
PSP #4

@morriq

Description


Based on https://rancher.com/docs/k3s/latest/en/security/hardening_guide/#podsecuritypolicies

PSP is documented, but reading about PSP in the k8s documentation shows

FEATURE STATE: Kubernetes v1.21 [deprecated]

and suggests to use https://kubernetes.io/docs/concepts/security/pod-security-standards/

but for now it's not documented in k3s, and the deprecated PSP shown in the k3s documentation has issues with ECK.

So to handle ECK in k3s I must learn PSP, which is hard to learn and deprecated.

That's why I don't put any PSP into Ansible; you can do it on your own. Useful links:

https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-network-policies.html
elastic/cloud-on-k8s#2817
elastic/cloud-on-k8s#2108

Creating a PSP is not valid without

        k3s_server:
          etcd-snapshot-schedule-cron: '0 */6 * * *'
          etcd-s3-region: 'eu-central-1'
          etcd-s3-bucket: '{{s3_bucket}}'
          etcd-s3-access-key: '{{s3_access_key}}'
          etcd-s3-secret-key: '{{s3_secret_key}}'
          etcd-s3: yes
          tls-san: '{{ansible_host}}'
          # these lines:
          kube-apiserver-arg:
            - 'enable-admission-plugins=NodeRestriction,PodSecurityPolicy,ServiceAccount'
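Added check, not part of this issue or of the Ansible role it describes: given the k3s_server mapping above (the structure the role renders into the k3s config file), confirm that the PodSecurityPolicy admission plugin would actually be active, since PSP objects created without it are silently never enforced. The sample mappings below are constructed; the tls-san host name is a placeholder.

```python
# Added check (not from the issue or the role): does the rendered k3s_server
# mapping actually enable the PodSecurityPolicy admission plugin?
ADMISSION_ARG = "kube-apiserver-arg"
PSP = "PodSecurityPolicy"


def _split_plugins(value):
    """Turn 'A,B,C' into ['A', 'B', 'C'], dropping empty items."""
    return [p.strip() for p in value.split(",") if p.strip()]


def admission_state(k3s_server):
    """Return (enabled, disabled) plugin sets parsed from kube-apiserver-arg.

    k3s passes each list entry to kube-apiserver as '--<entry>', so entries
    look like 'enable-admission-plugins=NodeRestriction,PodSecurityPolicy'.
    """
    enabled, disabled = set(), set()
    args = k3s_server.get(ADMISSION_ARG) or []
    if isinstance(args, str):  # be lenient: treat a lone string as a one-item list
        args = [args]
    for entry in args:
        key, _, value = entry.partition("=")
        if key == "enable-admission-plugins":
            enabled.update(_split_plugins(value))
        elif key == "disable-admission-plugins":
            disabled.update(_split_plugins(value))
    return enabled, disabled


def psp_enforced(k3s_server):
    """True only if PSP is enabled and not also listed as disabled."""
    enabled, disabled = admission_state(k3s_server)
    return PSP in enabled and PSP not in disabled


# Constructed sample: the issue's k3s_server block, secrets and etcd keys omitted.
HARDENED = {
    "tls-san": "node.example.internal",  # placeholder host
    ADMISSION_ARG: [
        "enable-admission-plugins=NodeRestriction,PodSecurityPolicy,ServiceAccount",
    ],
}
# The same block without the kube-apiserver-arg lines the issue calls out.
UNHARDENED = {"tls-san": "node.example.internal"}

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(f"{name}: PodSecurityPolicy enforced = {psp_enforced(cfg)}")
```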
