Add packet_ubuntu20-calico-aio-hardening (#9359)
To verify the hardening method works always. The configuration comes from docs/hardening.md Fix yaml format of hardening.yml Add condition to skip 040 test for hardening
This commit is contained in:
parent
0f44e8c812
commit
e5ec0f18c0
3 changed files with 111 additions and 1 deletions
|
@ -51,6 +51,11 @@ packet_ubuntu20-aio-docker:
|
||||||
extends: .packet_pr
|
extends: .packet_pr
|
||||||
when: on_success
|
when: on_success
|
||||||
|
|
||||||
|
packet_ubuntu20-calico-aio-hardening:
|
||||||
|
stage: deploy-part2
|
||||||
|
extends: .packet_pr
|
||||||
|
when: on_success
|
||||||
|
|
||||||
packet_ubuntu18-calico-aio:
|
packet_ubuntu18-calico-aio:
|
||||||
stage: deploy-part2
|
stage: deploy-part2
|
||||||
extends: .packet_pr
|
extends: .packet_pr
|
||||||
|
|
96
tests/files/packet_ubuntu20-calico-aio-hardening.yml
Normal file
96
tests/files/packet_ubuntu20-calico-aio-hardening.yml
Normal file
|
@ -0,0 +1,96 @@
|
||||||
|
---
|
||||||
|
# Instance settings
|
||||||
|
cloud_image: ubuntu-2004
|
||||||
|
mode: aio
|
||||||
|
|
||||||
|
# Kubespray settings
|
||||||
|
auto_renew_certificates: true
|
||||||
|
|
||||||
|
# Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=focal&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko
|
||||||
|
kube_proxy_mode: iptables
|
||||||
|
enable_nodelocaldns: False
|
||||||
|
|
||||||
|
# The followings are for hardening
|
||||||
|
## kube-apiserver
|
||||||
|
authorization_modes: ['Node', 'RBAC']
|
||||||
|
# AppArmor-based OS
|
||||||
|
kube_apiserver_feature_gates: ['AppArmor=true']
|
||||||
|
kube_apiserver_request_timeout: 120s
|
||||||
|
kube_apiserver_service_account_lookup: true
|
||||||
|
|
||||||
|
# enable kubernetes audit
|
||||||
|
kubernetes_audit: true
|
||||||
|
audit_log_path: "/var/log/kube-apiserver-log.json"
|
||||||
|
audit_log_maxage: 30
|
||||||
|
audit_log_maxbackups: 10
|
||||||
|
audit_log_maxsize: 100
|
||||||
|
|
||||||
|
tls_min_version: VersionTLS12
|
||||||
|
tls_cipher_suites:
|
||||||
|
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||||
|
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||||
|
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
|
||||||
|
|
||||||
|
# enable encryption at rest
|
||||||
|
kube_encrypt_secret_data: true
|
||||||
|
kube_encryption_resources: [secrets]
|
||||||
|
kube_encryption_algorithm: "secretbox"
|
||||||
|
|
||||||
|
kube_apiserver_enable_admission_plugins: ['EventRateLimit,AlwaysPullImages,ServiceAccount,NamespaceLifecycle,NodeRestriction,LimitRanger,ResourceQuota,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,PodNodeSelector,PodSecurity']
|
||||||
|
kube_apiserver_admission_control_config_file: true
|
||||||
|
# EventRateLimit plugin configuration
|
||||||
|
kube_apiserver_admission_event_rate_limits:
|
||||||
|
limit_1:
|
||||||
|
type: Namespace
|
||||||
|
qps: 50
|
||||||
|
burst: 100
|
||||||
|
cache_size: 2000
|
||||||
|
limit_2:
|
||||||
|
type: User
|
||||||
|
qps: 50
|
||||||
|
burst: 100
|
||||||
|
kube_profiling: false
|
||||||
|
|
||||||
|
## kube-controller-manager
|
||||||
|
kube_controller_manager_bind_address: 127.0.0.1
|
||||||
|
kube_controller_terminated_pod_gc_threshold: 50
|
||||||
|
# AppArmor-based OS
|
||||||
|
kube_controller_feature_gates: ["RotateKubeletServerCertificate=true", "AppArmor=true"]
|
||||||
|
|
||||||
|
## kube-scheduler
|
||||||
|
kube_scheduler_bind_address: 127.0.0.1
|
||||||
|
kube_kubeadm_scheduler_extra_args:
|
||||||
|
profiling: false
|
||||||
|
# AppArmor-based OS
|
||||||
|
kube_scheduler_feature_gates: ["AppArmor=true"]
|
||||||
|
|
||||||
|
## etcd
|
||||||
|
etcd_deployment_type: kubeadm
|
||||||
|
|
||||||
|
## kubelet
|
||||||
|
kubelet_authentication_token_webhook: true
|
||||||
|
kube_read_only_port: 0
|
||||||
|
kubelet_rotate_server_certificates: true
|
||||||
|
kubelet_protect_kernel_defaults: true
|
||||||
|
kubelet_event_record_qps: 1
|
||||||
|
kubelet_rotate_certificates: true
|
||||||
|
kubelet_streaming_connection_idle_timeout: "5m"
|
||||||
|
kubelet_make_iptables_util_chains: true
|
||||||
|
kubelet_feature_gates: ["RotateKubeletServerCertificate=true", "SeccompDefault=true"]
