Preparing for falco

2021-05-07 23:55:15 +02:00 · 2021-05-07 23:55:15 +02:00 · 361895d43d
commit 361895d43d
parent b5eb997165
3 changed files with 74 additions and 37 deletions
--- a/tasks/cluster_kubeadm.yml
+++ b/tasks/cluster_kubeadm.yml
@ -168,6 +168,10 @@
  when:
    - kubernetes_master|bool

+# https://v1-17.docs.kubernetes.io/docs/tasks/debug-application-cluster/falco/
+# https://github.com/falcosecurity/falco/blob/master/rules/k8s_audit_rules.yaml
+# Ou récupération de ces règles pour une utilisation avec falco
+
 - name: Configure audit policy
  copy:
    src: "etc/kubernetes/policies/audit-policy.yaml"
--- a/templates/etc/kubernetes/audit-webhook-kubeconfig.j2
+++ b/templates/etc/kubernetes/audit-webhook-kubeconfig.j2
@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+    server: http://<ip_of_falco>:8765/k8s_audit
+  name: falco
+contexts:
+- context:
+    cluster: falco
+    user: ""
+  name: default-context
+current-context: default-context
+preferences: {}
+users: []
--- a/templates/kubeadm-config.yaml.j2
+++ b/templates/kubeadm-config.yaml.j2
@ -33,9 +33,12 @@ nodeRegistration:
    container-runtime-endpoint: "unix:///var/run/crio/crio.sock"
 {% endif %}
    node-ip: {{ ansible_default_ipv4.address }}
-    read-only-port: "10255"
+#    read-only-port: "10255"
  ignorePreflightErrors:
  - SystemVerification
+{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
+  - NumCPU
+{% endif %}
 {% if true == false %}
  - IsPrivilegedUser
 {% endif %}
@ -45,6 +48,51 @@ localAPIEndpoint:
 {% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
 certificateKey: "{{ kubernetes_certificateKey.stdout }}"
 {% endif %}
+{% if kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %}
+---
+apiVersion: kubeadm.k8s.io/v1beta2
+kind: ClusterConfiguration
+kubernetesVersion: stable
+{% if lbip_kubeapiserver is defined %}
+controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443"
+{% else %}
+controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443"
+{% endif %}
+apiServer:
+  extraArgs:
+    enable-admission-plugins: NodeRestriction,PodSecurityPolicy
+    authorization-mode: "Node,RBAC"
+    audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
+    audit-log-path: "/var/log/apiserver/audit.log"
+    audit-log-maxage: "30"
+    audit-log-maxbackup: "10"
+    audit-log-maxsize: "100"
+{% if false %}
+# Falco
+    audit-policy-file: "/etc/kubernetes/policies/k8s_audit_rules.yaml"
+    audit-webhook-config-file: "/etc/kubernetes/policies/audit-webhook-kubeconfig"
+{% endif %}
+  extraVolumes:
+  - name: "audit-log"
+    hostPath: "/var/log/apiserver"
+    mountPath: "/var/log/apiserver"
+    readOnly: false
+    pathType: DirectoryOrCreate
+  - name: "audit-policies"
+    hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
+    mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
+    readOnly: false
+    pathType: File
+{% if lb_kubemaster is defined %}
+  certSANs:
+  - "{{ lb_kubemaster }}"
+{% endif %}
+{% if kubernetes_network == "flannel" or kubernetes_network == "calico" %}
+networking:
+  podSubnet: "{{ kubernetes_pods_network }}"
+{% endif %}
+{% endif %}
+{% if not kubernetes_master|bool or kubernetes_master|bool and groups['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is defined %}
 ---
 apiVersion: kubeadm.k8s.io/v1beta2
 kind: JoinConfiguration
@ -68,51 +116,22 @@ discovery:
 nodeRegistration:
  kubeletExtraArgs:
    node-ip: {{ ansible_default_ipv4.address }}
-    read-only-port: "10255"
+#    read-only-port: "10255"
  ignorePreflightErrors:
  - SystemVerification
---
-apiVersion: kubeadm.k8s.io/v1beta2
-kind: ClusterConfiguration
-kubernetesVersion: stable
-{% if lbip_kubeapiserver is defined %}
-controlPlaneEndpoint: "{{ lbip_kubeapiserver }}:6443"
-{% else %}
-controlPlaneEndpoint: "{{ ansible_default_ipv4.address }}:6443"
+{% if (kubernetes_master|bool and not kubernetes_master_taint|bool) %}
+  - NumCPU
 {% endif %}
-apiServer:
-  extraArgs:
-    enable-admission-plugins: NodeRestriction,PodSecurityPolicy
-    authorization-mode: "Node,RBAC"
-    audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
-    audit-log-path: "/var/log/apiserver/audit.log"
-    audit-log-maxage: "30"
-    audit-log-maxbackup: "10"
-    audit-log-maxsize: "100"
-  extraVolumes:
-  - name: "audit-log"
-    hostPath: "/var/log/apiserver"
-    mountPath: "/var/log/apiserver"
-    readOnly: false
-    pathType: DirectoryOrCreate
-  - name: "audit-policies"
-    hostPath: "/etc/kubernetes/policies/audit-policy.yaml"
-    mountPath: "/etc/kubernetes/policies/audit-policy.yaml"
-    readOnly: false
-    pathType: File
-{% if lb_kubemaster is defined %}
-  certSANs:
-  - "{{ lb_kubemaster }}"
-{% endif %}
-{% if kubernetes_network == "flannel" or kubernetes_network == "calico" %}
-networking:
-  podSubnet: "{{ kubernetes_pods_network }}"
 {% endif %}
 ---
 apiVersion: kubeproxy.config.k8s.io/v1alpha1
 kind: KubeProxyConfiguration
 {% if kubernetes_kubeproxy_mode is defined %}
 mode: {{ kubernetes_kubeproxy_mode }}
+{% if kubernetes_kubeproxy_mode == "ipvs" %}
+ipvs:
+  strictARP: true
+{% endif %}
 {% endif %}
 ---
 apiVersion: kubelet.config.k8s.io/v1beta1