Closed git-ival closed 10 months ago
TODO for QA: create TFP automation ticket for PSACT
Due to the reasons outlined here, we will only be adding PSACT support for Method 1 (set pod_security_configuration) and Method 3 (use extra_args to pass a custom Admission Configuration file) for the provider. No customers are urgently asking for this and the latest version will be released OOB.
Currently the TFP RKE does not support setting PSA configuration on creation of K8s 1.25+ clusters.
- kube_api service block defined in the RKE docs, methods 1 and 3.

Provision an RKE cluster with TF RKE provider v1.4.3-rc1.

Method 1: pass a restricted policy via the kube-api.pod_security_configuration field.

```hcl
services {
  kube_api {
    pod_security_configuration = "<value>" # privileged or restricted
  }
}
```
Deploy this yaml and verify the pod is rejected.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
```
Pass the invalid value pod_security_configuration: INVALID and confirm the provider throws an error.
Method 3: pass the path to an admission configuration file via kube-api.extra_args.admission-control-config-file and set extra_mounts to mount that file into the kube API server.

```hcl
kube_api {
  extra_args = {
    # path inside the kube API server container
    "admission-control-config-file" = "<container-path>/admission.yaml"
  }
  # host path on the node : path inside the kube API server container
  extra_binds = ["<node-path>:<container-path>"]
}
```
Per method 3 in the docs, if the bind-mounted file does not exist on the node, Docker creates it as a directory. In order to use kube API extra_args to mount a custom admission configuration file into the API server, you must update the Dockerfile for the API server container to touch an empty file. Otherwise, verifying that the provider passes admission-control-config-file to the node correctly is acceptable. If deployed, deploy the yaml above and verify the pod is rejected.
TF RKE provider node provisioning/hardened clusters.
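The test plan above says to deploy the nginx pod and confirm it is rejected, but not which fields of that manifest trip the restricted profile, nor what the admission.yaml mounted in Method 3 should contain. The following is an added example, not code from this issue or from the terraform-provider-rke project: it emits a PodSecurity AdmissionConfiguration (apiserver.config.k8s.io/v1, the form used on Kubernetes 1.25+) and runs a simplified, offline approximation of the restricted profile's checks over the thread's nginx manifest and a hardened copy of it. The function names, the UID 101 and the NET_BIND_SERVICE grant are my assumptions; the real admission controller enforces more rules (volume types, hostPath, procMount, sysctls and so on) than this subset.

```python
"""Added example, not part of the issue or of terraform-provider-rke.

Two things the thread leaves implicit:
  1. the content of the admission.yaml that Method 3 bind-mounts into kube-apiserver;
  2. why the plain nginx pod is rejected when enforce=restricted.
"""
import copy
import json


def admission_configuration(enforce="restricted", version="latest",
                            exempt_namespaces=("kube-system",)):
    """Build the PodSecurity AdmissionConfiguration referenced by
    --admission-control-config-file. JSON is a strict subset of YAML, so
    json.dumps() of this dict can be written straight to admission.yaml."""
    return {
        "apiVersion": "apiserver.config.k8s.io/v1",
        "kind": "AdmissionConfiguration",
        "plugins": [{
            "name": "PodSecurity",
            "configuration": {
                "apiVersion": "pod-security.admission.config.k8s.io/v1",
                "kind": "PodSecurityConfiguration",
                "defaults": {
                    "enforce": enforce, "enforce-version": version,
                    "audit": enforce, "audit-version": version,
                    "warn": enforce, "warn-version": version,
                },
                "exemptions": {"usernames": [], "runtimeClasses": [],
                               "namespaces": list(exempt_namespaces)},
            },
        }],
    }


def restricted_violations(pod):
    """Return the restricted-profile checks a pod would fail.
    Simplified subset (assumption): host namespaces, privileged,
    allowPrivilegeEscalation, capabilities, runAsNonRoot/runAsUser, seccomp."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    out = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            out.append(f"spec.{key} must be false")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc, name = c.get("securityContext", {}), c.get("name", "?")
        if sc.get("privileged"):
            out.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{name}: allowPrivilegeEscalation must be set to false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            out.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            out.append(f"{name}: only NET_BIND_SERVICE may be added")
        # container-level values override pod-level ones
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            out.append(f"{name}: runAsNonRoot must be true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            out.append(f"{name}: runAsUser must not be 0")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            out.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return out


# The manifest from the thread, as a dict (constructed inline).
NGINX_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
    "spec": {"containers": [{"image": "nginx", "name": "nginx",
                             "ports": [{"containerPort": 80}]}]},
}


def harden(pod, uid=101):
    """Return a copy that satisfies the checks above. UID 101 is the nginx
    image's nginx user (assumption); NET_BIND_SERVICE keeps port 80 usable."""
    hardened = copy.deepcopy(pod)
    hardened["spec"]["securityContext"] = {
        "runAsNonRoot": True, "runAsUser": uid,
        "seccompProfile": {"type": "RuntimeDefault"},
    }
    for c in hardened["spec"]["containers"]:
        c["securityContext"] = {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
        }
    return hardened


if __name__ == "__main__":
    print(json.dumps(admission_configuration(), indent=2))  # save as admission.yaml
    for v in restricted_violations(NGINX_POD):
        print("nginx pod:", v)
    print("hardened pod violations:", restricted_violations(harden(NGINX_POD)))
```

Running it lists four violations for the thread's nginx manifest (no allowPrivilegeEscalation=false, no drop ALL, no runAsNonRoot, no seccompProfile), which is why the enforce=restricted cluster rejects it, and none for the hardened copy. The emitted document is what belongs at `<node-path>` before the API server container starts; with `pod_security_configuration` (Method 1) RKE generates an equivalent file for you.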
We have moved our TFP RKE test process to use RCs like Rancher and the TF rancher2 provider. Please test this issue on RC v1.4.3-rc1. I will create additional RCs for all new code in scope.
thaneunsoo said: Tested this issue on v1.4.3-rc1 with the following scenarios:

- Pass restricted policy via the kube-api.pod_security_configuration field. Deploy this yaml and verify the pod is rejected. Pass

  ```yaml
  apiVersion: v1
  kind: Pod
  metadata:
    name: nginx
  spec:
    containers:
    - image: nginx
      name: nginx
      ports:
      - containerPort: 80
  ```

- Pass invalid value pod_security_configuration: INVALID and confirm provider throws an error. Pass
- Pass the path to an admission configuration file via kube-api.extra_args.admission-control-config-file and set extra_mounts to mount that file into the kube API server. Pass
Currently the TFP RKE does not support setting PSA configuration on the creation of K8s 1.26 clusters.
In order to accomplish this it seems that a few things are needed:
- kube_api service block defined in the RKE documentation

1.4.4+1.4.8

There is an open PR for this: https://github.com/rancher/terraform-provider-rke/pull/397