Securing k3s deployment

tasks/cluster_k3s.yml

@@ -122,6 +122,16 @@
   when:
     - kubernetes_server|bool
 
+- name: Configure Pod Security
+  ansible.builtin.copy:
+    src: "etc/kubernetes/psa.yaml"
+    dest: "/etc/kubernetes/psa.yaml"
+    group: root
+    owner: root
+    mode: 0644
+  when:
+    - kubernetes_master|bool
+
 - name: Audit policies directory
   ansible.builtin.file:
     path: "/etc/kubernetes/policies"
@@ -164,6 +174,38 @@
 - name: Configure first controler
 #  run_once: true
   block:
+  - name: Create k3s directories
+    ansible.builtin.file:
+      path: "{{ item }}"
+      state: directory
+      owner: root
+      group: root
+      mode: 0700
+    with_items:
+      - "/etc/rancher"
+      - "/etc/rancher/k3s"
+      - "/etc/rancher/k3s/config.yaml.d"
+      - "/var/lib/rancher"
+      - "/var/lib/rancher/k3s"
+      - "/var/lib/rancher/k3s/server"
+      - "/var/lib/rancher/k3s/server/manifests"
+    when:
+      - kubernetes_master|bool
+
+  - name: Deploy Network Policies
+    ansible.builtin.template:
+      src: "{{ item }}.j2"
+      dest: "{{ item }}"
+      owner: root
+      group: root
+      mode: 0600
+    with_items:
+      - "var/lib/rancher/k3s/server/manifests/np-00-intra-namespace.yaml.j2"
+      - "var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml.j2"
+      - "var/lib/rancher/k3s/server/manifests/np-03-metrics-server-traefik.yaml.j2"
+    when:
+      - kubernetes_master|bool
+
   - name: Deploy systemd service
     ansible.builtin.template:
       src: "{{ item }}.j2"
@@ -205,7 +247,7 @@
     - kubernetes_master|bool
     - vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined
 
-
+# chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt
 
 # Manque kubernetes_server_token, kubernetes_master url