Summary
I want to know if it is possible to add
https://docs.rke2.io/security/pod_security_standards?_highlight=psa
After placing this configuration file, rke2 will start the kube-apiserver with the following flag --admission-control-config-file which will be set to the path of the PSA config file.
If you want to override the default pod security standard configuration file, you can pass pod-security-admission-config-file: to the RKE2 config file.
So, the idea is to add an option in defaults/main.yaml like

```yaml
# Validate system configuration against the selected benchmark
# (Supported value is "cis-1.23" or eventually "cis-1.6" if you are running RKE2 prior 1.25)
rke2_cis_profile: ""
```

Now the actual one or last one is cis
A rough mapping of RKE2 versions to CIS benchmark versions is as follows:

| CIS Benchmark | Applicable RKE2 Minors | Profile Flag |
| -- | -- | -- |
| 1.5 | 1.15-1.18 | cis-1.5 |
| 1.6 | 1.19-1.22 | cis-1.6 |
| 1.23 | 1.23 | cis-1.23 |
| 1.24 | 1.24 | cis-1.23 |
| 1.7 | 1.25-1.28 | cis-1.23, cis |
| 1.8 | 1.29+ | cis |

So, if I want to use my own flavor instead of the one provided by default by rke2,
I need to add something like
rke2_custom_cis_profile: "true"
and then a template, which could be done by a jinja file or fixed values provided as input,
and add an extra config.yaml value with
pod-security-admission-config-file:
It is just an idea about how to maintain a dynamic psa file.
Regards
Rino
Issue Type
Feature Idea
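
A custom PSA file of the kind the requested option would point RKE2 at, as an added example that is not part of the original issue or of the role's code. The file path, the chosen levels and the exempted namespace are assumptions, and the `v1` configuration API assumes Kubernetes 1.25 or later.

```yaml
# Constructed example: custom Pod Security Admission configuration.
# Assumed location on the server node: /etc/rancher/rke2/custom-psa.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: PodSecurity
    configuration:
      apiVersion: pod-security.admission.config.k8s.io/v1
      kind: PodSecurityConfiguration
      # Cluster-wide defaults, applied to every namespace that carries
      # no pod-security.kubernetes.io/* labels of its own.
      defaults:
        enforce: "restricted"      # reject pods that violate the profile
        enforce-version: "latest"
        audit: "restricted"        # annotate audit log entries
        audit-version: "latest"
        warn: "restricted"         # return warnings to the client
        warn-version: "latest"
      # Anything listed here bypasses enforcement entirely,
      # so keep each list as short as the cluster allows.
      exemptions:
        usernames: []
        runtimeClasses: []
        namespaces:
          - kube-system            # assumed exemption for system pods

# Matching entry in the RKE2 config file (key as named in the issue,
# path assumed to match the location above):
#   pod-security-admission-config-file: /etc/rancher/rke2/custom-psa.yaml
```

A namespace can still opt into a different level through its own `pod-security.kubernetes.io/enforce` label, so the defaults above only decide what unlabelled namespaces get.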