diff --git a/files/etc/kubernetes/psa.yaml b/files/etc/kubernetes/psa.yaml
new file mode 100644
index 0000000..9072c55
--- /dev/null
+++ b/files/etc/kubernetes/psa.yaml
@@ -0,0 +1,18 @@
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+- name: PodSecurity
+ configuration:
+ apiVersion: pod-security.admission.config.k8s.io/v1beta1
+ kind: PodSecurityConfiguration
+ defaults:
+ enforce: "restricted"
+ enforce-version: "latest"
+ audit: "restricted"
+ audit-version: "latest"
+ warn: "restricted"
+ warn-version: "latest"
+ exemptions:
+ usernames: []
+ runtimeClasses: []
+ namespaces: [kube-system, cis-operator-system]
diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml
index 763e946..c501724 100644
--- a/tasks/cluster_k3s.yml
+++ b/tasks/cluster_k3s.yml
@@ -122,6 +122,16 @@
 when:
 - kubernetes_server|bool
+- name: Configure Pod Security
+ ansible.builtin.copy:
+ src: "etc/kubernetes/psa.yaml"
+ dest: "/etc/kubernetes/psa.yaml"
+ group: root
+ owner: root
+ mode: 0644
+ when:
+ - kubernetes_master|bool
+
 - name: Audit policies directory
 ansible.builtin.file:
 path: "/etc/kubernetes/policies"
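Review bot: The `configuration:` block declares `apiVersion: pod-security.admission.config.k8s.io/v1beta1`; on Kubernetes 1.25 and later the `v1` version of this config type is available and the beta version is the one that will eventually be dropped, so unless the role still targets older releases this should read `apiVersion: pod-security.admission.config.k8s.io/v1`. `enforce-version: "latest"` (and the audit/warn counterparts) also means the definition of `restricted` moves with every control-plane upgrade, which can start rejecting previously admitted workloads after an upgrade; pinning a specific version is the safer choice when that matters. The file has no comment on why `kube-system` and `cis-operator-system` are exempted; a header such as `# kube-system and cis-operator-system run privileged components and are exempted from the restricted profile` would document the intent for the next maintainer.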
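Review bot: `mode: 0644` in the `Configure Pod Security` task is a bare octal literal, which a YAML 1.1 parser turns into the integer 420 (and a YAML 1.2 parser into 644); Ansible gets the right bits here only because 420 happens to be 0o644, and its documentation recommends quoting file modes for exactly this reason, `mode: "0644"`. The same applies to `mode: 0700` and `mode: 0600` in the later hunk of this file (the `Create k3s directories` and `Deploy Network Policies` tasks).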
@@ -164,6 +174,38 @@
 - name: Configure first controler
 # run_once: true
 block:
+ - name: Create k3s directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+ with_items:
+ - "/etc/rancher"
+ - "/etc/rancher/k3s"
+ - "/etc/rancher/k3s/config.yaml.d"
+ - "/var/lib/rancher"
+ - "/var/lib/rancher/k3s"
+ - "/var/lib/rancher/k3s/server"
+ - "/var/lib/rancher/k3s/server/manifests"
+ when:
+ - kubernetes_master|bool
+
+ - name: Deploy Network Policies
+ ansible.builtin.template:
+ src: "{{ item }}.j2"
+ dest: "{{ item }}"
+ owner: root
+ group: root
+ mode: 0600
+ with_items:
+ - "var/lib/rancher/k3s/server/manifests/np-00-intra-namespace.yaml.j2"
+ - "var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml.j2"
+ - "var/lib/rancher/k3s/server/manifests/np-03-metrics-server-traefik.yaml.j2"
+ when:
+ - kubernetes_master|bool
+
 - name: Deploy systemd service
 ansible.builtin.template:
 src: "{{ item }}.j2"
@@ -205,7 +247,7 @@
 - kubernetes_master|bool
 - vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined
-
+# chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt
 # Manque kubernetes_server_token, kubernetes_master url
diff --git a/templates/etc/rancher/k3s/config.yaml.j2 b/templates/etc/rancher/k3s/config.yaml.j2
index a27e263..fb504b7 100644
--- a/templates/etc/rancher/k3s/config.yaml.j2
+++ b/templates/etc/rancher/k3s/config.yaml.j2
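Review bot: The `Deploy Network Policies` task cannot find its templates as written: the `with_items` entries already end in `.j2`, and `src: "{{ item }}.j2"` appends a second suffix, so Ansible looks for `np-00-intra-namespace.yaml.j2.j2` while the files added by this commit are `templates/var/lib/rancher/k3s/server/manifests/np-00-intra-namespace.yaml.j2` and siblings. Even if the lookup succeeded, `dest: "{{ item }}"` is the relative path `var/lib/rancher/...` with no leading slash, and the deployed file would keep its `.j2` extension, which as far as I recall the k3s manifest directory does not apply (it picks up `.yaml`/`.yml`/`.json`). Dropping the suffix from the three items and writing `dest: "/{{ item }}"` fixes both while keeping `src` relative so it still resolves under the role's `templates/` directory. This task also sits inside the `Configure first controler` block, whose `when:` is outside this hunk, so presumably the manifests are only laid down on the initial run; worth confirming that later template changes are still redeployed.
```yaml
 - name: Deploy Network Policies
   ansible.builtin.template:
     src: "{{ item }}.j2"
     dest: "/{{ item }}"
     # … unchanged: owner/group/mode …
     with_items:
       - "var/lib/rancher/k3s/server/manifests/np-00-intra-namespace.yaml"
       - "var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml"
       - "var/lib/rancher/k3s/server/manifests/np-03-metrics-server-traefik.yaml"
     # … unchanged: when …
```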
@@ -1,5 +1,18 @@
 flannel-backend: wireguard-native
+protect-kernel-defaults: true
 {% if kubernetes_master|bool %}
+secrets-encryption: true
+kube-apiserver-arg:
+ - "enable-admission-plugins=NodeRestriction,AlwaysPullImages,EventRateLimit"
+ - 'admission-control-config-file=/etc/kubernetes/psa.yaml'
+ - 'audit-log-path=/var/log/apiserver/audit.log'
+ - 'audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml'
+ - 'audit-log-maxage=30'
+ - 'audit-log-maxbackup=10'
+ - 'audit-log-maxsize=100'
+# - "request-timeout=300s"
+kube-controller-manager-arg:
+ - 'terminated-pod-gc-threshold=10'
 {% if vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %}
 cluster-init: true
 {% else %}
@@ -10,15 +23,18 @@ token: ${NODE_TOKEN}
 server: https://{{ kubernetes_master }}:6443
 token: ${NODE_TOKEN}
 {% endif %}
-#node-label:
-# - "foo=bar"
-# - "something=amazing"
+kubelet-arg:
+ - 'streaming-connection-idle-timeout=5m'
+ - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
 {% if ansible_os_family == "RedHat" %}
 selinux: true
 {% endif %}
-secrets-encryption: true
+#embedded-registry: true
 disable:
 - traefik
 {% if false %}
 # node-external-ip: 1.2.3.4
+#node-label:
+# - "foo=bar"
+# - "something=amazing"
 {% endif %}
diff --git a/templates/kubeadm-config.yaml.j2 b/templates/kubeadm-config.yaml.j2
index adf6639..00ee1b7 100644
--- a/templates/kubeadm-config.yaml.j2
+++ b/templates/kubeadm-config.yaml.j2
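Review bot: `enable-admission-plugins=NodeRestriction,AlwaysPullImages,EventRateLimit` turns on EventRateLimit, but that plugin takes its limits from the file named by `admission-control-config-file`, and `/etc/kubernetes/psa.yaml` as added in this commit declares only a `PodSecurity` plugin; with no `EventRateLimit` entry the plugin has nothing to enforce and, depending on the Kubernetes release, the API server may refuse to start — verify on a test node. Adding a second `plugins:` entry named `EventRateLimit` whose `configuration` is an `eventratelimit.admission.k8s.io/v1alpha1` `Configuration` with at least one `Server`-type limit closes the gap; the `templates/kubeadm-config.yaml.j2` hunk enables the same plugin and needs the equivalent entry in whatever admission config file that path uses. Separately, `audit-log-path=/var/log/apiserver/audit.log` assumes `/var/log/apiserver` exists, and nothing visible in this change creates it (the `Audit policies directory` task only handles `/etc/kubernetes/policies`), so unless an existing task does, a directory task or a comment naming who creates it would help.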
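Review bot: `tls-cipher-suites=...` is pinned for the kubelet only; the `kube-apiserver-arg` list in the first hunk gets no equivalent entry, so the API server listener still negotiates whatever the Go default allows. If the goal is one cipher policy across the control plane, the same list can be added there as `- 'tls-cipher-suites=...'` (kube-apiserver accepts the same flag). `#embedded-registry: true` is left as a dead comment with no explanation; a short note on whether it is planned or intentionally disabled would save the next reader a guess.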
@@ -55,7 +55,7 @@ controlPlaneEndpoint: "{{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv
 {% endif %}
 apiServer:
 extraArgs:
- enable-admission-plugins: NodeRestriction
+ enable-admission-plugins: NodeRestriction,AlwaysPullImages,EventRateLimit
 authorization-mode: "Node,RBAC"
 audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
 audit-log-path: "/var/log/apiserver/audit.log"
diff --git a/templates/var/lib/rancher/k3s/server/manifests/np-00-intra-namespace.yaml.j2 b/templates/var/lib/rancher/k3s/server/manifests/np-00-intra-namespace.yaml.j2
new file mode 100644
index 0000000..8775180
--- /dev/null
+++ b/templates/var/lib/rancher/k3s/server/manifests/np-00-intra-namespace.yaml.j2
@@ -0,0 +1,12 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: intra-namespace
+ namespace: kube-system
+spec:
+ podSelector: {}
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ name: kube-system
diff --git a/templates/var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml.j2 b/templates/var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml.j2
new file mode 100644
index 0000000..e0c00b8
--- /dev/null
+++ b/templates/var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml.j2
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-network-dns-policy
+ namespace:
+spec:
+ ingress:
+ - ports:
+ - port: 53
+ protocol: TCP
+ - port: 53
+ protocol: UDP
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ policyTypes:
+ - Ingress
diff --git a/templates/var/lib/rancher/k3s/server/manifests/np-03-metrics-server-traefik.yaml.j2 b/templates/var/lib/rancher/k3s/server/manifests/np-03-metrics-server-traefik.yaml.j2
new file mode 100644
index 0000000..e7b8621
--- /dev/null
+++ b/templates/var/lib/rancher/k3s/server/manifests/np-03-metrics-server-traefik.yaml.j2
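Review bot: The `namespaceSelector` at the end of the np-00 hunk matches `name: kube-system`, a label Kubernetes does not put on namespaces by itself (the automatically managed label is `kubernetes.io/metadata.name: kube-system`); unless the role labels the namespace elsewhere, the selector matches nothing and, because `podSelector: {}` isolates every pod in kube-system, all ingress not covered by another policy is denied, CoreDNS included. Writing `kubernetes.io/metadata.name: kube-system` under `matchLabels` makes the policy work without manual labelling. The file is a `.j2` template with no Jinja in it and no header comment; a line such as `# Isolate kube-system: only traffic from kube-system itself is allowed in; np-01/np-03 open the specific exceptions` would state the intent.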
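Review bot: `namespace:` in the np-01 hunk is left empty, so the value is null and the policy lands in whatever namespace the applier defaults to rather than in `kube-system`, where the `k8s-app: kube-dns` pods it selects live; the DNS exception therefore never reaches CoreDNS, and together with the intra-namespace policy from np-00 cluster DNS from workload namespaces would be blocked. It should read `namespace: kube-system`. Note also that the rule has no `from:` clause, so port 53 is open to any source; that is the intended behaviour for cluster DNS, but a one-line comment saying so would stop a later reviewer from "tightening" it.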
@@ -0,0 +1,42 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-all-metrics-server
+ namespace: kube-system
+spec:
+ podSelector:
+ matchLabels:
+ k8s-app: metrics-server
+ ingress:
+ - {}
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-all-svclbtraefik-ingress
+ namespace: kube-system
+spec:
+ podSelector:
+ matchLabels:
+ svccontroller.k3s.cattle.io/svcname: traefik
+ ingress:
+ - {}
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-all-traefik-v121-ingress
+ namespace: kube-system
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: traefik
+ ingress:
+ - {}
+ policyTypes:
+ - Ingress
+---
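Review bot: `allow-all-metrics-server` opens ingress from any source (`ingress: - {}`) to the metrics-server pods, although the only client that needs to reach them is the API server aggregation layer; the allow-all shape is copied from the two traefik policies, where accepting traffic from anywhere is the point of an ingress controller. If the k3s API server runs on the host network the rule cannot be narrowed with a pod selector, which may be why it is left broad, but a comment above the first document saying so would keep the next reviewer from tightening it blindly. The trailing `---` after the last document is harmless but unnecessary.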