feat: enable Pod Security Admission by default

As Talos 1.1 supports Kubernetes 1.22-1.24, we can finally enable Pod Security Admission by default: ```yaml apiVersion: apiserver.config.k8s.io/v1 kind: AdmissionConfiguration plugins: - configuration: apiVersion: pod-security.admission.config.k8s.io/v1alpha1 defaults: audit: restricted audit-version: latest enforce: baseline enforce-version: latest warn: restricted warn-version: latest exemptions: namespaces: - kube-system runtimeClasses: [] usernames: [] kind: PodSecurityConfiguration name: PodSecurity path: "" ``` Signed-off-by: Andrey Smirnov <[email protected]>
siderolabs · Apr 11, 2022 · 9dace93 · 9dace93
1 parent c382cb8
commit 9dace93
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 8 deletions.
diff --git a/Makefile b/Makefile
@@ -33,7 +33,7 @@ KUBECTL_URL ?= https://storage.googleapis.com/kubernetes-release/release/v1.24.0
 KUBESTR_URL ?= https://github.com/kastenhq/kubestr/releases/download/v0.4.31/kubestr_0.4.31_Linux_amd64.tar.gz
 CLUSTERCTL_VERSION ?= 1.1.3
 CLUSTERCTL_URL ?= https://github.com/kubernetes-sigs/cluster-api/releases/download/v$(CLUSTERCTL_VERSION)/clusterctl-$(OPERATING_SYSTEM)-amd64
-D2CTL_URL ?= https://github.com/siderolabs/day-two/releases/download/v0.1.0-alpha.1/d2ctl-$(OPERATING_SYSTEM)-amd64
+D2CTL_URL ?= https://github.com/siderolabs/day-two/releases/download/v0.1.0-alpha.2/d2ctl-$(OPERATING_SYSTEM)-amd64
 PULUMI_URL ?= https://get.pulumi.com/releases/sdk/pulumi-v3.26.1-$(OPERATING_SYSTEM)-x64.tar.gz
 TESTPKGS ?= github.com/talos-systems/talos/...
 RELEASES ?= v0.14.3 v1.0.0

diff --git a/hack/release.toml b/hack/release.toml
@@ -44,6 +44,37 @@ created for Talos nodes. This allows to use IPv6 addresses in Kubernetes network
 
 If `talosctl cluster create` fails to work on Linux due to the lack of IPv6 support,
 please use the flag `--disable-docker-ipv6` to revert the change.
+"""
+
+    [notes.pod-security]
+        title = "Pod Security Admission"
+        description="""\
+[Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) controller is enabled by default with the following policy:
+
+```yaml
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+- configuration:
+    apiVersion: pod-security.admission.config.k8s.io/v1alpha1
+    defaults:
+      audit: restricted
+      audit-version: latest
+      enforce: baseline
+      enforce-version: latest
+      warn: restricted
+      warn-version: latest
+    exemptions:
+      namespaces:
+      - kube-system
+      runtimeClasses: []
+      usernames: []
+    kind: PodSecurityConfiguration
+  name: PodSecurity
+  path: ""
+```
+
+The policy is part of the Talos machine configuration, and it can be modified to suite your needs.
 """
 
 [make_deps]

diff --git a/hack/test/day-two/config.yaml b/hack/test/day-two/config.yaml
@@ -1,15 +1,17 @@
 charts:
   loki:
     namespace: loki
+    podSecurityLevel: privileged
     repo: https://grafana.github.io/helm-charts
     chart: loki-stack
-    valuesPath: hack/test/day-two/loki-values.yaml      
+    valuesPath: hack/test/day-two/loki-values.yaml
 
   metallb:
     namespace: metallb
+    podSecurityLevel: privileged
     repo: https://metallb.github.io/metallb
     chart: metallb
-    valuesPath: hack/test/day-two/metallb-values.yaml      
+    valuesPath: hack/test/day-two/metallb-values.yaml
 
   ingress-nginx:
     namespace: ingress
@@ -20,11 +22,13 @@ charts:
 
   rook:
     namespace: rook-ceph
+    podSecurityLevel: privileged
     repo: https://charts.rook.io/release
     chart: rook-ceph
 
   ceph:
     namespace: rook-ceph
+    podSecurityLevel: privileged
     repo: https://charts.rook.io/release
     chart: rook-ceph-cluster
     depends:

diff --git a/pkg/machinery/config/contract.go b/pkg/machinery/config/contract.go
@@ -24,7 +24,8 @@ type VersionContract struct {
 // Well-known Talos version contracts.
 var (
 	TalosVersionCurrent = (*VersionContract)(nil)
-	TalosVersion0_15    = &VersionContract{0, 15}
+	TalosVersion1_1     = &VersionContract{1, 1}
+	TalosVersion1_0     = &VersionContract{1, 0}
 	TalosVersion0_14    = &VersionContract{0, 14}
 	TalosVersion0_13    = &VersionContract{0, 13}
 	TalosVersion0_12    = &VersionContract{0, 12}
@@ -106,5 +107,5 @@ func (contract *VersionContract) PodSecurityPolicyEnabled() bool {
 
 // PodSecurityAdmissionEnabled returns true if pod security admission should be enabled by default.
 func (contract *VersionContract) PodSecurityAdmissionEnabled() bool {
-	return false // TODO: enable by default once Talos support Kubernetes 1.22+ only
+	return contract.Greater(TalosVersion1_0)
 }
diff --git a/pkg/machinery/config/contract_test.go b/pkg/machinery/config/contract_test.go
@@ -55,11 +55,25 @@ func TestContractCurrent(t *testing.T) {
 	assert.True(t, contract.SupportsECDSASHA256())
 	assert.True(t, contract.ClusterDiscoveryEnabled())
 	assert.False(t, contract.PodSecurityPolicyEnabled())
-	assert.False(t, contract.PodSecurityAdmissionEnabled())
+	assert.True(t, contract.PodSecurityAdmissionEnabled())
+}
+
+func TestContract1_1(t *testing.T) {
+	contract := config.TalosVersion1_1
+
+	assert.True(t, contract.SupportsAggregatorCA())
+	assert.True(t, contract.SupportsECDSAKeys())
+	assert.True(t, contract.SupportsServiceAccount())
+	assert.True(t, contract.SupportsRBACFeature())
+	assert.True(t, contract.SupportsDynamicCertSANs())
+	assert.True(t, contract.SupportsECDSASHA256())
+	assert.True(t, contract.ClusterDiscoveryEnabled())
+	assert.False(t, contract.PodSecurityPolicyEnabled())
+	assert.True(t, contract.PodSecurityAdmissionEnabled())
 }
 
-func TestContract0_15(t *testing.T) {
-	contract := config.TalosVersion0_15
+func TestContract1_0(t *testing.T) {
+	contract := config.TalosVersion1_0
 
 	assert.True(t, contract.SupportsAggregatorCA())
 	assert.True(t, contract.SupportsECDSAKeys())