This message was deleted Rancher Users #k3s

Join Slack

This message was deleted.

# k3s

adamant-kite-43734

07/24/2023, 4:32 PM

This message was deleted.

eager-refrigerator-66976

07/24/2023, 4:37 PM

oh, perhaps this https://docs.k3s.io/security/hardening-guide#pod-security ?

eager-refrigerator-66976

07/24/2023, 6:19 PM

tried ☝️ but it doesn’t seem it worked…

eager-refrigerator-66976

07/24/2023, 6:20 PM

I’ve tried this:

Copy code

apiVersion: <http://apiserver.config.k8s.io/v1|apiserver.config.k8s.io/v1>
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: <http://pod-security.admission.config.k8s.io/v1beta1|pod-security.admission.config.k8s.io/v1beta1>
    kind: PodSecurityConfiguration
    defaults:
      enforce: "privileged"
      enforce-version: "latest"
      audit: "privileged"
      audit-version: "latest"
      warn: "privileged"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: []

nutritious-tomato-14686

07/24/2023, 8:54 PM

Not working in what way? Setting all levels to "privileged" is the equivalent of not setting any kind of PSA.

eager-refrigerator-66976

07/24/2023, 8:55 PM

yeah exactly, that is what I was expecting but i still have pods having issues due to permissions

eager-refrigerator-66976

07/24/2023, 8:56 PM

on rke2 clusters I just added

defaultPodSecurityAdmissionConfigurationTemplateName: rancher-privileged

and that worked

eager-refrigerator-66976

07/24/2023, 8:56 PM

but for k3s standalone I don’t see how to set it up

nutritious-tomato-14686

07/24/2023, 8:56 PM

You could just not set up any PSAs

nutritious-tomato-14686

07/24/2023, 8:57 PM

Or was this a stepping stone to adding more restrictive PSAs later?

eager-refrigerator-66976

07/24/2023, 8:57 PM

nope, I want to disable it I am using kyverno for managing policies

eager-refrigerator-66976

07/24/2023, 8:58 PM

so I wan’t to disable PSA if that’s possible or set it to privileged to not block anything on pod security level

nutritious-tomato-14686

07/24/2023, 8:58 PM

If you don't want PSAs on k3s standalone, just don't pass the

--kube-apiserver-arg="admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml"

argument on startup

nutritious-tomato-14686

07/24/2023, 8:59 PM

By default standalone K3s has no PSAs installed

eager-refrigerator-66976

07/24/2023, 9:00 PM

oh… ok, then I might have some other issue because I didn’t have initially

--kube-apiserver-arg="admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml"

I’ve added it to try to force

privileged

because I was assuming that k3s does

restricted

by default

eager-refrigerator-66976

07/24/2023, 9:01 PM

which case I was looking in wrong direction

nutritious-tomato-14686

07/24/2023, 9:01 PM

Ah no, K3s is not secure or hardened by default

eager-refrigerator-66976

07/24/2023, 9:02 PM

👍 thanks, then my problem is somewhere else.

nutritious-tomato-14686

07/24/2023, 9:02 PM

Just to complete the thought, standalone RKE2 does have default policies depending on the

cis

flag, you can find info about that here: https://docs.rke2.io/security/pod_security_standards

eager-refrigerator-66976

07/24/2023, 9:03 PM

oh yeah I am aware of this, thanks for sharing 👍

👍 1

12 Views

Open in Slack

Previous Next