feat: add cis recommendations and hardening options

Robert Kaussow 2023-01-29 16:46:24 +01:00
parent d34e069578
commit 515130cd11
Signed by: xoxys
GPG Key ID: 4E692A2EAECC03C0
7 changed files with 31 additions and 1 deletions


@ -15,6 +15,7 @@ k3s_node_name: "{{ ansible_hostname }}"
k3s_node_ip: "{{ ansible_default_ipv4.address }}" k3s_node_ip: "{{ ansible_default_ipv4.address }}"
k3s_init_log_enabled: False k3s_init_log_enabled: False
k3s_selinux_enabled: False k3s_selinux_enabled: False
k3s_protect_kernel_defaults: False
k3s_server: True k3s_server: True
k3s_server_bind_ip: "0.0.0.0" k3s_server_bind_ip: "0.0.0.0"
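Review bot: The new default `k3s_protect_kernel_defaults: False` carries no explanation, and it is the one option in this set that can take a node down if flipped blindly: with `--protect-kernel-defaults` the kubelet, as far as I know, refuses to start when `vm.overcommit_memory`, `vm.panic_on_oom`, `kernel.panic`, `kernel.panic_on_oops` and the `kernel.keys.*` limits differ from what it expects, instead of correcting them. The molecule scenario pulls in xoxys.kernel for exactly that, but this role does not manage those sysctls itself. Add a comment above the line, such as `# CIS 4.2.6 (kubelet --protect-kernel-defaults). Opt-in: the expected vm.*/kernel.* sysctls must already be set on every node (see molecule converge) or the kubelet will not start`, so users know what to prepare before enabling it.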


@ -3,4 +3,7 @@ collections:
- name: https://gitea.rknet.org/ansible/xoxys.general/releases/download/v2.1.1/xoxys-general-2.1.1.tar.gz - name: https://gitea.rknet.org/ansible/xoxys.general/releases/download/v2.1.1/xoxys-general-2.1.1.tar.gz
- name: community.general - name: community.general
roles: [] roles:
- src: https://gitea.rknet.org/ansible/xoxys.kernel
scm: git
version: main
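Review bot: The new `xoxys.kernel` role dependency is pinned to `version: main`, a moving branch, while the collection two lines above is fetched from a fixed `v2.1.1` release artifact; any push to that branch (or a compromise of the git remote) silently changes what this role installs, which is the opposite of what a hardening commit should do to its supply chain. Pin it to a release tag or, better, a full commit SHA (`version: "<tag or commit sha>"`) and bump it deliberately. The `roles: []` to `roles:` change itself is fine.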


@ -2,6 +2,19 @@
- name: Converge - name: Converge
hosts: all hosts: all
vars: vars:
kernel_custom_config:
- file: 90-kubelet
content:
- name: vm.panic_on_oom
value: 0
- name: vm.overcommit_memory
value: 1
- name: kernel.panic
value: 10
- name: kernel.panic_on_oops
value: 1
- name: kernel.keys.root_maxbytes
value: 25000000
k3s_reset: False k3s_reset: False
k3s_packages_extra: k3s_packages_extra:
- https://github.com/k3s-io/k3s-selinux/releases/download/v1.2.stable.2/k3s-selinux-1.2-2.el8.noarch.rpm - https://github.com/k3s-io/k3s-selinux/releases/download/v1.2.stable.2/k3s-selinux-1.2-2.el8.noarch.rpm
@ -18,6 +31,7 @@
# dest: hcloud-ccm.yaml # dest: hcloud-ccm.yaml
k3s_init_log_enabled: True k3s_init_log_enabled: True
k3s_selinux_enabled: True k3s_selinux_enabled: True
k3s_protect_kernel_defaults: True
# k3s_server_resource_creations: # k3s_server_resource_creations:
# - kind: Secret # - kind: Secret
# name: hcloud # name: hcloud
@ -36,4 +50,5 @@
set_fact: set_fact:
k3s_node_ip: "{{ ansible_default_ipv4.address }}" k3s_node_ip: "{{ ansible_default_ipv4.address }}"
roles: roles:
- role: xoxys.kernel
- role: xoxys.k3s - role: xoxys.k3s
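Review bot: The `90-kubelet` sysctl set in the converge vars is missing `kernel.keys.root_maxkeys`; if I recall the kubelet's protected-tunable list correctly it checks both `kernel.keys.root_maxkeys` (expected 1000000) and `kernel.keys.root_maxbytes` (expected 25000000), and with `k3s_protect_kernel_defaults: True` a mismatch is fatal at kubelet start rather than corrected. Recent kernels already default `root_maxkeys` to that value, which is presumably why the scenario passes, but pinning one of the pair and not the other is fragile; add `- name: kernel.keys.root_maxkeys` / `value: 1000000` next to the existing `root_maxbytes` entry. A short comment on the `kernel_custom_config` block noting that these are the values the kubelet enforces under `protect-kernel-defaults` would also help the next reader.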


@ -3,6 +3,7 @@
- authorization-mode=Node,RBAC - authorization-mode=Node,RBAC
- profiling=0 - profiling=0
- service-account-lookup=true - service-account-lookup=true
- request-timeout=300s
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- admission-control-config-file={{ __k3s_config_dir }}/server/admission-config.yaml - admission-control-config-file={{ __k3s_config_dir }}/server/admission-config.yaml
{% if k3s_server_admission_plugins | length > 0 %} {% if k3s_server_admission_plugins | length > 0 %}
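Review bot: `request-timeout=300s` is a bare literal with no rationale, and it is five times the kube-apiserver default of 60s; the benchmark only asks that the timeout be set deliberately, and a longer window also lets a slow client hold an apiserver handler longer, so the choice should be recorded and tunable rather than baked into the template. A comment such as `# CIS: request-timeout set explicitly; 300s appears to follow the k3s hardening guide` plus `- request-timeout={{ k3s_server_request_timeout | default('300s') }}` keeps today's output while letting operators lower it. The enclosing `{% if %}` structure of this template starts and ends outside the hunk.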


@ -0,0 +1,2 @@
- terminated-pod-gc-threshold=10
- use-service-account-credentials=true
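Review bot: `terminated-pod-gc-threshold=10` is an aggressive value: the controller manager deletes terminated pod objects once more than that many exist cluster-wide, which also discards the exit status and events of crashed pods that an incident responder would want to inspect, and the benchmark only asks that the flag be set, not for this number. Document it and expose it, e.g. `- terminated-pod-gc-threshold={{ k3s_server_terminated_pod_gc_threshold | default(10) }}`, so a cluster that needs to retain more evidence can raise it without editing the role. `use-service-account-credentials=true` is fine as is, but it relies on the controller manager having a service-account signing key and root CA configured, which I believe k3s provides by default; a one-line comment saying so would stop someone from dropping it later.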


@ -1,6 +1,7 @@
#jinja2: lstrip_blocks: True #jinja2: lstrip_blocks: True
--- ---
{% set __k3s_kube_apiserver_arg = lookup('template', '_internal/apiserver-arg.yaml.j2') | from_yaml %} {% set __k3s_kube_apiserver_arg = lookup('template', '_internal/apiserver-arg.yaml.j2') | from_yaml %}
{% set __k3s_kube_controller_manager_arg = lookup('template', '_internal/kube-controller-manager-arg.yaml.j2') | from_yaml %}
{% set __k3s_kubelet_arg = lookup('template', '_internal/kubelet-arg.yaml.j2') | from_yaml %} {% set __k3s_kubelet_arg = lookup('template', '_internal/kubelet-arg.yaml.j2') | from_yaml %}
{% set __k3s_node_taint = lookup('template', '_internal/node-taint.yaml.j2') | from_yaml %} {% set __k3s_node_taint = lookup('template', '_internal/node-taint.yaml.j2') | from_yaml %}
token: "{{ k3s_token }}" token: "{{ k3s_token }}"
@ -15,6 +16,7 @@ kubelet-arg:
{{ __k3s_kubelet_arg | to_nice_yaml(indent=2) | indent(2, False) }} {{ __k3s_kubelet_arg | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif %} {% endif %}
selinux: {{ k3s_selinux_enabled | bool | lower }} selinux: {{ k3s_selinux_enabled | bool | lower }}
protect-kernel-defaults: {{ k3s_protect_kernel_defaults | bool | lower }}
{% if k3s_server | bool %} {% if k3s_server | bool %}
bind-address: "{{ k3s_server_bind_ip }}" bind-address: "{{ k3s_server_bind_ip }}"
@ -29,6 +31,10 @@ disable:
kube-apiserver-arg: kube-apiserver-arg:
{{ __k3s_kube_apiserver_arg | to_nice_yaml(indent=2) | indent(2, False) }} {{ __k3s_kube_apiserver_arg | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif %} {% endif %}
{% if __k3s_kube_controller_manager_arg is iterable %}
kube-controller-manager-arg:
{{ __k3s_kube_controller_manager_arg | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif %}
{% if not k3s_server_flannel_backend_enabled | bool %} {% if not k3s_server_flannel_backend_enabled | bool %}
flannel-backend: "none" flannel-backend: "none"
{% endif %} {% endif %}
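Review bot: The new `{% if __k3s_kube_controller_manager_arg is iterable %}` guard also passes for a plain string, because Jinja's `iterable` test only checks that `iter()` succeeds; if the included template ever renders to a single scalar, `to_nice_yaml` would emit that scalar under `kube-controller-manager-arg:` and k3s would receive a malformed config instead of the key being omitted. Tightening it to `{% if __k3s_kube_controller_manager_arg is iterable and __k3s_kube_controller_manager_arg is not string %}` keeps the behaviour for the list this commit ships and rejects that case. The opening `{% if %}` of the `kube-apiserver-arg` block above is outside the hunk, so I cannot tell whether it uses the same test; if it does, align both.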


@ -4,3 +4,5 @@ apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration kind: KubeletConfiguration
shutdownGracePeriod: 30s shutdownGracePeriod: 30s
shutdownGracePeriodCriticalPods: 10s shutdownGracePeriodCriticalPods: 10s
streamingConnectionIdleTimeout: 5m
makeIPTablesUtilChains: True
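Review bot: The kubelet configuration still serves port 10250 with the default Go cipher set, while the apiserver in this same commit is restricted to six AEAD ECDHE suites via `tls-cipher-suites`; the benchmark's kubelet section asks for the same restriction (strong ciphers only), so the kubelet side is the inconsistent half. Adding a `tlsCipherSuites` list with the identical suites, as below, closes that gap without changing anything else. As a point of style, `makeIPTablesUtilChains: True` would read better as `makeIPTablesUtilChains: true`, matching the lowercase booleans Kubernetes documentation uses for this file. The rest of the KubeletConfiguration document is outside the hunk.
```yaml
# … unchanged: shutdownGracePeriod / shutdownGracePeriodCriticalPods / streamingConnectionIdleTimeout / makeIPTablesUtilChains …
tlsCipherSuites:
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
```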