What happened?
After enabling hardening policies using hardening.yaml, the path of the real file is:
path: {{ kube_config_dir }}/admission-controls/{{ plugin | lower }}.yaml
not
path: {{ kube_config_dir }}/{{ plugin | lower }}.yaml as it is in the template.
I suggest just updating the path in the template?
Command I ran to enable additional security policies:
ansible-playbook -v cluster.yml -i inventory/test/hosts.yaml --become --become-user=root -e "@inventory/test/group_vars/k8s_cluster/hardening.yaml" -e "@inventory/test/vars.yaml"
What did you expect to happen?
The path in /etc/kubernetes/admission-controls/admission-controls.yaml is correct and points to the real policy, e.g. to
/etc/kubernetes/admission-controls/podsecurity.yaml in my case.
How can we reproduce it (as minimally and precisely as possible)?
ansible-playbook -v cluster.yml -i inventory/test/hosts.yaml --become --become-user=root -e "@inventory/test/group_vars/k8s_cluster/hardening.yaml" -e "@inventory/test/vars.yaml"
OS
Linux 6.8.0-48-generic x86_64
PRETTY_NAME="Ubuntu 24.04 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
Version of Ansible
ansible [core 2.16.13]
Version of Python
ansible [core 2.16.13]
Version of Kubespray (commit)
f9ebd45
Network plugin used
calico
Full inventory with variables
Command used to invoke ansible
ansible-playbook -v cluster.yml -i inventory/test/hosts.yaml --become --become-user=root -e "@inventory/test/group_vars/k8s_cluster/hardening.yaml" -e "@inventory/test/vars.yaml"
Output of ansible run
Anything else we need to know
No response
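A pre-flight check for the mismatch described in this report, added here as an illustration and not part of the issue or of Kubespray: it parses the rendered admission-controls.yaml, resolves every plugin's path, and reports plugins whose policy file does not exist. The render() helper is a constructed stand-in for the Jinja2 template (assumed shape: a plugins list of name/path pairs), with the subdir argument switching between the reported path and the expected one; the directory tree is a constructed fixture.

```python
import os
import re
import tempfile

# Line-oriented parser for the AdmissionConfiguration shape the report shows
# ("- name:" followed by "path:"); stdlib only, so no PyYAML is required.
PLUGIN_RE = re.compile(r"^\s*-\s*name:\s*(\S+)\s*$")
PATH_RE = re.compile(r"^\s*path:\s*(\S+)\s*$")

def plugin_paths(admission_config_text):
    """Return {plugin_name: config_path} from a rendered admission-controls.yaml."""
    paths, current = {}, None
    for line in admission_config_text.splitlines():
        m = PLUGIN_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PATH_RE.match(line)
        if m and current:
            paths[current] = m.group(1)
    return paths

def missing_policy_files(admission_config_text, root="/"):
    """List (plugin, path) pairs whose file is absent; paths resolve under `root`."""
    missing = []
    for plugin, path in plugin_paths(admission_config_text).items():
        if not os.path.isfile(os.path.join(root, path.lstrip("/"))):
            missing.append((plugin, path))
    return missing

def render(kube_config_dir, plugins, subdir):
    """Constructed stand-in for the template: subdir="" reproduces the reported
    output, subdir="admission-controls" the expected one."""
    base = os.path.join(kube_config_dir, subdir) if subdir else kube_config_dir
    lines = ["apiVersion: apiserver.config.k8s.io/v1",
             "kind: AdmissionConfiguration", "plugins:"]
    for plugin in plugins:
        lines += [f"- name: {plugin}", f"  path: {base}/{plugin.lower()}.yaml"]
    return "\n".join(lines) + "\n"

def demo():
    """Constructed fixture: only admission-controls/podsecurity.yaml exists."""
    root = tempfile.mkdtemp()
    policy_dir = os.path.join(root, "etc/kubernetes/admission-controls")
    os.makedirs(policy_dir)
    open(os.path.join(policy_dir, "podsecurity.yaml"), "w").close()
    buggy = missing_policy_files(render("/etc/kubernetes", ["PodSecurity"], ""), root)
    fixed = missing_policy_files(render("/etc/kubernetes", ["PodSecurity"], "admission-controls"), root)
    return buggy, fixed
```

Run missing_policy_files() against the real /etc/kubernetes/admission-controls/admission-controls.yaml on a control-plane node before restarting kube-apiserver; an empty result means every configured plugin resolves to an existing policy file.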