diff --git a/bootstrap/api/v1alpha1/conversion.go b/bootstrap/api/v1alpha1/conversion.go
index 5e9985e7..8003d962 100644
--- a/bootstrap/api/v1alpha1/conversion.go
+++ b/bootstrap/api/v1alpha1/conversion.go
@@ -47,6 +47,10 @@ func (src *RKE2Config) ConvertTo(dstRaw conversion.Hub) error {
 dst.Spec.AgentConfig.AirGappedChecksum = restored.Spec.AgentConfig.AirGappedChecksum
 }
+ if restored.Spec.AgentConfig.PodSecurityAdmissionConfigFile != "" {
+ dst.Spec.AgentConfig.PodSecurityAdmissionConfigFile = restored.Spec.AgentConfig.PodSecurityAdmissionConfigFile
+ }
+
 return nil
 }
@@ -102,6 +106,10 @@ func (src *RKE2ConfigTemplate) ConvertTo(dstRaw conversion.Hub) error {
 dst.Spec.Template.Spec.AgentConfig.AirGappedChecksum = restored.Spec.Template.Spec.AgentConfig.AirGappedChecksum
 }
+ if restored.Spec.Template.Spec.AgentConfig.PodSecurityAdmissionConfigFile != "" {
+ dst.Spec.Template.Spec.AgentConfig.PodSecurityAdmissionConfigFile = restored.Spec.Template.Spec.AgentConfig.PodSecurityAdmissionConfigFile
+ }
+
 return nil
 }
diff --git a/bootstrap/api/v1alpha1/zz_generated.conversion.go b/bootstrap/api/v1alpha1/zz_generated.conversion.go
index 0f082514..8fdf408a 100644
--- a/bootstrap/api/v1alpha1/zz_generated.conversion.go
+++ b/bootstrap/api/v1alpha1/zz_generated.conversion.go
@@ -418,6 +418,7 @@ func autoConvert_v1beta1_RKE2AgentConfig_To_v1alpha1_RKE2AgentConfig(in *v1beta1
 out.ContainerRuntimeEndpoint = in.ContainerRuntimeEndpoint
 out.Snapshotter = in.Snapshotter
 out.CISProfile = CISProfile(in.CISProfile)
+ // WARNING: in.PodSecurityAdmissionConfigFile requires manual conversion: does not exist in peer-type
 out.ResolvConf = (*v1.ObjectReference)(unsafe.Pointer(in.ResolvConf))
 out.ProtectKernelDefaults = in.ProtectKernelDefaults
 out.SystemDefaultRegistry = in.SystemDefaultRegistry
diff --git a/bootstrap/api/v1beta1/rke2config_types.go b/bootstrap/api/v1beta1/rke2config_types.go
index 18cc0215..b8316f89 100644
--- a/bootstrap/api/v1beta1/rke2config_types.go
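Review bot: The restore block added to RKE2Config.ConvertTo copies PodSecurityAdmissionConfigFile from the annotation-restored object only when it is non-empty, matching the AirGappedChecksum guard above it, but the direction that has to keep the value alive is not in this diff: zz_generated.conversion.go (@@ -418) now marks the field as requiring manual conversion, so a v1beta1 object converted to v1alpha1 and back keeps its path only if this package's ConvertFrom stores the hub object via utilconversion.MarshalData before the generated converter drops the field — confirm that, because a value lost in round-trip would quietly leave the agent config without the admission configuration the user set. The same four-line block is repeated in RKE2ConfigTemplate.ConvertTo (@@ -102) and in controlplane/api/v1alpha1/conversion.go (@@ -53 and @@ -125), so whatever is confirmed or fixed here applies to all four. If the package has a conversion round-trip fuzz test, it should be exercised with the new field populated. Both ConvertTo functions start outside the hunk.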
+++ b/bootstrap/api/v1beta1/rke2config_types.go
@@ -106,6 +106,11 @@ type RKE2AgentConfig struct {
 //+optional
 CISProfile CISProfile `json:"cisProfile,omitempty"`
+ // PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file. The file can be passed through
+ // spec.Files field.
+ //+optional
+ PodSecurityAdmissionConfigFile string `json:"podSecurityAdmissionConfigFile,omitempty"`
+
 // ResolvConf is a reference to a ConfigMap containing resolv.conf content for the node.
 //+optional
 ResolvConf *corev1.ObjectReference `json:"resolvConf,omitempty"`
diff --git a/bootstrap/config/crd/bases/bootstrap.cluster.x-k8s.io_rke2configs.yaml b/bootstrap/config/crd/bases/bootstrap.cluster.x-k8s.io_rke2configs.yaml
index eacf84e4..e8fc05a1 100644
--- a/bootstrap/config/crd/bases/bootstrap.cluster.x-k8s.io_rke2configs.yaml
+++ b/bootstrap/config/crd/bases/bootstrap.cluster.x-k8s.io_rke2configs.yaml
@@ -834,6 +834,11 @@ spec:
 type: string
 type: array
 type: object
+ podSecurityAdmissionConfigFile:
+ description: |-
+ PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file. The file can be passed through
+ spec.Files field.
+ type: string
 protectKernelDefaults:
 description: |-
 ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.
diff --git a/bootstrap/config/crd/bases/bootstrap.cluster.x-k8s.io_rke2configtemplates.yaml b/bootstrap/config/crd/bases/bootstrap.cluster.x-k8s.io_rke2configtemplates.yaml
index 2c74e38a..b5abe247 100644
--- a/bootstrap/config/crd/bases/bootstrap.cluster.x-k8s.io_rke2configtemplates.yaml
+++ b/bootstrap/config/crd/bases/bootstrap.cluster.x-k8s.io_rke2configtemplates.yaml
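Review bot: The doc comment on the new RKE2AgentConfig field talks about a `PodSecurityPolicyConfigFile` and a "PodSecurityPolicy configuration file", but the field is named PodSecurityAdmissionConfigFile and, judging by the `pod-security-admission-config-file` tag it maps to in pkg/rke2/config.go, it configures Pod Security Admission rather than the PodSecurityPolicy admission plugin that current Kubernetes no longer ships; godoc convention also wants the comment to open with the field name. Suggested replacement: `// PodSecurityAdmissionConfigFile is the path to the Pod Security Admission configuration file that RKE2 is started with (its pod-security-admission-config-file option). The file must exist on the node, for example by provisioning it through spec.Files; the path is passed to RKE2 as-is.` The same sentences appear verbatim in the four CRD descriptions (bootstrap.cluster.x-k8s.io_rke2configs.yaml, bootstrap.cluster.x-k8s.io_rke2configtemplates.yaml, controlplane.cluster.x-k8s.io_rke2controlplanes.yaml, controlplane.cluster.x-k8s.io_rke2controlplanetemplates.yaml), which presumably regenerate from this comment. Nothing in the diff checks that the path is absolute or matches a spec.Files entry, so it is worth stating in the comment that a wrong path leaves the node without the intended admission configuration, or adding a format validation marker if the project uses them.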
@@ -817,6 +817,11 @@ spec:
 type: string
 type: array
 type: object
+ podSecurityAdmissionConfigFile:
+ description: |-
+ PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file. The file can be passed through
+ spec.Files field.
+ type: string
 protectKernelDefaults:
 description: |-
 ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.
diff --git a/controlplane/api/v1alpha1/conversion.go b/controlplane/api/v1alpha1/conversion.go
index 8db5bebe..d2133e99 100644
--- a/controlplane/api/v1alpha1/conversion.go
+++ b/controlplane/api/v1alpha1/conversion.go
@@ -22,8 +22,8 @@ import (
 apiconversion "k8s.io/apimachinery/pkg/conversion"
 utilconversion "sigs.k8s.io/cluster-api/util/conversion"
- bootstrapv1beta1 "github.com/rancher/cluster-api-provider-rke2/bootstrap/api/v1beta1"
 bootstrapv1alpha1 "github.com/rancher/cluster-api-provider-rke2/bootstrap/api/v1alpha1"
+ bootstrapv1beta1 "github.com/rancher/cluster-api-provider-rke2/bootstrap/api/v1beta1"
 controlplanev1 "github.com/rancher/cluster-api-provider-rke2/controlplane/api/v1beta1"
 "sigs.k8s.io/controller-runtime/pkg/conversion"
 )
@@ -53,6 +53,10 @@ func (src *RKE2ControlPlane) ConvertTo(dstRaw conversion.Hub) error {
 dst.Spec.AgentConfig.AirGappedChecksum = restored.Spec.AgentConfig.AirGappedChecksum
 }
+ if restored.Spec.AgentConfig.PodSecurityAdmissionConfigFile != "" {
+ dst.Spec.AgentConfig.PodSecurityAdmissionConfigFile = restored.Spec.AgentConfig.PodSecurityAdmissionConfigFile
+ }
+
 dst.Spec.MachineTemplate = restored.Spec.MachineTemplate
 dst.Status = restored.Status
@@ -125,6 +129,10 @@ func (src *RKE2ControlPlaneTemplate) ConvertTo(dstRaw conversion.Hub) error {
 dst.Spec.Template.Spec.AgentConfig.AirGappedChecksum = restored.Spec.Template.Spec.AgentConfig.AirGappedChecksum
 }
+ if restored.Spec.Template.Spec.AgentConfig.PodSecurityAdmissionConfigFile != "" {
+ dst.Spec.Template.Spec.AgentConfig.PodSecurityAdmissionConfigFile = restored.Spec.Template.Spec.AgentConfig.PodSecurityAdmissionConfigFile
+ }
+
 dst.Spec.Template = restored.Spec.Template
 dst.Status = restored.Status
@@ -206,9 +214,9 @@ func Convert_v1beta1_RKE2ControlPlaneStatus_To_v1alpha1_RKE2ControlPlaneTemplate
 }
 func Convert_v1beta1_RKE2ConfigSpec_To_v1alpha1_RKE2ConfigSpec(in *bootstrapv1beta1.RKE2ConfigSpec, out *bootstrapv1alpha1.RKE2ConfigSpec, s apiconversion.Scope) error {
- return bootstrapv1alpha1.Convert_v1beta1_RKE2ConfigSpec_To_v1alpha1_RKE2ConfigSpec(in, out, s)
+ return bootstrapv1alpha1.Convert_v1beta1_RKE2ConfigSpec_To_v1alpha1_RKE2ConfigSpec(in, out, s)
 }
 func Convert_v1alpha1_RKE2ConfigSpec_To_v1beta1_RKE2ConfigSpec(in *bootstrapv1alpha1.RKE2ConfigSpec, out *bootstrapv1beta1.RKE2ConfigSpec, s apiconversion.Scope) error {
- return bootstrapv1alpha1.Convert_v1alpha1_RKE2ConfigSpec_To_v1beta1_RKE2ConfigSpec(in, out, s)
+ return bootstrapv1alpha1.Convert_v1alpha1_RKE2ConfigSpec_To_v1beta1_RKE2ConfigSpec(in, out, s)
 }
diff --git a/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanes.yaml b/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanes.yaml
index 54491220..102ef4c3 100644
--- a/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanes.yaml
+++ b/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanes.yaml
@@ -1479,6 +1479,11 @@ spec:
 type: string
 type: array
 type: object
+ podSecurityAdmissionConfigFile:
+ description: |-
+ PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file. The file can be passed through
+ spec.Files field.
+ type: string
 protectKernelDefaults:
 description: |-
 ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.
diff --git a/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanetemplates.yaml b/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanetemplates.yaml
index 8adafa11..64d4b4e8 100644
--- a/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanetemplates.yaml
+++ b/controlplane/config/crd/bases/controlplane.cluster.x-k8s.io_rke2controlplanetemplates.yaml
@@ -309,6 +309,11 @@ spec:
 type: string
 type: array
 type: object
+ podSecurityAdmissionConfigFile:
+ description: |-
+ PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file. The file can be passed through
+ spec.Files field.
+ type: string
 protectKernelDefaults:
 description: |-
 ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.
diff --git a/pkg/rke2/config.go b/pkg/rke2/config.go
index 73736953..d32751f1 100644
--- a/pkg/rke2/config.go
+++ b/pkg/rke2/config.go
@@ -368,34 +368,34 @@ func newRKE2ServerConfig(opts ServerConfigOpts) (*ServerConfig, []bootstrapv1.Fi
 }
 type rke2AgentConfig struct {
- ContainerRuntimeEndpoint string `json:"container-runtime-endpoint,omitempty"`
- CloudProviderConfig string `json:"cloud-provider-config,omitempty"`
- CloudProviderName string `json:"cloud-provider-name,omitempty"`
- DataDir string `json:"data-dir,omitempty"`
- ImageCredentialProviderConfig string `json:"image-credential-provider-config,omitempty"`
- ImageCredentialProviderBinDir string `json:"image-credential-provider-bin-dir,omitempty"`
- KubeProxyArgs []string `json:"kube-proxy-arg,omitempty"`
- KubeProxyExtraEnv map[string]string `json:"kube-proxy-extra-env,omitempty"`
- KubeProxyExtraMounts map[string]string `json:"kube-proxy-extra-mount,omitempty"`
- KubeProxyImage string `json:"kube-proxy-image,omitempty"`
- KubeletArgs []string `json:"kubelet-arg,omitempty"`
- KubeletPath string `json:"kubelet-path,omitempty"`
- LbServerPort int `json:"lb-server-port,omitempty"`
- NodeLabels []string `json:"node-label,omitempty"`
- NodeTaints []string `json:"node-taint,omitempty"`
- Profile string `json:"profile,omitempty"`
- ProtectKernelDefaults bool `json:"protect-kernel-defaults,omitempty"`
- ResolvConf string `json:"resolv-conf,omitempty"`
- RuntimeImage string `json:"runtime-image,omitempty"`
- Selinux bool `json:"selinux,omitempty"`
- Server string `json:"server,omitempty"`
- Snapshotter string `json:"snapshotter,omitempty"`
- Token string `json:"token,omitempty"`
+ ContainerRuntimeEndpoint string `json:"container-runtime-endpoint,omitempty"`
+ CloudProviderConfig string `json:"cloud-provider-config,omitempty"`
+ CloudProviderName string `json:"cloud-provider-name,omitempty"`
+ DataDir string `json:"data-dir,omitempty"`
+ ImageCredentialProviderConfig string `json:"image-credential-provider-config,omitempty"`
+ ImageCredentialProviderBinDir string `json:"image-credential-provider-bin-dir,omitempty"`
+ KubeProxyArgs []string `json:"kube-proxy-arg,omitempty"`
+ KubeProxyExtraEnv map[string]string `json:"kube-proxy-extra-env,omitempty"`
+ KubeProxyExtraMounts map[string]string `json:"kube-proxy-extra-mount,omitempty"`
+ KubeProxyImage string `json:"kube-proxy-image,omitempty"`
+ KubeletArgs []string `json:"kubelet-arg,omitempty"`
+ KubeletPath string `json:"kubelet-path,omitempty"`
+ LbServerPort int `json:"lb-server-port,omitempty"`
+ NodeLabels []string `json:"node-label,omitempty"`
+ NodeTaints []string `json:"node-taint,omitempty"`
+ Profile string `json:"profile,omitempty"`
+ ProtectKernelDefaults bool `json:"protect-kernel-defaults,omitempty"`
+ PodSecurityAdmissionConfigFile string `json:"pod-security-admission-config-file,omitempty"` // new flag, not present in the RKE2 docs yet
+ ResolvConf string `json:"resolv-conf,omitempty"`
+ RuntimeImage string `json:"runtime-image,omitempty"`
+ Selinux bool `json:"selinux,omitempty"`
+ Server string `json:"server,omitempty"`
+ Snapshotter string `json:"snapshotter,omitempty"`
+ Token string `json:"token,omitempty"`
 // We don't expose these in the API
- PauseImage string `json:"pause-image,omitempty"`
- PodSecurityAdmissionConfigFile string `json:"pod-security-admission-config-file,omitempty"` // new flag, not present in the RKE2 docs yet
- PrivateRegistry string `json:"private-registry,omitempty"`
+ PauseImage string `json:"pause-image,omitempty"`
+ PrivateRegistry string `json:"private-registry,omitempty"`
 NodeExternalIp string `json:"node-external-ip,omitempty"`
 NodeIp string `json:"node-ip,omitempty"`
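Review bot: The trailing comment `// new flag, not present in the RKE2 docs yet` travelled with PodSecurityAdmissionConfigFile when the field moved out of the "We don't expose these in the API" section, but the field is now user-settable through the CRD, so the comment should be re-checked against current RKE2 documentation and either dropped or turned into a pointer users can act on; if the option really is undocumented upstream, that belongs in the API type's doc comment where it is visible, not in this internal struct. Apart from the move, the hunk is a gofmt re-alignment of the struct. Since the struct is serialized straight into the agent config and the API value is copied in verbatim (@@ -501), a short comment such as `// path as seen by the rke2 agent on the node; not resolved by the provider` next to the field would make the ownership of path resolution explicit — I am inferring that from the tag, so confirm against how RKE2 treats relative paths. The rke2AgentConfig definition continues past the end of the hunk.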
@@ -501,6 +501,7 @@ func newRKE2AgentConfig(opts AgentConfigOpts) (*rke2AgentConfig, []bootstrapv1.F
 rke2AgentConfig.NodeLabels = opts.AgentConfig.NodeLabels
 rke2AgentConfig.NodeTaints = opts.AgentConfig.NodeTaints
 rke2AgentConfig.ProtectKernelDefaults = opts.AgentConfig.ProtectKernelDefaults
+ rke2AgentConfig.PodSecurityAdmissionConfigFile = opts.AgentConfig.PodSecurityAdmissionConfigFile
 if opts.AgentConfig.ResolvConf != nil {
 resolvConfCM := &corev1.ConfigMap{}