rancher-docs/docs/reference-guides/rancher-security/psa-restricted-exemptions.md
Marty Hernandez Avedon 40936468b4 [2.7.2] #462 Add instructions for how to use PSACT (#489)
* #462 Add instructions for how to use PSACT

* started adding instructions for adding/editing a cluster

* started adding instructions for add/editing a psa template

* instructions for rke2/k3s, note about cis

* updated to include RKE1 instructions

* wording

* nitpicky word choice: applied > described

* Apply suggestions from code review

Co-authored-by: Jiaqi Luo <6218999+jiaqiluo@users.noreply.github.com>

* tabs, added suggestion on RKE2 link from thread

* sidebars, correcting language in hardening guide

* link, switching where list of exempt namespaces is placed, corrections - users edit the PSA config, not PSS, to establish restrictions on pods

* update link

* added final save/create instructions

* Apply suggestions from code review

Co-authored-by: Billy Tat <btat@suse.com>

* updated file names

* missing metadata key

* corrected links

* Delete psa-config-template.md

File shouldn't still be in the tree, as it was renamed

* Apply suggestions from code review

Co-authored-by: Jiaqi Luo <6218999+jiaqiluo@users.noreply.github.com>

* syncing RKE1 and 2 hardening guides, title update

* moved sample config file, added -  to list of required exempt namespaces

* added moved config file to sidebars.js

---------

Co-authored-by: Jiaqi Luo <6218999+jiaqiluo@users.noreply.github.com>
Co-authored-by: Billy Tat <btat@suse.com>
2023-03-24 15:04:15 -04:00


---
title: Sample PodSecurityConfiguration
---

The following `PodSecurityConfiguration` contains the namespace exemptions that a `rancher-restricted` cluster requires in order to run properly: with the `restricted` level enforced cluster-wide, Rancher's own system workloads in these namespaces would otherwise be rejected at admission time.

```yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: PodSecurity
    configuration:
      apiVersion: pod-security.admission.config.k8s.io/v1
      kind: PodSecurityConfiguration
      defaults:
        enforce: "restricted"
        enforce-version: "latest"
        audit: "restricted"
        audit-version: "latest"
        warn: "restricted"
        warn-version: "latest"
      exemptions:
        usernames: []
        runtimeClasses: []
        namespaces: [calico-apiserver,
                     calico-system,
                     cattle-alerting,
                     cattle-csp-adapter-system,
                     cattle-epinio-system,
                     cattle-externalip-system,
                     cattle-fleet-local-system,
                     cattle-fleet-system,
                     cattle-gatekeeper-system,
                     cattle-global-data,
                     cattle-global-nt,
                     cattle-impersonation-system,
                     cattle-istio,
                     cattle-istio-system,
                     cattle-logging,
                     cattle-logging-system,
                     cattle-monitoring-system,
                     cattle-neuvector-system,
                     cattle-prometheus,
                     cattle-sriov-system,
                     cattle-system,
                     cattle-ui-plugin-system,
                     cattle-windows-gmsa-system,
                     cert-manager,
                     cis-operator-system,
                     fleet-default,
                     ingress-nginx,
                     istio-system,
                     kube-node-lease,
                     kube-public,
                     kube-system,
                     longhorn-system,
                     rancher-alerting-drivers,
                     security-scan,
                     tigera-operator]
```
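To make the effect of the `exemptions` block concrete, the following is an added example, not Rancher's code and not the real PodSecurity admission plugin: a simplified Python emulation of the admission decision that implements a subset of the `restricted` Pod Security Standard checks plus the exemption logic from the sample configuration. The pod specs (`NODE_AGENT`, `HARDENED_APP`) are constructed for illustration and are not actual Rancher manifests; the `CONFIG` dict mirrors the plugin settings above.

```python
import copy

# Mirrors the PodSecurityConfiguration plugin settings from the sample file.
CONFIG = {
    "defaults": {"enforce": "restricted", "enforce-version": "latest"},
    "exemptions": {
        "usernames": [],
        "runtimeClasses": [],
        "namespaces": [
            "calico-apiserver", "calico-system", "cattle-alerting",
            "cattle-csp-adapter-system", "cattle-epinio-system",
            "cattle-externalip-system", "cattle-fleet-local-system",
            "cattle-fleet-system", "cattle-gatekeeper-system",
            "cattle-global-data", "cattle-global-nt",
            "cattle-impersonation-system", "cattle-istio",
            "cattle-istio-system", "cattle-logging", "cattle-logging-system",
            "cattle-monitoring-system", "cattle-neuvector-system",
            "cattle-prometheus", "cattle-sriov-system", "cattle-system",
            "cattle-ui-plugin-system", "cattle-windows-gmsa-system",
            "cert-manager", "cis-operator-system", "fleet-default",
            "ingress-nginx", "istio-system", "kube-node-lease", "kube-public",
            "kube-system", "longhorn-system", "rancher-alerting-drivers",
            "security-scan", "tigera-operator",
        ],
    },
}


def restricted_violations(pod):
    """Subset of the 'restricted' profile: host namespaces, hostPath volumes,
    privileged, privilege escalation, capabilities, runAsNonRoot, seccomp.
    Container-level settings fall back to pod-level ones where the PSS allows."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    found = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            found.append(f"{field} is not allowed")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"volume {vol.get('name')!r} uses hostPath")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("privileged"):
            found.append(f"container {name!r}: privileged")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"container {name!r}: allowPrivilegeEscalation must be false")
        if "ALL" not in caps.get("drop", []):
            found.append(f"container {name!r}: capabilities must drop ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            found.append(f"container {name!r}: only NET_BIND_SERVICE may be added")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"container {name!r}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"container {name!r}: seccompProfile must be RuntimeDefault or Localhost")
    return found


def admit(pod, username="", config=CONFIG):
    """Return (admitted, reasons). Exemptions are evaluated before any policy
    check, which is why a namespace on the list is never restricted at all."""
    ex = config["exemptions"]
    ns = pod["metadata"]["namespace"]
    if ns in ex["namespaces"]:
        return True, [f"namespace {ns!r} is exempt"]
    if username in ex["usernames"]:
        return True, [f"user {username!r} is exempt"]
    if pod["spec"].get("runtimeClassName") in ex["runtimeClasses"]:
        return True, ["runtimeClass is exempt"]
    level = config["defaults"]["enforce"]
    if level == "privileged":
        return True, ["enforce level is privileged"]
    if level != "restricted":
        raise ValueError(f"level {level!r} not modelled by this example")
    violations = restricted_violations(pod)
    return (False, violations) if violations else (True, [f"pod satisfies {level}"])


# Constructed pod specs for illustration (not real Rancher manifests).
NODE_AGENT = {
    "metadata": {"name": "node-agent", "namespace": "cattle-system"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "agent", "image": "example/agent:1",
                        "securityContext": {"privileged": True}}],
    },
}
HARDENED_APP = {
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "web", "image": "example/web:1",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}


def in_namespace(pod, ns):
    """Deep copy of a pod spec placed in another namespace."""
    moved = copy.deepcopy(pod)
    moved["metadata"]["namespace"] = ns
    return moved


if __name__ == "__main__":
    for p in (NODE_AGENT, in_namespace(NODE_AGENT, "default"), HARDENED_APP):
        ok, why = admit(p)
        print(p["metadata"]["namespace"], "ADMIT" if ok else "REJECT", why)
```

Running it shows the same privileged, hostPID, hostPath pod admitted in `cattle-system` purely because of the namespace exemption, and rejected with seven violations when moved to `default`; the hardened pod passes in `default` without any exemption. The practical caveat this makes visible is that an exempt namespace receives no enforcement at all, so anyone who can create pods in one of the listed namespaces can run privileged workloads; keep RBAC on those namespaces tight and do not add application namespaces to the list as a shortcut.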