mirrors/talos
1
0
Fork 0
mirror of https://github.com/siderolabs/talos.git synced 2025-08-31 03:21:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat(init): enable PSP admission plugin (#230)

Browse Source
This commit is contained in:
Andrew Rynhard 2018-11-23 16:50:17 -08:00 committed by GitHub
parent f870acdae1
commit d0a0d1f3a0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/initramfs/cmd/init/pkg/security/cis/cis.go
View File

@ -106,11 +106,10 @@ func EnforceTLSRequirements(cfg *kubeadmapi.InitConfiguration) error {
// EnforceAdmissionPluginsRequirements enforces CIS requirements for admission plugins. // EnforceAdmissionPluginsRequirements enforces CIS requirements for admission plugins.
// TODO(andrewrynhard): Include any extra user specified plugins. // TODO(andrewrynhard): Include any extra user specified plugins.
// TODO(andrewrynhard): Enable PodSecurityPolicy.
// TODO(andrewrynhard): Enable EventRateLimit. // TODO(andrewrynhard): Enable EventRateLimit.
func EnforceAdmissionPluginsRequirements(cfg *kubeadmapi.InitConfiguration) error { func EnforceAdmissionPluginsRequirements(cfg *kubeadmapi.InitConfiguration) error {
// nolint: lll // nolint: lll
cfg.APIServerExtraArgs["enable-admission-plugins"] = "AlwaysPullImages,SecurityContextDeny,DenyEscalatingExec,NamespaceLifecycle,ServiceAccount,NodeRestriction,LimitRanger,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota" cfg.APIServerExtraArgs["enable-admission-plugins"] = "AlwaysPullImages,PodSecurityPolicy,DenyEscalatingExec,NamespaceLifecycle,ServiceAccount,NodeRestriction,LimitRanger,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota"
return nil return nil
} }