PodSecurity fixes

2025-10-30 01:52:18 +00:00 · 2022-07-13 16:09:15 +03:00
parent bf709933a3
commit 225394da8b
2 changed files with 19 additions and 2 deletions
--- a/hetzner/deployments/hcloud-cloud-controller-manager.yaml
+++ b/hetzner/deployments/hcloud-cloud-controller-manager.yaml
@@ -34,8 +34,6 @@ spec:
    metadata:
      labels:
        app: hcloud-cloud-controller-manager
-      annotations:
-        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      serviceAccountName: cloud-controller-manager
      dnsPolicy: Default
--- a/hetzner/templates/controlplane.yaml.tpl
+++ b/hetzner/templates/controlplane.yaml.tpl
@@ -94,6 +94,25 @@ cluster:
      - "${ipv4_local}"
      - "${ipv4_vip}"
      - "${apiDomain}"
+    admissionControl:
+      - name: PodSecurity
+        configuration:
+          apiVersion: pod-security.admission.config.k8s.io/v1alpha1
+          defaults:
+            audit: restricted
+            audit-version: latest
+            enforce: baseline
+            enforce-version: latest
+            warn: restricted
+            warn-version: latest
+          exemptions:
+            namespaces:
+              - kube-system
+              - ingress-nginx
+              - local-path-provisioner
+            runtimeClasses: []
+            usernames: []
+          kind: PodSecurityConfiguration
  controllerManager:
    extraArgs:
        node-cidr-mask-size-ipv4: 24