feat: make kubernetes owner parametrized (#8952)
* feat: make kubernetes owner parametrized * docs: update hardening guide with configuration for CIS 1.1.19 * fix: set etcd data directory permissions to be compliant with CIS 1.1.12
This commit is contained in:
parent
890fad389d
commit
97b4d79ed5
17 changed files with 40 additions and 14 deletions
|
@ -84,6 +84,10 @@ kubelet_rotate_certificates: true
|
|||
kubelet_streaming_connection_idle_timeout: "5m"
|
||||
kubelet_make_iptables_util_chains: true
|
||||
kubelet_feature_gates: ["RotateKubeletServerCertificate=true"]
|
||||
|
||||
# additional configurations
|
||||
kube_owner: root
|
||||
kube_cert_group: root
|
||||
```
|
||||
|
||||
Let's take a deep look to the resultant **kubernetes** configuration:
|
||||
|
|
|
@ -25,6 +25,9 @@ local_release_dir: "/tmp/releases"
|
|||
# Random shifts for retrying failed ops like pushing/downloading
|
||||
retry_stagger: 5
|
||||
|
||||
# This is the user that owns tha cluster installation.
|
||||
kube_owner: kube
|
||||
|
||||
# This is the group that the cert creation scripts chgrp the
|
||||
# cert files to. Not really changeable...
|
||||
kube_cert_group: kube-cert
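Review bot: The comment added above `kube_owner: kube` reads `# This is the user that owns tha cluster installation.` — a typo for `the`, and the same comment text is repeated in the later hunk that adds the variable next to `kube_token_dir`. The retained `# cert files to. Not really changeable...` wording on `kube_cert_group` now contradicts this very commit, whose hardening guide sets `kube_cert_group: root`; rewording it to `# cert files to. Change it together with kube_owner; the group must exist on the node.` would state the actual contract. The same `kube_owner`/`kube_cert_group` defaults are introduced in three more hunks of this commit (the one opening with `---`, the one after `disable_ipv6_dns: false`, and the one after `kube_token_dir`), so four copies now have to stay in sync; one authoritative default plus the sample inventory documenting the override would be less error-prone.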
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
---
|
||||
kube_owner: kube
|
||||
kube_cert_group: kube-cert
|
||||
etcd_data_dir: "/var/lib/etcd"
|
||||
|
||||
|
|
|
@ -13,3 +13,4 @@
|
|||
shell: "{{ user.shell|default(omit) }}"
|
||||
name: "{{ user.name }}"
|
||||
system: "{{ user.system|default(omit) }}"
|
||||
when: kube_owner != "root"
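Review bot: The new `when: kube_owner != "root"` gates the whole user-creation task on the global owner variable rather than on the entry being created, so if this task loops over several accounts (the `user.name` / `user.shell` references suggest a list that may also hold the etcd account), setting `kube_owner: root` skips creating those unrelated users too; the head of the task is outside the hunk, so this is inferred. A per-item guard such as `when: user.name != "root"` creates every listed account except root regardless of which one `kube_owner` names. It is also worth confirming that the list entry for the kube account uses `{{ kube_owner }}` as its name; otherwise an owner that is neither `root` nor `kube` is never created and the later `owner: "{{ kube_owner }}"` file tasks fail.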
|
||||
|
|
|
@ -35,7 +35,7 @@
|
|||
file:
|
||||
path: /etc/cni/net.d
|
||||
state: directory
|
||||
owner: kube
|
||||
owner: "{{ kube_owner }}"
|
||||
mode: 0755
|
||||
- name: Setup CNI
|
||||
copy:
|
||||
|
|
|
@ -36,7 +36,7 @@
|
|||
file:
|
||||
path: /etc/cni/net.d
|
||||
state: directory
|
||||
owner: kube
|
||||
owner: "{{ kube_owner }}"
|
||||
mode: 0755
|
||||
- name: Setup CNI
|
||||
copy:
|
||||
|
|
|
@ -1614,5 +1614,5 @@ download_defaults:
|
|||
version: None
|
||||
url: None
|
||||
unarchive: false
|
||||
owner: kube
|
||||
owner: "{{ kube_owner }}"
|
||||
mode: None
|
||||
|
|
|
@ -1,4 +1,7 @@
|
|||
---
|
||||
# Set etcd user
|
||||
etcd_owner: etcd
|
||||
|
||||
# Set to false to only do certificate management
|
||||
etcd_cluster_setup: true
|
||||
etcd_events_cluster_setup: false
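Review bot: `etcd_owner: etcd` is only a default, and nothing in this commit ensures the account exists when it is overridden — the only creation guard touched here (`when: kube_owner != "root"` in the adduser task) keys on `kube_owner`, not `etcd_owner`. Because the cert tasks now pass this value to `owner:` together with `recurse: yes` on the cert directory, an unknown account makes the file module fail mid-role after some files may already have been chowned. A comment stating the contract would help, e.g. `# Set etcd user; the account must exist on the etcd hosts before this role runs.` The same default is added again in the hunk opening with `# Set etcd user/group`; keeping a single source avoids the two drifting apart.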
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
path: "{{ etcd_cert_dir }}"
|
||||
group: "{{ etcd_cert_group }}"
|
||||
state: directory
|
||||
owner: kube
|
||||
owner: "{{ etcd_owner }}"
|
||||
mode: "{{ etcd_cert_dir_mode }}"
|
||||
recurse: yes
|
||||
|
||||
|
@ -81,7 +81,7 @@
|
|||
dest: "{{ item.item }}"
|
||||
content: "{{ item.content | b64decode }}"
|
||||
group: "{{ etcd_cert_group }}"
|
||||
owner: kube
|
||||
owner: "{{ etcd_owner }}"
|
||||
mode: 0640
|
||||
with_items: "{{ etcd_master_certs.results }}"
|
||||
when:
|
||||
|
@ -111,7 +111,7 @@
|
|||
dest: "{{ item.item }}"
|
||||
content: "{{ item.content | b64decode }}"
|
||||
group: "{{ etcd_cert_group }}"
|
||||
owner: kube
|
||||
owner: "{{ etcd_owner }}"
|
||||
mode: 0640
|
||||
with_items: "{{ etcd_master_node_certs.results }}"
|
||||
when:
|
||||
|
@ -165,6 +165,6 @@
|
|||
path: "{{ etcd_cert_dir }}"
|
||||
group: "{{ etcd_cert_group }}"
|
||||
state: directory
|
||||
owner: kube
|
||||
owner: "{{ etcd_owner }}"
|
||||
mode: "{{ etcd_cert_dir_mode }}"
|
||||
recurse: yes
|
||||
|
|
|
@ -1,4 +1,7 @@
|
|||
---
|
||||
# Set etcd user/group
|
||||
etcd_owner: etcd
|
||||
|
||||
# Note: This does not set up DNS entries. It simply adds the following DNS
|
||||
# entries to the certificate
|
||||
etcd_cert_alt_names:
|
||||
|
|
|
@ -16,3 +16,10 @@
|
|||
import_role:
|
||||
name: etcdctl
|
||||
when: etcd_deployment_type == "kubeadm"
|
||||
|
||||
- name: Set ownership for etcd data directory
|
||||
file:
|
||||
path: "{{ etcd_data_dir }}"
|
||||
owner: "{{ etcd_owner }}"
|
||||
group: "{{ etcd_owner }}"
|
||||
mode: 0700
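Review bot: The new `Set ownership for etcd data directory` task calls the `file` module without `state:`, so it runs with the default `state: file`, which does not create the path and fails if `etcd_data_dir` does not yet exist on the host at this point of the role (whether it is created earlier is outside the hunk). Adding `state: directory` makes the task create-or-fix and still meets the CIS 1.1.12 intent. `group: "{{ etcd_owner }}"` assumes a group named like the user exists, whereas the cert tasks use a separate `etcd_cert_group`; an explicit `etcd_group` default, or a comment stating the assumption, would make the requirement visible. Finally, write the mode as a quoted string, `mode: "0700"`, as Ansible recommends for octal modes so the literal is never reinterpreted by a YAML parser.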
|
||||
|
|
|
@ -22,6 +22,7 @@ common_required_pkgs:
|
|||
# GCE docker repository
|
||||
disable_ipv6_dns: false
|
||||
|
||||
kube_owner: kube
|
||||
kube_cert_group: kube-cert
|
||||
kube_config_dir: /etc/kubernetes
|
||||
kube_cert_dir: "{{ kube_config_dir }}/ssl"
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
owner: kube
|
||||
owner: "{{ kube_owner }}"
|
||||
mode: 0755
|
||||
when: inventory_hostname in groups['k8s_cluster']
|
||||
become: true
|
||||
|
@ -71,7 +71,7 @@
|
|||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
owner: kube
|
||||
owner: "{{ kube_owner }}"
|
||||
mode: 0755
|
||||
with_items:
|
||||
- "/etc/cni/net.d"
|
||||
|
|
|
@ -153,6 +153,9 @@ kube_cert_compat_dir: "/etc/kubernetes/pki"
|
|||
# This is where all of the bearer tokens will be stored
|
||||
kube_token_dir: "{{ kube_config_dir }}/tokens"
|
||||
|
||||
# This is the user that owns tha cluster installation.
|
||||
kube_owner: kube
|
||||
|
||||
# This is the group that the cert creation scripts chgrp the
|
||||
# cert files to. Not really changeable...
|
||||
kube_cert_group: kube-cert
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
src: "cni-canal.conflist.j2"
|
||||
dest: "/etc/cni/net.d/canal.conflist.template"
|
||||
mode: 0644
|
||||
owner: kube
|
||||
owner: "{{ kube_owner }}"
|
||||
register: canal_conflist
|
||||
notify: reset_canal_cni
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
path: /opt/cni/bin
|
||||
state: directory
|
||||
mode: 0755
|
||||
owner: kube
|
||||
owner: "{{ kube_owner }}"
|
||||
recurse: true
|
||||
|
||||
- name: CNI | Copy cni plugins
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
file:
|
||||
path: /var/lib/kube-router
|
||||
state: directory
|
||||
owner: kube
|
||||
owner: "{{ kube_owner }}"
|
||||
recurse: true
|
||||
mode: 0755
|
||||
|
||||
|
@ -16,7 +16,7 @@
|
|||
src: kubeconfig.yml.j2
|
||||
dest: /var/lib/kube-router/kubeconfig
|
||||
mode: 0644
|
||||
owner: kube
|
||||
owner: "{{ kube_owner }}"
|
||||
notify:
|
||||
- reset_kube_router
|
||||
|
||||
|
@ -44,7 +44,7 @@
|
|||
src: cni-conf.json.j2
|
||||
dest: /etc/cni/net.d/10-kuberouter.conflist
|
||||
mode: 0644
|
||||
owner: kube
|
||||
owner: "{{ kube_owner }}"
|
||||
notify:
|
||||
- reset_kube_router
|
||||
|
||||
|
|