Enable PodSecurityPolicy and configure auditing

tasks/files/etc/kubernetes/audit-policy.yaml

@@ -0,0 +1,70 @@
+audit/audit-policy.yaml 
+
+apiVersion: audit.k8s.io/v1 # This is required.
+kind: Policy
+# Don't generate audit events for all requests in RequestReceived stage.
+omitStages:
+  - "RequestReceived"
+rules:
+  # Log pod changes at RequestResponse level
+  - level: RequestResponse
+    resources:
+    - group: ""
+      # Resource "pods" doesn't match requests to any subresource of pods,
+      # which is consistent with the RBAC policy.
+      resources: ["pods"]
+  # Log "pods/log", "pods/status" at Metadata level
+  - level: Metadata
+    resources:
+    - group: ""
+      resources: ["pods/log", "pods/status"]
+
+  # Don't log requests to a configmap called "controller-leader"
+  - level: None
+    resources:
+    - group: ""
+      resources: ["configmaps"]
+      resourceNames: ["controller-leader"]
+
+  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
+  - level: None
+    users: ["system:kube-proxy"]
+    verbs: ["watch"]
+    resources:
+    - group: "" # core API group
+      resources: ["endpoints", "services"]
+
+  # Don't log authenticated requests to certain non-resource URL paths.
+  - level: None
+    userGroups: ["system:authenticated"]
+    nonResourceURLs:
+    - "/api*" # Wildcard matching.
+    - "/version"
+
+  # Log the request body of configmap changes in kube-system.
+  - level: Request
+    resources:
+    - group: "" # core API group
+      resources: ["configmaps"]
+    # This rule only applies to resources in the "kube-system" namespace.
+    # The empty string "" can be used to select non-namespaced resources.
+    namespaces: ["kube-system"]
+
+  # Log configmap and secret changes in all other namespaces at the Metadata level.
+  - level: Metadata
+    resources:
+    - group: "" # core API group
+      resources: ["secrets", "configmaps"]
+
+  # Log all other resources in core and extensions at the Request level.
+  - level: Request
+    resources:
+    - group: "" # core API group
+    - group: "extensions" # Version of group should NOT be included.
+
+  # A catch-all rule to log all other requests at the Metadata level.
+  - level: Metadata
+    # Long-running requests like watches that fall under this rule will not
+    # generate an audit event in RequestReceived.
+    omitStages:
+      - "RequestReceived"

tasks/install_server.yml

@@ -141,6 +141,16 @@
   when:
     - kubernetes_master|bool
 
+- name: Configure kubelet service
+  file:
+    src: "etc/kubernetes/audit-policy.yaml"
+    dest: "/etc/kubernetes/audit-policy.yaml"
+    group: root
+    owner: root
+    mode: 0644
+  when:
+    - kubernetes_master|bool
+
 - name: Deploy initial kubeadm config
   template:
     src: kubeadm-config.yaml.j2

templates/kubeadm-config.yaml.j2

@@ -78,7 +78,9 @@ controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443"
 {% endif %}
 apiServer:
   extraArgs:
+    enable-admission-plugins: NodeRestriction,PodSecurityPolicy
     authorization-mode: "Node,RBAC"
+    audit-policy-file: "/etc/kubernetes/audit-policy.yaml"
     audit-log-path: "/var/log/apiserver/audit.log"
     audit-log-maxage: "30"
     audit-log-maxbackup: "10"