From 515130cd11d9109518873a84a615ed53cd59ba61 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Sun, 29 Jan 2023 16:46:24 +0100
Subject: [PATCH] feat: add cis recommendations and hardening options
---
 defaults/main.yml | 1 +
 molecule/requirements.yml | 5 ++++-
 molecule/rocky9/converge.yml | 15 +++++++++++++++
 templates/_internal/apiserver-arg.yaml.j2 | 1 +
 .../_internal/kube-controller-manager-arg.yaml.j2 | 2 ++
 templates/etc/rancher/k3s/config.yaml.j2 | 6 ++++++
 templates/etc/rancher/k3s/kubelet.yaml.j2 | 2 ++
 7 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 templates/_internal/kube-controller-manager-arg.yaml.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index ba464f7..4259442 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -15,6 +15,7 @@ k3s_node_name: "{{ ansible_hostname }}"
 k3s_node_ip: "{{ ansible_default_ipv4.address }}"
 k3s_init_log_enabled: False
 k3s_selinux_enabled: False
+k3s_protect_kernel_defaults: False
 k3s_server: True
 k3s_server_bind_ip: "0.0.0.0"
diff --git a/molecule/requirements.yml b/molecule/requirements.yml
index 46da115..507c3aa 100644
--- a/molecule/requirements.yml
+++ b/molecule/requirements.yml
@@ -3,4 +3,7 @@ collections:
 - name: https://gitea.rknet.org/ansible/xoxys.general/releases/download/v2.1.1/xoxys-general-2.1.1.tar.gz
 - name: community.general
-roles: []
+roles:
+ - src: https://gitea.rknet.org/ansible/xoxys.kernel
+ scm: git
+ version: main
diff --git a/molecule/rocky9/converge.yml b/molecule/rocky9/converge.yml
index 6f16f1b..bff9e93 100644
--- a/molecule/rocky9/converge.yml
+++ b/molecule/rocky9/converge.yml
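Review bot: The new `k3s_protect_kernel_defaults` default in defaults/main.yml carries no comment, and the option has a precondition a consumer of the role needs to know: once the kubelet's protect-kernel-defaults is on, the kubelet refuses to start unless the sysctls it would otherwise set itself already hold its expected values (vm.overcommit_memory=1, vm.panic_on_oom=0, kernel.panic=10, kernel.panic_on_oops=1, kernel.keys.root_maxkeys=1000000, kernel.keys.root_maxbytes=25000000). The molecule scenario in this commit satisfies that through the xoxys.kernel role, but nothing in the defaults file points to it. I would add above the line: `# When True the kubelet will not start unless the sysctls it expects (vm.overcommit_memory=1, vm.panic_on_oom=0, kernel.panic=10, kernel.panic_on_oops=1, kernel.keys.root_maxkeys=1000000, kernel.keys.root_maxbytes=25000000) are already applied; see molecule/rocky9/converge.yml`.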
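Review bot: `version: main` on the new xoxys.kernel role entry in molecule/requirements.yml tracks a moving branch, while the xoxys.general collection two lines above is pinned to a released 2.1.1 artifact; the scenario can therefore change behaviour, or start applying different sysctls, without any change in this repository. Pinning to a tag or commit keeps the test reproducible and makes the code that ends up tuning the kernel reviewable, e.g. `version: <release tag>` with the tag filled in. The blast radius here is the test environment only, but the same unpinned source is presumably what the molecule run exercises on every CI execution.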
@@ -2,6 +2,19 @@
 - name: Converge
 hosts: all
 vars:
+ kernel_custom_config:
+ - file: 90-kubelet
+ content:
+ - name: vm.panic_on_oom
+ value: 0
+ - name: vm.overcommit_memory
+ value: 1
+ - name: kernel.panic
+ value: 10
+ - name: kernel.panic_on_oops
+ value: 1
+ - name: kernel.keys.root_maxbytes
+ value: 25000000
 k3s_reset: False
 k3s_packages_extra:
 - https://github.com/k3s-io/k3s-selinux/releases/download/v1.2.stable.2/k3s-selinux-1.2-2.el8.noarch.rpm
@@ -18,6 +31,7 @@
 # dest: hcloud-ccm.yaml
 k3s_init_log_enabled: True
 k3s_selinux_enabled: True
+ k3s_protect_kernel_defaults: True
 # k3s_server_resource_creations:
 # - kind: Secret
 # name: hcloud
@@ -36,4 +50,5 @@
 set_fact:
 k3s_node_ip: "{{ ansible_default_ipv4.address }}"
 roles:
+ - role: xoxys.kernel
 - role: xoxys.k3s
diff --git a/templates/_internal/apiserver-arg.yaml.j2 b/templates/_internal/apiserver-arg.yaml.j2
index 70f91d4..cb67e26 100644
--- a/templates/_internal/apiserver-arg.yaml.j2
+++ b/templates/_internal/apiserver-arg.yaml.j2
@@ -3,6 +3,7 @@
 - authorization-mode=Node,RBAC
 - profiling=0
 - service-account-lookup=true
+- request-timeout=300s
 - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 - admission-control-config-file={{ __k3s_config_dir }}/server/admission-config.yaml
 {% if k3s_server_admission_plugins | length > 0 %}
diff --git a/templates/_internal/kube-controller-manager-arg.yaml.j2 b/templates/_internal/kube-controller-manager-arg.yaml.j2
new file mode 100644
index 0000000..090601b
--- /dev/null
+++ b/templates/_internal/kube-controller-manager-arg.yaml.j2
@@ -0,0 +1,2 @@
+- terminated-pod-gc-threshold=10
+- use-service-account-credentials=true
diff --git a/templates/etc/rancher/k3s/config.yaml.j2 b/templates/etc/rancher/k3s/config.yaml.j2
index 8722707..2a12d2c 100644
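Review bot: The kernel_custom_config list in the first converge.yml hunk sets five of the six sysctls the kubelet verifies when protect-kernel-defaults is enabled but omits kernel.keys.root_maxkeys, which the kubelet expects at 1000000 alongside the kernel.keys.root_maxbytes=25000000 entry that is present. On Rocky 9 the kernel default for root_maxkeys most likely already matches, so the scenario passes, but a host with a different value would fail kubelet startup with a kernel-flag mismatch that this test would not reveal. I would add `- name: kernel.keys.root_maxkeys` / `value: 1000000` next to the root_maxbytes entry so the scenario documents the complete set a user has to provide.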
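Review bot: The ordering of `- role: xoxys.kernel` before `- role: xoxys.k3s` in the third converge.yml hunk is load-bearing, since the sysctls must be in place before k3s starts a kubelet with protect-kernel-defaults enabled, yet nothing marks it as deliberate. A one-line comment above the new entry, `# must run before xoxys.k3s: k3s_protect_kernel_defaults requires the sysctls to be applied first`, would keep a later reordering from producing a kubelet that refuses to start only in CI.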
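Review bot: `request-timeout=300s` in apiserver-arg.yaml.j2 is five times the kube-apiserver default of 1m, so the line relaxes the limit rather than tightening it; the CIS item behind it only asks that the value be set deliberately, and a longer timeout lets slow or stalled requests occupy server resources for longer. If 300s is needed for specific long-running calls, a comment above the line saying so would help (`# raised from the 60s default because <reason>`); otherwise the default is the more conservative choice. The value is also hard-coded in the template while neighbouring behaviour such as the admission plugins is driven by role variables; a variable with a documented default would let operators set it per cluster.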
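Review bot: `terminated-pod-gc-threshold=10` in the new kube-controller-manager-arg.yaml.j2 is a very aggressive value next to the kube-controller-manager default of 12500: once more than ten terminated pods exist cluster-wide the controller deletes the oldest, and with them the pod status, exit reasons and container log history a responder would use to work out why a workload died. The CIS recommendation only asks for an appropriate threshold, so I would expose this as a role variable with a default that keeps useful history and describe the forensic trade-off in defaults/main.yml, rather than fixing it in the template. `use-service-account-credentials=true` is fine as written, as it relies on the per-controller RBAC roles upstream Kubernetes bootstraps.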
--- a/templates/etc/rancher/k3s/config.yaml.j2
+++ b/templates/etc/rancher/k3s/config.yaml.j2
@@ -1,6 +1,7 @@
 #jinja2: lstrip_blocks: True
 ---
 {% set __k3s_kube_apiserver_arg = lookup('template', '_internal/apiserver-arg.yaml.j2') | from_yaml %}
+{% set __k3s_kube_controller_manager_arg = lookup('template', '_internal/kube-controller-manager-arg.yaml.j2') | from_yaml %}
 {% set __k3s_kubelet_arg = lookup('template', '_internal/kubelet-arg.yaml.j2') | from_yaml %}
 {% set __k3s_node_taint = lookup('template', '_internal/node-taint.yaml.j2') | from_yaml %}
 token: "{{ k3s_token }}"
@@ -15,6 +16,7 @@ kubelet-arg:
 {{ __k3s_kubelet_arg | to_nice_yaml(indent=2) | indent(2, False) }}
 {% endif %}
 selinux: {{ k3s_selinux_enabled | bool | lower }}
+protect-kernel-defaults: {{ k3s_protect_kernel_defaults | bool | lower }}
 {% if k3s_server | bool %}
 bind-address: "{{ k3s_server_bind_ip }}"
@@ -29,6 +31,10 @@ disable:
 kube-apiserver-arg:
 {{ __k3s_kube_apiserver_arg | to_nice_yaml(indent=2) | indent(2, False) }}
 {% endif %}
+{% if __k3s_kube_controller_manager_arg is iterable %}
+kube-controller-manager-arg:
+ {{ __k3s_kube_controller_manager_arg | to_nice_yaml(indent=2) | indent(2, False) }}
+{% endif %}
 {% if not k3s_server_flannel_backend_enabled | bool %}
 flannel-backend: "none"
 {% endif %}
diff --git a/templates/etc/rancher/k3s/kubelet.yaml.j2 b/templates/etc/rancher/k3s/kubelet.yaml.j2
index c2b85ee..4cf3e69 100644
--- a/templates/etc/rancher/k3s/kubelet.yaml.j2
+++ b/templates/etc/rancher/k3s/kubelet.yaml.j2
@@ -4,3 +4,5 @@ apiVersion: kubelet.config.k8s.io/v1beta1
 kind: KubeletConfiguration
 shutdownGracePeriod: 30s
 shutdownGracePeriodCriticalPods: 10s
+streamingConnectionIdleTimeout: 5m
+makeIPTablesUtilChains: True
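Review bot: `makeIPTablesUtilChains: True` in kubelet.yaml.j2 uses the capitalised YAML 1.1 boolean; the kubelet's loader accepts it, but Kubernetes configuration examples spell it `true` and yamllint's truthy rule flags the capitalised form, so I would write `makeIPTablesUtilChains: true`. That setting is already the kubelet default, so the line records intent rather than changing behaviour. `streamingConnectionIdleTimeout: 5m`, by contrast, does tighten the 4h default and will close idle exec, attach and port-forward sessions after five minutes, which deserves a comment above it so operators recognise the source of such disconnects, e.g. `# close idle exec/attach/port-forward streams after 5m (default 4h); CIS recommends a non-zero value`.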