siderolabs / terraform-provider-talos

Mozilla Public License 2.0

How to disable default apiServer.admissionControl policy #163

Closed den-is closed 4 months ago

den-is commented 4 months ago

I'm trying to disable default PodSecurityAdmission policy, so kindly enabled by the Talos team.

I've tried to pass empty array value to plain yaml configuration.

yamlencode({
    cluster = {
      apiServer = {
        admissionControl = []
      }
      # omitted
    }
    # omitted
})

Tried to apply actual patchesJson6902 patch (which works for my test/non-tf deploys)

- op: replace
  path: /cluster/apiServer/admissionControl
  value: []

data "talos_machine_configuration" "controlplane" {
  # omitted
  config_patches = [
    local.controlplane_config_patch,
    file("${path.module}/patches/disable-pod-security-admission.yaml")
  ]
}

Nothing seems to be working, except manually removing it using talosctl. Each time I reapply terraform, the policy returns.

smira commented 4 months ago

There is no easy way at the moment with strategic merge patches, but you can use a partial patch to change all policies to 'privileged' which will effectively disable it.

den-is commented 4 months ago

@smira wrong answer :)

Strategic Merge Patch indeed is not working, but JSON Patch (RFC6902) did actually work.

My bad. I pushed an empty patch file. After actually providing:

- op: replace
  path: /cluster/apiServer/admissionControl
  value: []

Everything worked.
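As an added illustration (not code from this issue or from the provider), the script below models the two patch mechanisms discussed in the thread on a constructed stand-in for the `cluster.apiServer` section. The merge rule is a simplified assumption (dicts merge recursively, lists are appended), chosen to show why an empty list leaves the existing policy in place, why an empty patch file changes nothing, and why the RFC 6902 `replace` op from the thread clears the list.

```python
import copy

# Constructed stand-in for the relevant slice of a Talos machine config.
BASE_CONFIG = {
    "cluster": {
        "apiServer": {
            "admissionControl": [
                {"name": "PodSecurity",
                 "configuration": {"defaults": {"enforce": "baseline"}}},
            ],
        }
    }
}

# The JSON Patch (RFC 6902) from the thread, as a list of ops.
DISABLE_PATCH = [
    {"op": "replace", "path": "/cluster/apiServer/admissionControl", "value": []},
]


def strategic_merge(base, patch):
    """Assumed, simplified merge: dicts merge key by key, lists in the
    patch are appended to the base list, scalars are overwritten.
    Under this rule an empty list in the patch is a no-op."""
    out = copy.deepcopy(base)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = strategic_merge(out[key], value)
        elif isinstance(value, list) and isinstance(out.get(key), list):
            out[key] = out[key] + copy.deepcopy(value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def json_patch(base, ops):
    """Minimal RFC 6902 applier: 'replace' and 'remove' on object paths.
    Per the RFC, the target of 'replace' must already exist."""
    out = copy.deepcopy(base)
    for op in ops:
        parts = [p.replace("~1", "/").replace("~0", "~")
                 for p in op["path"].lstrip("/").split("/")]
        parent = out
        for part in parts[:-1]:
            parent = parent[part]
        key = parts[-1]
        if key not in parent:
            raise KeyError(f"path {op['path']} does not exist")
        if op["op"] == "replace":
            parent[key] = copy.deepcopy(op["value"])
        elif op["op"] == "remove":
            del parent[key]
        else:
            raise ValueError(f"unsupported op {op['op']}")
    return out


def admission_policies(config):
    """Return the admissionControl list of a (patched) config."""
    return config["cluster"]["apiServer"]["admissionControl"]
```

`strategic_merge(BASE_CONFIG, {"cluster": {"apiServer": {"admissionControl": []}}})` keeps the PodSecurity entry, `json_patch(BASE_CONFIG, [])` (the empty patch file) keeps it too, and `json_patch(BASE_CONFIG, DISABLE_PATCH)` yields an empty list.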