feat: make kubernetes owner parametrized (#8952)

* feat: make kubernetes owner parametrized

* docs: update hardening guide with configuration for CIS 1.1.19

* fix: set etcd data directory permissions to be compliant to CIS 1.1.12
Alessio Greggi 2022-06-17 10:34:32 +02:00 committed by GitHub
parent 890fad389d
commit 97b4d79ed5
17 changed files with 40 additions and 14 deletions


@ -84,6 +84,10 @@ kubelet_rotate_certificates: true
kubelet_streaming_connection_idle_timeout: "5m"
kubelet_make_iptables_util_chains: true
kubelet_feature_gates: ["RotateKubeletServerCertificate=true"]
# additional configurations
kube_owner: root
kube_cert_group: root
```
Let's take a deep look to the resultant **kubernetes** configuration:


@ -25,6 +25,9 @@ local_release_dir: "/tmp/releases"
# Random shifts for retrying failed ops like pushing/downloading
retry_stagger: 5
# This is the user that owns tha cluster installation.
kube_owner: kube
# This is the group that the cert creation scripts chgrp the
# cert files to. Not really changeable...
kube_cert_group: kube-cert
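Review bot: The comment `# This is the user that owns tha cluster installation.` has a typo ("tha" should be "the"), and the same comment is repeated verbatim in the later section that adds `kube_owner: kube` under `kube_token_dir`. The `kube_owner` / `kube_cert_group` defaults are now declared in four places in this commit (this section and the ones adding them under `---`, under `disable_ipv6_dns` and under `kube_token_dir`), so a reader changing one file may not notice the others; whether that duplication is intentional (role defaults vs. sample inventory) cannot be told from the hunks alone. A one-line pointer in each comment would help, e.g. `# Overridable per inventory; the hardening guide sets kube_owner: root (CIS 1.1.19)`.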


@ -1,4 +1,5 @@
---
kube_owner: kube
kube_cert_group: kube-cert
etcd_data_dir: "/var/lib/etcd"


@ -13,3 +13,4 @@
shell: "{{ user.shell|default(omit) }}"
name: "{{ user.name }}"
system: "{{ user.system|default(omit) }}"
when: kube_owner != "root"
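Review bot: `when: kube_owner != "root"` gates account creation on the global owner variable rather than on the account this task actually creates (`{{ user.name }}`), so if the same task is invoked for other users (an etcd account, for instance) they are skipped as well whenever kube_owner is root; the callers are not visible from this hunk, so this is inferred. Note too that the created account is still `{{ user.name }}`: unless the caller derives that name from kube_owner, setting kube_owner to anything other than `root` or the default `kube` produces `owner: "{{ kube_owner }}"` references to an account that is never created. Either move the condition to the call site that includes the kube user, or derive the skip decision from the user entry itself rather than from kube_owner. The enclosing task starts outside the hunk.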


@ -35,7 +35,7 @@
file:
path: /etc/cni/net.d
state: directory
owner: kube
owner: "{{ kube_owner }}"
mode: 0755
- name: Setup CNI
copy:


@ -36,7 +36,7 @@
file:
path: /etc/cni/net.d
state: directory
owner: kube
owner: "{{ kube_owner }}"
mode: 0755
- name: Setup CNI
copy:


@ -1614,5 +1614,5 @@ download_defaults:
version: None
url: None
unarchive: false
owner: kube
owner: "{{ kube_owner }}"
mode: None


@ -1,4 +1,7 @@
---
# Set etcd user
etcd_owner: etcd
# Set to false to only do certificate management
etcd_cluster_setup: true
etcd_events_cluster_setup: false
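Review bot: `etcd_owner: etcd` is introduced here with the comment `# Set etcd user` and again in the later section whose comment reads `# Set etcd user/group`; since the new data-directory task uses the same value for both `owner` and `group`, the two comments should agree and say so, e.g. `# Set etcd user (also used as the group of the etcd data directory; that group must exist)`. Keeping the default in two files means they have to be changed together; a pointer in each comment to the other location would help.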


@ -4,7 +4,7 @@
path: "{{ etcd_cert_dir }}"
group: "{{ etcd_cert_group }}"
state: directory
owner: kube
owner: "{{ etcd_owner }}"
mode: "{{ etcd_cert_dir_mode }}"
recurse: yes
@ -81,7 +81,7 @@
dest: "{{ item.item }}"
content: "{{ item.content | b64decode }}"
group: "{{ etcd_cert_group }}"
owner: kube
owner: "{{ etcd_owner }}"
mode: 0640
with_items: "{{ etcd_master_certs.results }}"
when:
@ -111,7 +111,7 @@
dest: "{{ item.item }}"
content: "{{ item.content | b64decode }}"
group: "{{ etcd_cert_group }}"
owner: kube
owner: "{{ etcd_owner }}"
mode: 0640
with_items: "{{ etcd_master_node_certs.results }}"
when:
@ -165,6 +165,6 @@
path: "{{ etcd_cert_dir }}"
group: "{{ etcd_cert_group }}"
state: directory
owner: kube
owner: "{{ etcd_owner }}"
mode: "{{ etcd_cert_dir_mode }}"
recurse: yes


@ -1,4 +1,7 @@
---
# Set etcd user/group
etcd_owner: etcd
# Note: This does not set up DNS entries. It simply adds the following DNS
# entries to the certificate
etcd_cert_alt_names:


@ -16,3 +16,10 @@
import_role:
name: etcdctl
when: etcd_deployment_type == "kubeadm"
- name: Set ownership for etcd data directory
file:
path: "{{ etcd_data_dir }}"
owner: "{{ etcd_owner }}"
group: "{{ etcd_owner }}"
mode: 0700
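Review bot: The new `Set ownership for etcd data directory` task does not set `state: directory`, so if `{{ etcd_data_dir }}` does not exist yet when it runs, the file module fails instead of creating the directory with the intended 0700; add `state: directory` next to `mode: 0700` (writing it as `mode: "0700"` keeps the value a string across YAML parsers). `group: "{{ etcd_owner }}"` assumes a group named after the owner exists, which nothing in the hunk creates. The preceding task is gated with `when: etcd_deployment_type == "kubeadm"` while this one has no condition, so it runs for every deployment type; whether the etcd process runs as etcd_owner in each of them (containerized vs. host) is not visible here and should be confirmed, since 0700 owned by a different non-root account would lock etcd out of its own data. The enclosing task list starts outside the hunk.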


@ -22,6 +22,7 @@ common_required_pkgs:
# GCE docker repository
disable_ipv6_dns: false
kube_owner: kube
kube_cert_group: kube-cert
kube_config_dir: /etc/kubernetes
kube_cert_dir: "{{ kube_config_dir }}/ssl"


@ -3,7 +3,7 @@
file:
path: "{{ item }}"
state: directory
owner: kube
owner: "{{ kube_owner }}"
mode: 0755
when: inventory_hostname in groups['k8s_cluster']
become: true
@ -71,7 +71,7 @@
file:
path: "{{ item }}"
state: directory
owner: kube
owner: "{{ kube_owner }}"
mode: 0755
with_items:
- "/etc/cni/net.d"


@ -153,6 +153,9 @@ kube_cert_compat_dir: "/etc/kubernetes/pki"
# This is where all of the bearer tokens will be stored
kube_token_dir: "{{ kube_config_dir }}/tokens"
# This is the user that owns tha cluster installation.
kube_owner: kube
# This is the group that the cert creation scripts chgrp the
# cert files to. Not really changeable...
kube_cert_group: kube-cert


@ -4,7 +4,7 @@
src: "cni-canal.conflist.j2"
dest: "/etc/cni/net.d/canal.conflist.template"
mode: 0644
owner: kube
owner: "{{ kube_owner }}"
register: canal_conflist
notify: reset_canal_cni


@ -4,7 +4,7 @@
path: /opt/cni/bin
state: directory
mode: 0755
owner: kube
owner: "{{ kube_owner }}"
recurse: true
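Review bot: With `recurse: true`, `owner: "{{ kube_owner }}"` hands every CNI plugin binary under /opt/cni/bin to the configured owner, and the default in this commit stays `kube`, a non-root service account; those binaries are executed by the root kubelet, so write access by that account is a privilege-escalation path that the parametrization exposes but does not close by default. The same pattern applies to the directory hunks in the two /etc/cni/net.d sections, the `path: "{{ item }}"` section and the /var/lib/kube-router section. Consider defaulting executable and root-consumed paths to root independently of kube_owner, or at least stating in the kube_owner default comment that root is the hardened value, e.g. `# Non-root ownership also applies to /opt/cni/bin; the hardening guide sets kube_owner: root`.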
- name: CNI | Copy cni plugins


@ -7,7 +7,7 @@
file:
path: /var/lib/kube-router
state: directory
owner: kube
owner: "{{ kube_owner }}"
recurse: true
mode: 0755
@ -16,7 +16,7 @@
src: kubeconfig.yml.j2
dest: /var/lib/kube-router/kubeconfig
mode: 0644
owner: kube
owner: "{{ kube_owner }}"
notify:
- reset_kube_router
@ -44,7 +44,7 @@
src: cni-conf.json.j2
dest: /etc/cni/net.d/10-kuberouter.conflist
mode: 0644
owner: kube
owner: "{{ kube_owner }}"
notify:
- reset_kube_router
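Review bot: The kubeconfig written to /var/lib/kube-router/kubeconfig keeps `mode: 0644` while its owner becomes `{{ kube_owner }}`; if the rendered kubeconfig.yml.j2 embeds a token or client key (not visible from this hunk), a world-readable file exposes it to every local account, and `mode: 0640` would be the safer default for this one file. The conflist written at 0644 in the last hunk and in the canal section carries no credentials and is fine as is.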