Open jisnardo opened 2 weeks ago
I see the same error in Job apply-system-agent-upgrader-on-clusername-wrk-cjmrg-lvk-93166
(combined from similar events): Error creating: pods "apply-system-agent-upgrader-on-clusername-wrk-cjmrg-lvk-cm7d4" is forbidden: violates PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true, hostIPC=true), privileged (container "upgrade" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "upgrade" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "upgrade" must set securityContext.capabilities.drop=["ALL"]; container "upgrade" must not include "CAP_SYS_BOOT" in securityContext.capabilities.add), restricted volume types (volume "host-root" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "upgrade" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "upgrade" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Problem solved by injecting excluded namespaces into kube-apiserver-args. Of course, you need to find a way to put these values into the cluster spec during cluster creation. This is just an example to show it works.
```sh
cat <<EOF > /var/lib/rancher/rke2/etc/config-files/rancher-psa.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [cattle-alerting,
                   cattle-fleet-local-system,
                   cattle-fleet-system,
                   cattle-global-data,
                   cattle-impersonation-system,
                   cattle-monitoring-system,
                   cattle-prometheus,
                   cattle-resources-system,
                   cattle-system,
                   cattle-ui-plugin-system,
                   cert-manager,
                   cis-operator-system,
                   fleet-default,
                   ingress-nginx,
                   kube-node-lease,
                   kube-public,
                   kube-system,
                   rancher-alerting-drivers]
EOF
```
```yaml
apiVersion: provisioning.cattle.io/v1
kind: Cluster
metadata:
  name: # Define cluster name
spec:
  rkeConfig:
    machineSelectorConfig:
    - config:
        kube-apiserver-arg:
        - admission-control-config-file=/var/lib/rancher/rke2/etc/config-files/rancher-psa.yaml
        profile: cis
```
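To make the effect of that exemption list concrete, here is an added example (not code from this issue, from Rancher or from RKE2) that models offline what the PodSecurity admission plugin does with the event above: a namespace on the `exemptions.namespaces` list bypasses every check, while any other namespace gets the `restricted` controls applied. The pod spec is reconstructed from the fields the forbidden event names (it is not the real upgrader Job manifest), the exemption list is a subset of the one in `rancher-psa.yaml`, and the checks are a simplified model of the restricted profile rather than the upstream implementation.

```python
# Added example: offline model of PodSecurity "restricted" checks plus the
# namespace-exemption short-circuit. Pod specs and the exemption list below
# are constructed for illustration, not taken from a live cluster.

# Capabilities the restricted profile still allows a container to add.
RESTRICTED_ALLOWED_ADD = {"NET_BIND_SERVICE"}
# Volume types the restricted profile permits.
RESTRICTED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}


def restricted_violations(pod: dict) -> list[str]:
    """Return one message per restricted-profile control the pod violates."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    violations = []

    host_ns = [k for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    if host_ns:
        violations.append("host namespaces (" + ", ".join(f"{k}=true" for k in host_ns) + ")")

    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        name, sc = c["name"], c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(f'privileged (container "{name}")')
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f'allowPrivilegeEscalation != false (container "{name}")')
        caps = sc.get("capabilities") or {}
        bad_add = set(caps.get("add") or []) - RESTRICTED_ALLOWED_ADD
        if caps.get("drop") != ["ALL"] or bad_add:
            violations.append(
                f'unrestricted capabilities (container "{name}": '
                f'drop={caps.get("drop")}, add={sorted(bad_add)})')
        # Pod-level settings apply unless the container overrides them.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_non_root is not True:
            violations.append(f'runAsNonRoot != true (container "{name}")')
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f'seccompProfile (container "{name}")')

    for vol in spec.get("volumes", []):
        for vtype in (k for k in vol if k != "name"):
            if vtype not in RESTRICTED_VOLUME_TYPES:
                violations.append(
                    f'restricted volume types (volume "{vol["name"]}" uses "{vtype}")')
    return violations


def admission_decision(pod: dict, namespace: str, exemptions: dict) -> tuple[str, list[str]]:
    """Mirror the enforce path: an exempt namespace skips every check."""
    if namespace in exemptions.get("namespaces", []):
        return "exempt", []
    violations = restricted_violations(pod)
    return ("forbidden" if violations else "allowed"), violations


# Subset of the exemption list from rancher-psa.yaml above.
EXEMPTIONS = {"usernames": [], "runtimeClasses": [],
              "namespaces": ["cattle-system", "kube-system", "cattle-fleet-system"]}

# Constructed pod carrying every field the forbidden event complains about.
UPGRADER_POD = {
    "spec": {
        "hostNetwork": True, "hostPID": True, "hostIPC": True,
        "containers": [{
            "name": "upgrade",
            "securityContext": {
                "privileged": True,
                "capabilities": {"add": ["CAP_SYS_BOOT"]},
            },
        }],
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    }
}

# Constructed pod that satisfies the restricted profile, for contrast.
HARDENED_POD = {
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    }
}

if __name__ == "__main__":
    for ns in ("cattle-system", "default"):
        verdict, why = admission_decision(UPGRADER_POD, ns, EXEMPTIONS)
        print(ns, verdict, *why, sep="\n  ")
    print("default", admission_decision(HARDENED_POD, "default", EXEMPTIONS)[0])
```

Two things worth keeping in mind when copying the exemption approach: an exempt namespace bypasses the audit and warn levels as well as enforce, so nothing about privileged pods in `cattle-system` will show up in the API server audit log; and the upgrader genuinely needs host namespaces, `privileged`, `CAP_SYS_BOOT` and the `host-root` hostPath to do its job, so the alternative is not to harden that pod but to scope the exception as narrowly as the Rancher namespaces require.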
Thanks @ferhatguneri, now the question is how to "find a way to put these values into the cluster spec during cluster creation". Meanwhile, a cheating way could be postRKE2Commands while waiting for a proper option.
Rancher Server Setup
Information about the Cluster
Kubernetes version: v1.30.4+rke2r1
Cluster Type (Local/Downstream): Downstream
Hosted: on premise
Infrastructure Provider: vSphere
User Information
Describe the bug
To Reproduce
Result
Events started to appear at Rancher.
Expected Result
No impact, hardening applied.
Screenshots
n/a
Additional context
Related: https://github.com/rancher/fleet/issues/2887
Thanks in advance.