rancherfederal · mddamato · May 22, 2024 · Feb 2, 2024 · May 21, 2024 · May 21, 2024
diff --git a/ansible_header.j2 b/ansible_header.j2
@@ -0,0 +1,3 @@
+## This is an Ansible managed file, contents will be overwritten ##
+
+{{ file_contents }}
diff --git a/inventory/sample/group_vars/rke2_servers.yml b/inventory/sample/group_vars/rke2_servers.yml
@@ -45,3 +45,8 @@ rke2_config: {}
 # See https://docs.rke2.io/helm/#automatically-deploying-manifests-and-helm-charts
 # Add manifest files by specifying the directory path on the control host
 # manifest_config_file_path: "{{ playbook_dir }}/sample_files/manifest/"
+
+# See https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates#exempting-required-rancher-namespaces
+# Available in RKE2 1.25+
+# Add a pod security admission config file by specifying the file path on the control host
+# pod_security_admission_config_file_path: "{{ playbook_dir }}/sample_files/pod-security-admission-config.yaml"
diff --git a/roles/rke2_common/defaults/main.yml b/roles/rke2_common/defaults/main.yml
@@ -1,10 +1,11 @@
 ---
 tarball_dir: "/usr/local"
 rke2_tarball_url: ""
 rke2_images_urls: []
 rke2_channel: stable
 audit_policy_config_file_path: ""
 registry_config_file_path: ""
+pod_security_admission_config_file_path: ""
 add_iptables_rules: false
 rke2_common_yum_repo:
   name: rke2-common

diff --git a/roles/rke2_common/tasks/images_tarball_install.yml b/roles/rke2_common/tasks/images_tarball_install.yml
@@ -1,5 +1,5 @@
 ---
 - name: "Check for images tar.gz in {{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.gz"  # noqa name[template] yaml[line-length]
  ansible.builtin.stat:
    path: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.gz"
    get_checksum: false
@@ -7,7 +7,7 @@
  delegate_to: 127.0.0.1
  become: false

 - name: "Check for images tar.zst in {{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.zst"  # noqa name[template] yaml[line-length]
  ansible.builtin.stat:
    path: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.zst"
    get_checksum: false
@@ -23,12 +23,12 @@
 
 - name: Download images tar files url
   ansible.builtin.get_url:
-    url: "{{item}}"
+    url: "{{ item  }}"
     dest: "/var/lib/rancher/rke2/agent/images"
     mode: "0644"
   when:
     - rke2_images_urls != []
-  with_items: "{{rke2_images_urls}}"
+  with_items: "{{ rke2_images_urls }}"
 
 - name: Add images tar.gz to needed directory if provided
   ansible.builtin.copy:

diff --git a/roles/rke2_server/tasks/add-pod-security-admission-config.yml b/roles/rke2_server/tasks/add-pod-security-admission-config.yml
@@ -0,0 +1,45 @@
+---
+- name: Create the /etc/rancher/rke2 config dir
+  ansible.builtin.file:
+    path: /etc/rancher/rke2
+    state: directory
+    recurse: yes
+
+- name: Add pod security admission config file
+  vars:
+    file_contents: "{{ lookup('file', pod_security_admission_config_file_path) }}"
+  ansible.builtin.template:
+    src: ansible_header.j2
+    dest: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+    mode: '0640'
+    owner: root
+    group: root
+  when:
+    - pod_security_admission_config_file_path is defined
+    - pod_security_admission_config_file_path|length != 0
+  notify: Restart rke2-server
+
+- name: Remove pod security admission config file
+  when:
+    - pod_security_admission_config_file_path is not defined or pod_security_admission_config_file_path|length == 0
+  block:
+    - name: Check that the PSA config file exists
+      ansible.builtin.stat:
+        path: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+      register: stat_result
+
+    - name: "Check that the PSA config file has ansible managed comments"
+      ansible.builtin.lineinfile:
+        name: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+        line: '## This is an Ansible managed file, contents will be overwritten ##'
+        state: present
+      check_mode: yes
+      register: ansible_managed_check
+      when: stat_result.stat.exists | bool is true
+
+    - name: Remove the PSA config file if exists and has ansible managed comments
+      ansible.builtin.file:
+        path: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+        state: absent
+      when:
+        - ansible_managed_check.changed | bool is false
diff --git a/roles/rke2_server/tasks/main.yml b/roles/rke2_server/tasks/main.yml
@@ -7,6 +7,9 @@
     name: rke2_common
     tasks_from: main
 
+- name: Include task file add-pod-security-admission-config.yml
+  ansible.builtin.include_tasks: add-pod-security-admission-config.yml
+
 - name: Setup initial server
   ansible.builtin.include_tasks: first_server.yml
   when: inventory_hostname in groups['rke2_servers'][0]

diff --git a/sample_files/pod-security-admission-config.yaml b/sample_files/pod-security-admission-config.yaml
@@ -0,0 +1,57 @@
+---
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+  - name: PodSecurity
+    configuration:
+      apiVersion: pod-security.admission.config.k8s.io/v1
+      kind: PodSecurityConfiguration
+      defaults:
+        enforce: "restricted"
+        enforce-version: "latest"
+        audit: "restricted"
+        audit-version: "latest"
+        warn: "restricted"
+        warn-version: "latest"
+      exemptions:
+        usernames: []
+        runtimeClasses: []
+        namespaces: [calico-apiserver,
+                     calico-system,
+                     cattle-alerting,
+                     cattle-csp-adapter-system,
+                     cattle-elemental-system,
+                     cattle-epinio-system,
+                     cattle-externalip-system,
+                     cattle-fleet-local-system,
+                     cattle-fleet-system,
+                     cattle-gatekeeper-system,
+                     cattle-global-data,
+                     cattle-global-nt,
+                     cattle-impersonation-system,
+                     cattle-istio,
+                     cattle-istio-system,
+                     cattle-logging,
+                     cattle-logging-system,
+                     cattle-monitoring-system,
+                     cattle-neuvector-system,
+                     cattle-prometheus,
+                     cattle-provisioning-capi-system,
+                     cattle-resources-system,
+                     cattle-sriov-system,
+                     cattle-system,
+                     cattle-ui-plugin-system,
+                     cattle-windows-gmsa-system,
+                     cert-manager,
+                     cis-operator-system,
+                     fleet-default,
+                     ingress-nginx,
+                     istio-system,
+                     kube-node-lease,
+                     kube-public,
+                     kube-system,
+                     longhorn-system,
+                     local-path-storage,
+                     rancher-alerting-drivers,
+                     security-scan,
+                     tigera-operator]