feat: add cis recommendations and hardening options

defaults/main.yml

@@ -15,6 +15,7 @@ k3s_node_name: "{{ ansible_hostname }}"
 k3s_node_ip: "{{ ansible_default_ipv4.address }}"
 k3s_init_log_enabled: False
 k3s_selinux_enabled: False
+k3s_protect_kernel_defaults: False
 
 k3s_server: True
 k3s_server_bind_ip: "0.0.0.0"

molecule/requirements.yml

@@ -3,4 +3,7 @@ collections:
   - name: https://gitea.rknet.org/ansible/xoxys.general/releases/download/v2.1.1/xoxys-general-2.1.1.tar.gz
   - name: community.general
 
-roles: []
+roles:
+  - src: https://gitea.rknet.org/ansible/xoxys.kernel
+    scm: git
+    version: main

molecule/rocky9/converge.yml

@@ -2,6 +2,19 @@
 - name: Converge
   hosts: all
   vars:
+    kernel_custom_config:
+      - file: 90-kubelet
+        content:
+          - name: vm.panic_on_oom
+            value: 0
+          - name: vm.overcommit_memory
+            value: 1
+          - name: kernel.panic
+            value: 10
+          - name: kernel.panic_on_oops
+            value: 1
+          - name: kernel.keys.root_maxbytes
+            value: 25000000
     k3s_reset: False
     k3s_packages_extra:
       - https://github.com/k3s-io/k3s-selinux/releases/download/v1.2.stable.2/k3s-selinux-1.2-2.el8.noarch.rpm
@@ -18,6 +31,7 @@
       #   dest: hcloud-ccm.yaml
     k3s_init_log_enabled: True
     k3s_selinux_enabled: True
+    k3s_protect_kernel_defaults: True
     # k3s_server_resource_creations:
     #   - kind: Secret
     #     name: hcloud
@@ -36,4 +50,5 @@
       set_fact:
         k3s_node_ip: "{{ ansible_default_ipv4.address }}"
   roles:
+    - role: xoxys.kernel
     - role: xoxys.k3s

templates/_internal/apiserver-arg.yaml.j2

@@ -3,6 +3,7 @@
 - authorization-mode=Node,RBAC
 - profiling=0
 - service-account-lookup=true
+- request-timeout=300s
 - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 - admission-control-config-file={{ __k3s_config_dir }}/server/admission-config.yaml
 {% if k3s_server_admission_plugins | length > 0 %}

templates/_internal/kube-controller-manager-arg.yaml.j2

@@ -0,0 +1,2 @@
+- terminated-pod-gc-threshold=10
+- use-service-account-credentials=true

templates/etc/rancher/k3s/config.yaml.j2

@@ -1,6 +1,7 @@
 #jinja2: lstrip_blocks: True
 ---
 {% set __k3s_kube_apiserver_arg = lookup('template', '_internal/apiserver-arg.yaml.j2') | from_yaml %}
+{% set __k3s_kube_controller_manager_arg = lookup('template', '_internal/kube-controller-manager-arg.yaml.j2') | from_yaml %}
 {% set __k3s_kubelet_arg = lookup('template', '_internal/kubelet-arg.yaml.j2') | from_yaml %}
 {% set __k3s_node_taint = lookup('template', '_internal/node-taint.yaml.j2') | from_yaml %}
 token: "{{ k3s_token }}"
@@ -15,6 +16,7 @@ kubelet-arg:
   {{ __k3s_kubelet_arg | to_nice_yaml(indent=2) | indent(2, False) }}
 {% endif %}
 selinux: {{ k3s_selinux_enabled | bool | lower }}
+protect-kernel-defaults: {{ k3s_protect_kernel_defaults | bool | lower }}
 
 {% if k3s_server | bool %}
 bind-address: "{{ k3s_server_bind_ip }}"
@@ -29,6 +31,10 @@ disable:
 kube-apiserver-arg:
   {{ __k3s_kube_apiserver_arg | to_nice_yaml(indent=2) | indent(2, False) }}
 {% endif %}
+{% if __k3s_kube_controller_manager_arg is iterable %}
+kube-controller-manager-arg:
+  {{ __k3s_kube_controller_manager_arg | to_nice_yaml(indent=2) | indent(2, False) }}
+{% endif %}
 {% if not k3s_server_flannel_backend_enabled | bool %}
 flannel-backend: "none"
 {% endif %}

templates/etc/rancher/k3s/kubelet.yaml.j2

@@ -4,3 +4,5 @@ apiVersion: kubelet.config.k8s.io/v1beta1
 kind: KubeletConfiguration
 shutdownGracePeriod: 30s
 shutdownGracePeriodCriticalPods: 10s
+streamingConnectionIdleTimeout: 5m
+makeIPTablesUtilChains: True