission-config.yaml"
- state: absent
- when:
- - ansible_managed_check.changed == false
- when:
- - pod_security_admission_config_file_path is not defined or pod_security_admission_config_file_path|length == 0
+---
+- name: Create the /etc/rancher/rke2 config dir
+ ansible.builtin.file:
+ path: /etc/rancher/rke2
+ state: directory
+ recurse: yes
+
+- name: Add pod security admission config file
+ vars:
+ file_contents: "{{ lookup('file', pod_security_admission_config_file_path) }}"
+ ansible.builtin.template:
+ src: ansible_header.j2
+ dest: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+ mode: '0640'
+ owner: root
+ group: root
+ when:
+ - pod_security_admission_config_file_path is defined
+ - pod_security_admission_config_file_path|length != 0
+ notify: Restart rke2-server
+
+- name: Remove pod security admission config file
+ when:
+ - pod_security_admission_config_file_path is not defined or pod_security_admission_config_file_path|length == 0
+ block:
+ - name: Check that the PSA config file exists
+ ansible.builtin.stat:
+ path: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+ register: stat_result
+
+ - name: "Check that the PSA config file has ansible managed comments"
+ ansible.builtin.lineinfile:
+ name: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+ line: '## This is an Ansible managed file, contents will be overwritten ##'
+ state: present
+ check_mode: yes
+ register: ansible_managed_check
+ when: stat_result.stat.exists | bool is true
+
+ - name: Remove the PSA config file if exists and has ansible managed comments
+ ansible.builtin.file:
+ path: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+ state: absent
+ when:
+ - ansible_managed_check.changed | bool is false
diff --git a/sample_files/pod-security-admission-config.yaml b/sample_files/pod-security-admission-config.yaml
index d3ee1b28..fbde7fa1 100644
--- a/sample_files/pod-security-admission-config.yaml
+++ b/sample_files/pod-security-admission-config.yaml
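Review bot: The `when:` guards inside the remove block are harder to read than they need to be: `stat_result.stat.exists` is already a boolean, so `| bool is true` adds nothing, and `ansible_managed_check.changed | bool is false` is also satisfied when the lineinfile task was skipped because the file did not exist (a skipped registered result carries `changed: false`), so the `state: absent` task runs on a path already known to be absent. `when: stat_result.stat.exists` and `when: stat_result.stat.exists and not ansible_managed_check.changed` say exactly what is meant. All 45 lines are deleted and re-added although only four differ (the moved `when:`, the FQCN `ansible.builtin.lineinfile`, and the two `| bool` guards), which looks like a line-ending or indentation-only rewrite; worth saying so in the commit message so the real edits stay reviewable.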
@@ -1,57 +1,57 @@
----
-apiVersion: apiserver.config.k8s.io/v1
-kind: AdmissionConfiguration
-plugins:
- - name: PodSecurity
- configuration:
- apiVersion: pod-security.admission.config.k8s.io/v1
- kind: PodSecurityConfiguration
- defaults:
- enforce: "restricted"
- enforce-version: "latest"
- audit: "restricted"
- audit-version: "latest"
- warn: "restricted"
- warn-version: "latest"
- exemptions:
- usernames: []
- runtimeClasses: []
- namespaces: [calico-apiserver,
- calico-system,
- cattle-alerting,
- cattle-csp-adapter-system,
- cattle-elemental-system,
- cattle-epinio-system,
- cattle-externalip-system,
- cattle-fleet-local-system,
- cattle-fleet-system,
- cattle-gatekeeper-system,
- cattle-global-data,
- cattle-global-nt,
- cattle-impersonation-system,
- cattle-istio,
- cattle-istio-system,
- cattle-logging,
- cattle-logging-system,
- cattle-monitoring-system,
- cattle-neuvector-system,
- cattle-prometheus,
- cattle-provisioning-capi-system,
- cattle-resources-system,
- cattle-sriov-system,
- cattle-system,
- cattle-ui-plugin-system,
- cattle-windows-gmsa-system,
- cert-manager,
- cis-operator-system,
- fleet-default,
- ingress-nginx,
- istio-system,
- kube-node-lease,
- kube-public,
- kube-system,
- longhorn-system,
- local-path-storage,
- rancher-alerting-drivers,
- security-scan,
- tigera-operator]
\ No newline at end of file
+---
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+ - name: PodSecurity
+ configuration:
+ apiVersion: pod-security.admission.config.k8s.io/v1
+ kind: PodSecurityConfiguration
+ defaults:
+ enforce: "restricted"
+ enforce-version: "latest"
+ audit: "restricted"
+ audit-version: "latest"
+ warn: "restricted"
+ warn-version: "latest"
+ exemptions:
+ usernames: []
+ runtimeClasses: []
+ namespaces: [calico-apiserver,
+ calico-system,
+ cattle-alerting,
+ cattle-csp-adapter-system,
+ cattle-elemental-system,
+ cattle-epinio-system,
+ cattle-externalip-system,
+ cattle-fleet-local-system,
+ cattle-fleet-system,
+ cattle-gatekeeper-system,
+ cattle-global-data,
+ cattle-global-nt,
+ cattle-impersonation-system,
+ cattle-istio,
+ cattle-istio-system,
+ cattle-logging,
+ cattle-logging-system,
+ cattle-monitoring-system,
+ cattle-neuvector-system,
+ cattle-prometheus,
+ cattle-provisioning-capi-system,
+ cattle-resources-system,
+ cattle-sriov-system,
+ cattle-system,
+ cattle-ui-plugin-system,
+ cattle-windows-gmsa-system,
+ cert-manager,
+ cis-operator-system,
+ fleet-default,
+ ingress-nginx,
+ istio-system,
+ kube-node-lease,
+ kube-public,
+ kube-system,
+ longhorn-system,
+ local-path-storage,
+ rancher-alerting-drivers,
+ security-scan,
+ tigera-operator]
From a7ab49a5e396f31c9a27a2d462a592a81b540836 Mon Sep 17 00:00:00 2001
From: Adam Leiner
Date: Tue, 21 May 2024 20:32:26 -0400
Subject: [PATCH 5/7] updating documentation
---
 inventory/sample/group_vars/rke2_servers.yml | 1 +
 sample_files/pod-security-admission-config.yaml | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/inventory/sample/group_vars/rke2_servers.yml b/inventory/sample/group_vars/rke2_servers.yml
index c08256ca..d451b625 100644
--- a/inventory/sample/group_vars/rke2_servers.yml
+++ b/inventory/sample/group_vars/rke2_servers.yml
@@ -49,4 +49,5 @@ rke2_config: {}
 # See https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates#exempting-required-rancher-namespaces
 # Available in RKE2 1.25+
 # Add a pod security admission config file by specifying the file path on the control host
+# Requires config.yaml to include `- admission-control-config-file=/etc/rancher/rke2/pod-security-admission-config.yaml` in order for this to be honored
 # pod_security_admission_config_file_path: "{{ playbook_dir }}/sample_files/pod-security-admission-config.yaml"
diff --git a/sample_files/pod-security-admission-config.yaml b/sample_files/pod-security-admission-config.yaml
index fbde7fa1..280749ca 100644
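Review bot: `namespaces:` is still a flow-style sequence spread over 39 lines (`[calico-apiserver,` … `tigera-operator]`) even though this hunk re-emits every line of the file; in a multi-line flow sequence a dropped comma does not fail to parse but silently folds two names into one scalar, and yamllint's indentation rules are awkward for it. A block sequence (`- calico-apiserver`, one entry per line) catches that class of mistake and makes adding or trimming a namespace a one-line diff, which matters given patch 5 asks readers to keep this list minimal. The old and new sides otherwise read identically apart from the added trailing newline, presumably a line-ending change; worth stating in the commit message.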
--- a/sample_files/pod-security-admission-config.yaml
+++ b/sample_files/pod-security-admission-config.yaml
@@ -1,3 +1,7 @@
+#This sample list was generated from:
+#https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates#exempting-required-rancher-namespaces
+#For security reasons, this list should be as concise as possible - only include active namespaces that need to be except from a restricted profile.
+
 ---
 apiVersion: apiserver.config.k8s.io/v1
 kind: AdmissionConfiguration
From fd187eea33be5f1a3fe5d558c9f2ceb28db0ead8 Mon Sep 17 00:00:00 2001
From: Adam Leiner
Date: Wed, 22 May 2024 09:28:07 -0400
Subject: [PATCH 6/7] formatting
---
 roles/rke2_common/tasks/images_tarball_install.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/rke2_common/tasks/images_tarball_install.yml b/roles/rke2_common/tasks/images_tarball_install.yml
index 4682d9a6..191c97fe 100644
--- a/roles/rke2_common/tasks/images_tarball_install.yml
+++ b/roles/rke2_common/tasks/images_tarball_install.yml
@@ -23,7 +23,7 @@
 
 - name: Download images tar files url
 ansible.builtin.get_url:
- url: "{{ item }}"
+ url: "{{ item }}"
 dest: "/var/lib/rancher/rke2/agent/images"
 mode: "0644"
 when:
From d7fee24fe3a720470e3f72c56cc1ee611be69a52 Mon Sep 17 00:00:00 2001
From: Mike DAmato
Date: Wed, 22 May 2024 10:00:37 -0400
Subject: [PATCH 7/7] fix lint again
---
 README.md | 11 +++++++++++
 sample_files/pod-security-admission-config.yaml | 7 ++++---
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 20d0f805..a6dc3363 100644
--- a/README.md
+++ b/README.md
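Review bot: The new comment's wording `need to be except from a restricted profile` should read `exempt`; as this line is the only explanation of what the list does, the wrong word reads as an exclusion in the opposite direction. Patch 7 reflows these lines but keeps the typo, so fix it there too: `# only include active namespaces that need to be exempt from a restricted profile.`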
@@ -16,6 +16,17 @@ Build a Kubernetes cluster using RKE2 via Ansible
 |________________________________________________________|
 ```
 
+Unofficial Rancher Government Repository
+---------
+
+Support: Please note that the code provided in this repository is not supported under any official support subscriptions. While we strive to ensure the quality and functionality of our code, we provide it on an "as-is" basis and make no guarantees regarding its performance.
+
+Issues: We understand that issues may arise, and while we do not offer formal support, we will address reported issues on a "best effort" basis. We encourage users to report any problems or bugs they encounter, and we will do our best to address them in a timely manner.
+
+Contributions: Contributions to this repository are welcome! If you have improvements or fixes, please feel free to submit a pull request. We appreciate your efforts to improve the quality and effectiveness of this code.
+
+Thank you for your understanding and cooperation.
+
 Ansible RKE2 (RKE Government) Playbook
 ---------
 [![LINT](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ci.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ci.yml)
diff --git a/sample_files/pod-security-admission-config.yaml b/sample_files/pod-security-admission-config.yaml
index 280749ca..6aaaa5a8 100644
--- a/sample_files/pod-security-admission-config.yaml
+++ b/sample_files/pod-security-admission-config.yaml
@@ -1,6 +1,7 @@
-#This sample list was generated from:
-#https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates#exempting-required-rancher-namespaces
-#For security reasons, this list should be as concise as possible - only include active namespaces that need to be except from a restricted profile.
+# This sample list was generated from:
+# https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates#exempting-required-rancher-namespaces
+# For security reasons, this list should be as concise as possible
+# only include active namespaces that need to be except from a restricted profile.
 
 ---
 apiVersion: apiserver.config.k8s.io/v1