PodSecurity fixes

kubebn · Jul 13, 2022 · 225394d · 225394d
1 parent bf70993
commit 225394d
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/hetzner/deployments/hcloud-cloud-controller-manager.yaml b/hetzner/deployments/hcloud-cloud-controller-manager.yaml
@@ -34,8 +34,6 @@ spec:
     metadata:
       labels:
         app: hcloud-cloud-controller-manager
-      annotations:
-        scheduler.alpha.kubernetes.io/critical-pod: ''
     spec:
       serviceAccountName: cloud-controller-manager
       dnsPolicy: Default

diff --git a/hetzner/templates/controlplane.yaml.tpl b/hetzner/templates/controlplane.yaml.tpl
@@ -94,6 +94,25 @@ cluster:
       - "${ipv4_local}"
       - "${ipv4_vip}"
       - "${apiDomain}"
+    admissionControl:
+      - name: PodSecurity
+        configuration:
+          apiVersion: pod-security.admission.config.k8s.io/v1alpha1
+          defaults:
+            audit: restricted
+            audit-version: latest
+            enforce: baseline
+            enforce-version: latest
+            warn: restricted
+            warn-version: latest
+          exemptions:
+            namespaces:
+              - kube-system
+              - ingress-nginx
+              - local-path-provisioner
+            runtimeClasses: []
+            usernames: []
+          kind: PodSecurityConfiguration
   controllerManager:
     extraArgs:
         node-cidr-mask-size-ipv4: 24