Preparing for falco
This commit is contained in:
parent
b5eb997165
commit
361895d43d
GPG key ID:
DA7B27055C66D6DE
3 changed files with 74 additions and 37 deletions
14
templates/etc/kubernetes/audit-webhook-kubeconfig.j2
Normal file
14
templates/etc/kubernetes/audit-webhook-kubeconfig.j2
Normal file
|
|
@ -0,0 +1,14 @@
|
|||
apiVersion: v1
|
||||
kind: Config
|
||||
clusters:
|
||||
- cluster:
|
||||
server: http://<ip_of_falco>:8765/k8s_audit
|
||||
name: falco
|
||||
contexts:
|
||||
- context:
|
||||
cluster: falco
|
||||
user: ""
|
||||
name: default-context
|
||||
current-context: default-context
|
||||
preferences: {}
|
||||
users: []
|
||||
|
|
@ -33,9 +33,12 @@ nodeRegistration:
|
|||
container-runtime-endpoint: "unix:///var/run/crio/crio.sock"
|
||||
{% endif %}
|
||||
node-ip: {{ ansible_default_ipv4.address }}
|
||||
read-only-port: "10255"
|
||||
# read-only-port: "10255"
|
||||
ignorePreflightErrors:
|
||||
- SystemVerification
|
||||
{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
|
||||
- NumCPU
|
||||
{% endif %}
|
||||
{% if true == false %}
|
||||
- IsPrivilegedUser
|
||||
{% endif %}
|
||||
|
|
@ -45,6 +48,51 @@ localAPIEndpoint:
|
|||
{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
|
||||
certificateKey: "{{ kubernetes_certificateKey.stdout }}"
|
||||
{% endif %}
|
||||
{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %}
|
||||
---
|
||||
apiVersion: kubeadm.k8s.io/v1beta2
|
||||
kind: ClusterConfiguration
|
||||
kubernetesVersion: stable
|
||||
{% if lbip_kubeapiserver is defined %}
|
||||
controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443"
|
||||
{% else %}
|
||||
controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443"
|
||||
{% endif %}
|
||||
apiServer:
|
||||
extraArgs:
|
||||
enable-admission-plugins: NodeRestriction,PodSecurityPolicy
|
||||
authorization-mode: "Node,RBAC"
|
||||
audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
|
||||
audit-log-path: "/var/log/apiserver/audit.log"
|
||||
audit-log-maxage: "30"
|
||||
audit-log-maxbackup: "10"
|
||||
audit-log-maxsize: "100"
|
||||
{% if false %}
|
||||
# Falco
|
||||
audit-policy-file: "/etc/kubernetes/policies/k8s_audit_rules.yaml"
|
||||
audit-webhook-config-file: "/etc/kubernetes/policies/audit-webhook-kubeconfig"
|
||||
{% endif %}
|
||||
extraVolumes:
|
||||
- name: "audit-log"
|
||||
hostPath: "/var/log/apiserver"
|
||||
mountPath: "/var/log/apiserver"
|
||||
readOnly: false
|
||||
pathType: DirectoryOrCreate
|
||||
- name: "audit-policies"
|
||||
hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
|
||||
mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
|
||||
readOnly: false
|
||||
pathType: File
|
||||
{% if lb_kubemaster is defined %}
|
||||
certSANs:
|
||||
- "{{ lb_kubemaster }}"
|
||||
{% endif %}
|
||||
{% if kubernetes_network == "flannel" or kubernetes_network == "calico" %}
|
||||
networking:
|
||||
podSubnet: "{{ kubernetes_pods_network }}"
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if not kubernetes_master|bool or kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
|
||||
---
|
||||
apiVersion: kubeadm.k8s.io/v1beta2
|
||||
kind: JoinConfiguration
|
||||
|
|
@ -68,51 +116,22 @@ discovery:
|
|||
nodeRegistration:
|
||||
kubeletExtraArgs:
|
||||
node-ip: {{ ansible_default_ipv4.address }}
|
||||
read-only-port: "10255"
|
||||
# read-only-port: "10255"
|
||||
ignorePreflightErrors:
|
||||
- SystemVerification
|
||||
---
|
||||
apiVersion: kubeadm.k8s.io/v1beta2
|
||||
kind: ClusterConfiguration
|
||||
kubernetesVersion: stable
|
||||
{% if lbip_kubeapiserver is defined %}
|
||||
controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443"
|
||||
{% else %}
|
||||
controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443"
|
||||
{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
|
||||
- NumCPU
|
||||
{% endif %}
|
||||
apiServer:
|
||||
extraArgs:
|
||||
enable-admission-plugins: NodeRestriction,PodSecurityPolicy
|
||||
authorization-mode: "Node,RBAC"
|
||||
audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
|
||||
audit-log-path: "/var/log/apiserver/audit.log"
|
||||
audit-log-maxage: "30"
|
||||
audit-log-maxbackup: "10"
|
||||
audit-log-maxsize: "100"
|
||||
extraVolumes:
|
||||
- name: "audit-log"
|
||||
hostPath: "/var/log/apiserver"
|
||||
mountPath: "/var/log/apiserver"
|
||||
readOnly: false
|
||||
pathType: DirectoryOrCreate
|
||||
- name: "audit-policies"
|
||||
hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
|
||||
mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
|
||||
readOnly: false
|
||||
pathType: File
|
||||
{% if lb_kubemaster is defined %}
|
||||
certSANs:
|
||||
- "{{ lb_kubemaster }}"
|
||||
{% endif %}
|
||||
{% if kubernetes_network == "flannel" or kubernetes_network == "calico" %}
|
||||
networking:
|
||||
podSubnet: "{{ kubernetes_pods_network }}"
|
||||
{% endif %}
|
||||
---
|
||||
apiVersion: kubeproxy.config.k8s.io/v1alpha1
|
||||
kind: KubeProxyConfiguration
|
||||
{% if kubernetes_kubeproxy_mode is defined %}
|
||||
mode: {{ kubernetes_kubeproxy_mode }}
|
||||
{% if kubernetes_kubeproxy_mode == "ipvs" %}
|
||||
ipvs:
|
||||
strictARP: true
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
---
|
||||
apiVersion: kubelet.config.k8s.io/v1beta1
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue