Preparing for falco
This commit is contained in:
parent
b5eb997165
commit
361895d43d
3 changed files with 74 additions and 37 deletions
|
|
@ -168,6 +168,10 @@
|
||||||
when:
|
when:
|
||||||
- kubernetes_master|bool
|
- kubernetes_master|bool
|
||||||
|
|
||||||
|
# https://v1-17.docs.kubernetes.io/docs/tasks/debug-application-cluster/falco/
|
||||||
|
# https://github.com/falcosecurity/falco/blob/master/rules/k8s_audit_rules.yaml
|
||||||
|
# Ou récupération de ces règles pour une utilisation avec falco
|
||||||
|
|
||||||
- name: Configure audit policy
|
- name: Configure audit policy
|
||||||
copy:
|
copy:
|
||||||
src: "etc/kubernetes/policies/audit-policy.yaml"
|
src: "etc/kubernetes/policies/audit-policy.yaml"
|
||||||
|
|
|
||||||
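Review bot: The three added comment lines leave the reader to work out how the two links relate to the `Configure audit policy` task right below them, and the third comment is in French while the surrounding task text is English; a single English line would carry more, e.g. `# Falco audit webhook: first link = apiserver webhook setup; k8s_audit_rules.yaml = Falco-side rules, not an apiserver audit Policy`. If I read the falco repository right, `rules/k8s_audit_rules.yaml` is a rule file consumed by Falco's own engine, so it should not become the value of the apiserver's `audit-policy-file`; worth confirming before the dormant Falco block elsewhere in this commit is switched on. Nothing in this hunk renders the new `templates/etc/kubernetes/audit-webhook-kubeconfig.j2`, so presumably a `template:` task is still to come. The enclosing task (the one whose `when:` condition is `kubernetes_master|bool`) starts outside the hunk.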
14
templates/etc/kubernetes/audit-webhook-kubeconfig.j2
Normal file
14
templates/etc/kubernetes/audit-webhook-kubeconfig.j2
Normal file
|
|
@ -0,0 +1,14 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Config
|
||||||
|
clusters:
|
||||||
|
- cluster:
|
||||||
|
server: http://<ip_of_falco>:8765/k8s_audit
|
||||||
|
name: falco
|
||||||
|
contexts:
|
||||||
|
- context:
|
||||||
|
cluster: falco
|
||||||
|
user: ""
|
||||||
|
name: default-context
|
||||||
|
current-context: default-context
|
||||||
|
preferences: {}
|
||||||
|
users: []
|
||||||
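Review bot: The `server:` value on the cluster entry is the literal `http://<ip_of_falco>:8765/k8s_audit`, so despite the `.j2` extension the file contains no Jinja expression and cannot render to a usable kubeconfig until the address is substituted; a quoted templated value such as `server: "https://{{ falco_webhook_host }}:8765/k8s_audit"` (variable name illustrative) keeps the address in inventory. Audit events posted to this backend can include full request and response bodies when the audit policy uses the `RequestResponse` level, which may carry Secret contents, so shipping them over plain `http://` with `user: ""` and `users: []` (no client credential) deserves at least a comment; if the Falco webserver is configured for TLS, use `https://` and add `certificate-authority` to the cluster entry. A header comment stating that this file is consumed through the apiserver's `audit-webhook-config-file` flag would also help, since nothing in the file says what it is for.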
|
|
@ -33,9 +33,12 @@ nodeRegistration:
|
||||||
container-runtime-endpoint: "unix:///var/run/crio/crio.sock"
|
container-runtime-endpoint: "unix:///var/run/crio/crio.sock"
|
||||||
{% endif %}
|
{% endif %}
|
||||||
node-ip: {{ ansible_default_ipv4.address }}
|
node-ip: {{ ansible_default_ipv4.address }}
|
||||||
read-only-port: "10255"
|
# read-only-port: "10255"
|
||||||
ignorePreflightErrors:
|
ignorePreflightErrors:
|
||||||
- SystemVerification
|
- SystemVerification
|
||||||
|
{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
|
||||||
|
- NumCPU
|
||||||
|
{% endif %}
|
||||||
{% if true == false %}
|
{% if true == false %}
|
||||||
- IsPrivilegedUser
|
- IsPrivilegedUser
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
@ -45,6 +48,51 @@ localAPIEndpoint:
|
||||||
{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
|
{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
|
||||||
certificateKey: "{{ kubernetes_certificateKey.stdout }}"
|
certificateKey: "{{ kubernetes_certificateKey.stdout }}"
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %}
|
||||||
|
---
|
||||||
|
apiVersion: kubeadm.k8s.io/v1beta2
|
||||||
|
kind: ClusterConfiguration
|
||||||
|
kubernetesVersion: stable
|
||||||
|
{% if lbip_kubeapiserver is defined %}
|
||||||
|
controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443"
|
||||||
|
{% else %}
|
||||||
|
controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443"
|
||||||
|
{% endif %}
|
||||||
|
apiServer:
|
||||||
|
extraArgs:
|
||||||
|
enable-admission-plugins: NodeRestriction,PodSecurityPolicy
|
||||||
|
authorization-mode: "Node,RBAC"
|
||||||
|
audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
|
||||||
|
audit-log-path: "/var/log/apiserver/audit.log"
|
||||||
|
audit-log-maxage: "30"
|
||||||
|
audit-log-maxbackup: "10"
|
||||||
|
audit-log-maxsize: "100"
|
||||||
|
{% if false %}
|
||||||
|
# Falco
|
||||||
|
audit-policy-file: "/etc/kubernetes/policies/k8s_audit_rules.yaml"
|
||||||
|
audit-webhook-config-file: "/etc/kubernetes/policies/audit-webhook-kubeconfig"
|
||||||
|
{% endif %}
|
||||||
|
extraVolumes:
|
||||||
|
- name: "audit-log"
|
||||||
|
hostPath: "/var/log/apiserver"
|
||||||
|
mountPath: "/var/log/apiserver"
|
||||||
|
readOnly: false
|
||||||
|
pathType: DirectoryOrCreate
|
||||||
|
- name: "audit-policies"
|
||||||
|
hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
|
||||||
|
mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
|
||||||
|
readOnly: false
|
||||||
|
pathType: File
|
||||||
|
{% if lb_kubemaster is defined %}
|
||||||
|
certSANs:
|
||||||
|
- "{{ lb_kubemaster }}"
|
||||||
|
{% endif %}
|
||||||
|
{% if kubernetes_network == "flannel" or kubernetes_network == "calico" %}
|
||||||
|
networking:
|
||||||
|
podSubnet: "{{ kubernetes_pods_network }}"
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
{% if not kubernetes_master|bool or kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
|
||||||
---
|
---
|
||||||
apiVersion: kubeadm.k8s.io/v1beta2
|
apiVersion: kubeadm.k8s.io/v1beta2
|
||||||
kind: JoinConfiguration
|
kind: JoinConfiguration
|
||||||
|
|
@ -68,51 +116,22 @@ discovery:
|
||||||
nodeRegistration:
|
nodeRegistration:
|
||||||
kubeletExtraArgs:
|
kubeletExtraArgs:
|
||||||
node-ip: {{ ansible_default_ipv4.address }}
|
node-ip: {{ ansible_default_ipv4.address }}
|
||||||
read-only-port: "10255"
|
# read-only-port: "10255"
|
||||||
ignorePreflightErrors:
|
ignorePreflightErrors:
|
||||||
- SystemVerification
|
- SystemVerification
|
||||||
---
|
{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
|
||||||
apiVersion: kubeadm.k8s.io/v1beta2
|
- NumCPU
|
||||||
kind: ClusterConfiguration
|
|
||||||
kubernetesVersion: stable
|
|
||||||
{% if lbip_kubeapiserver is defined %}
|
|
||||||
controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443"
|
|
||||||
{% else %}
|
|
||||||
controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443"
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
apiServer:
|
|
||||||
extraArgs:
|
|
||||||
enable-admission-plugins: NodeRestriction,PodSecurityPolicy
|
|
||||||
authorization-mode: "Node,RBAC"
|
|
||||||
audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
|
|
||||||
audit-log-path: "/var/log/apiserver/audit.log"
|
|
||||||
audit-log-maxage: "30"
|
|
||||||
audit-log-maxbackup: "10"
|
|
||||||
audit-log-maxsize: "100"
|
|
||||||
extraVolumes:
|
|
||||||
- name: "audit-log"
|
|
||||||
hostPath: "/var/log/apiserver"
|
|
||||||
mountPath: "/var/log/apiserver"
|
|
||||||
readOnly: false
|
|
||||||
pathType: DirectoryOrCreate
|
|
||||||
- name: "audit-policies"
|
|
||||||
hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
|
|
||||||
mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
|
|
||||||
readOnly: false
|
|
||||||
pathType: File
|
|
||||||
{% if lb_kubemaster is defined %}
|
|
||||||
certSANs:
|
|
||||||
- "{{ lb_kubemaster }}"
|
|
||||||
{% endif %}
|
|
||||||
{% if kubernetes_network == "flannel" or kubernetes_network == "calico" %}
|
|
||||||
networking:
|
|
||||||
podSubnet: "{{ kubernetes_pods_network }}"
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
---
|
---
|
||||||
apiVersion: kubeproxy.config.k8s.io/v1alpha1
|
apiVersion: kubeproxy.config.k8s.io/v1alpha1
|
||||||
kind: KubeProxyConfiguration
|
kind: KubeProxyConfiguration
|
||||||
{% if kubernetes_kubeproxy_mode is defined %}
|
{% if kubernetes_kubeproxy_mode is defined %}
|
||||||
mode: {{ kubernetes_kubeproxy_mode }}
|
mode: {{ kubernetes_kubeproxy_mode }}
|
||||||
|
{% if kubernetes_kubeproxy_mode == "ipvs" %}
|
||||||
|
ipvs:
|
||||||
|
strictARP: true
|
||||||
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
---
|
---
|
||||||
apiVersion: kubelet.config.k8s.io/v1beta1
|
apiVersion: kubelet.config.k8s.io/v1beta1
|
||||||
|
|
|
||||||
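Review bot: Inside the new `{% if false %}` block, `audit-policy-file: "/etc/kubernetes/policies/k8s_audit_rules.yaml"` repeats a key already set a few lines above in the same `extraArgs` mapping, so once the guard is flipped the rendered YAML has a duplicate key and most loaders silently keep the last value; drop one of the two or make the policy path itself conditional on the same switch. If `k8s_audit_rules.yaml` is the file from the falco repository linked in the tasks change, it is a Falco rule set rather than a kube-apiserver audit `Policy`, so the apiserver would likely reject it — worth confirming. The webhook kubeconfig at `/etc/kubernetes/policies/audit-webhook-kubeconfig` is also never mounted into the apiserver static pod: `extraVolumes` only mounts `/var/log/apiserver` and `audit-policy.yaml` (as `pathType: File`), so an entry mirroring `audit-policies` for the kubeconfig is needed under the same guard. Finally, `{% if false %}` gives no hint of what is meant to flip it; a named variable, e.g. `{% if falco_audit_webhook|default(false)|bool %}` (name illustrative), with a comment explaining the Falco wiring would make the intent explicit. The enclosing `{% if ... is not defined %}` block and the ClusterConfiguration it wraps are entirely inside this hunk.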