|
||||||
|
kubelet_seccomp_default: true
|
||||||
|
kubelet_systemd_hardening: true
|
||||||
|
# In case you have multiple interfaces in your
|
||||||
|
# control plane nodes and you want to specify the right
|
||||||
|
# IP addresses, kubelet_secure_addresses allows you
|
||||||
|
# to specify the IP from which the kubelet
|
||||||
|
# will receive the packets.
|
||||||
|
# kubelet_secure_addresses: "192.168.10.110 192.168.10.111 192.168.10.112"
|
||||||
|
|
||||||
|
# additional configurations
|
||||||
|
kube_owner: root
|
||||||
|
kube_cert_group: root
|
||||||
|
|
||||||
|
# create a default Pod Security Configuration and deny running of insecure pods
|
||||||
|
# kube-system namespace is exempted by default
|
||||||
|
kube_pod_security_use_default: true
|
||||||
|
kube_pod_security_default_enforce: restricted
|
|
@ -47,6 +47,13 @@ if [[ "$CI_JOB_NAME" =~ "ubuntu" ]]; then
|
||||||
CI_TEST_ADDITIONAL_VARS="-e ansible_python_interpreter=/usr/bin/python3"
|
CI_TEST_ADDITIONAL_VARS="-e ansible_python_interpreter=/usr/bin/python3"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
ENABLE_040_TEST="true"
|
||||||
|
if [[ "$CI_JOB_NAME" =~ "hardening" ]]; then
|
||||||
|
# TODO: We need to remove this condition by finding alternative container
|
||||||
|
# image instead of netchecker which doesn't work at hardening environments.
|
||||||
|
ENABLE_040_TEST="false"
|
||||||
|
fi
|
||||||
|
|
||||||
# Check out latest tag if testing upgrade
|
# Check out latest tag if testing upgrade
|
||||||
test "${UPGRADE_TEST}" != "false" && git fetch --all && git checkout "$KUBESPRAY_VERSION"
|
test "${UPGRADE_TEST}" != "false" && git fetch --all && git checkout "$KUBESPRAY_VERSION"
|
||||||
# Checkout the CI vars file so it is available
|
# Checkout the CI vars file so it is available
|
||||||
|
@ -85,7 +92,9 @@ ansible-playbook --limit "all:!fake_hosts" -e @${CI_TEST_VARS} ${CI_TEST_ADDITIO
|
||||||
ansible-playbook --limit "all:!fake_hosts" -e @${CI_TEST_VARS} ${CI_TEST_ADDITIONAL_VARS} tests/testcases/030_check-network.yml $ANSIBLE_LOG_LEVEL
|
ansible-playbook --limit "all:!fake_hosts" -e @${CI_TEST_VARS} ${CI_TEST_ADDITIONAL_VARS} tests/testcases/030_check-network.yml $ANSIBLE_LOG_LEVEL
|
||||||
|
|
||||||
## Advanced DNS checks
|
## Advanced DNS checks
|
||||||
ansible-playbook --limit "all:!fake_hosts" -e @${CI_TEST_VARS} ${CI_TEST_ADDITIONAL_VARS} tests/testcases/040_check-network-adv.yml $ANSIBLE_LOG_LEVEL
|
if [ "${ENABLE_040_TEST}" = "true" ]; then
|
||||||
|
ansible-playbook --limit "all:!fake_hosts" -e @${CI_TEST_VARS} ${CI_TEST_ADDITIONAL_VARS} tests/testcases/040_check-network-adv.yml $ANSIBLE_LOG_LEVEL
|
||||||
|
fi
|
||||||
|
|
||||||
## Kubernetes conformance tests
|
## Kubernetes conformance tests
|
||||||
ansible-playbook -i ${ANSIBLE_INVENTORY} -e @${CI_TEST_VARS} ${CI_TEST_ADDITIONAL_VARS} --limit "all:!fake_hosts" tests/testcases/100_check-k8s-conformance.yml $ANSIBLE_LOG_LEVEL
|
ansible-playbook -i ${ANSIBLE_INVENTORY} -e @${CI_TEST_VARS} ${CI_TEST_ADDITIONAL_VARS} --limit "all:!fake_hosts" tests/testcases/100_check-k8s-conformance.yml $ANSIBLE_LOG_LEVEL
|
||||||
|
|
Loading…
Reference in a new issue