From d0a0d1f3a07f00272de492e3d7a428b7a2972ecc Mon Sep 17 00:00:00 2001
From: Andrew Rynhard
Date: Fri, 23 Nov 2018 16:50:17 -0800
Subject: [PATCH] feat(init): enable PSP admission plugin (#230)
---
 src/initramfs/cmd/init/pkg/security/cis/cis.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/initramfs/cmd/init/pkg/security/cis/cis.go b/src/initramfs/cmd/init/pkg/security/cis/cis.go
index 4e8d4eeed..a063fd067 100644
--- a/src/initramfs/cmd/init/pkg/security/cis/cis.go
+++ b/src/initramfs/cmd/init/pkg/security/cis/cis.go
@@ -106,11 +106,10 @@ func EnforceTLSRequirements(cfg *kubeadmapi.InitConfiguration) error {
 // EnforceAdmissionPluginsRequirements enforces CIS requirements for admission plugins.
 // TODO(andrewrynhard): Include any extra user specified plugins.
-// TODO(andrewrynhard): Enable PodSecurityPolicy.
 // TODO(andrewrynhard): Enable EventRateLimit.
 func EnforceAdmissionPluginsRequirements(cfg *kubeadmapi.InitConfiguration) error {
 // nolint: lll
- cfg.APIServerExtraArgs["enable-admission-plugins"] = "AlwaysPullImages,SecurityContextDeny,DenyEscalatingExec,NamespaceLifecycle,ServiceAccount,NodeRestriction,LimitRanger,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota"
+ cfg.APIServerExtraArgs["enable-admission-plugins"] = "AlwaysPullImages,PodSecurityPolicy,DenyEscalatingExec,NamespaceLifecycle,ServiceAccount,NodeRestriction,LimitRanger,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota"
 return nil
 }
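Review bot: The new plugin list on the `+` line swaps `SecurityContextDeny` out for `PodSecurityPolicy` rather than appending it, and nothing in this hunk shows a PodSecurityPolicy object or the RBAC `use` binding for it being bootstrapped. With the plugin enabled and no authorized policy, the API server rejects every pod creation, and the common workaround of binding a permissive policy to all service accounts would leave the cluster with neither control in effect. If the policies are installed elsewhere in the init path, record that dependency at the assignment with a comment such as `// PodSecurityPolicy supersedes SecurityContextDeny; restrictive PSPs and their RBAC bindings must be applied before workloads are admitted.` The assignment also still overwrites any plugin list already present in `cfg.APIServerExtraArgs`, which the remaining TODO acknowledges.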