Securing k3s deployment

2024-09-01 14:36:15 +02:00 · 2024-09-01 14:36:15 +02:00 · 5717cca04d
commit 5717cca04d
parent 3fd4c7dee0
7 changed files with 153 additions and 6 deletions
--- a/templates/etc/rancher/k3s/config.yaml.j2
+++ b/templates/etc/rancher/k3s/config.yaml.j2
@ -1,5 +1,18 @@
 flannel-backend: wireguard-native
+protect-kernel-defaults: true
 {% if kubernetes_master|bool %}
+secrets-encryption: true
+kube-apiserver-arg:
+  - "enable-admission-plugins=NodeRestriction,AlwaysPullImages,EventRateLimit"
+  - 'admission-control-config-file=/etc/kubernetes/psa.yaml'
+  - 'audit-log-path=/var/log/apiserver/audit.log'
+  - 'audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml'
+  - 'audit-log-maxage=30'
+  - 'audit-log-maxbackup=10'
+  - 'audit-log-maxsize=100'
+#  - "request-timeout=300s"
+kube-controller-manager-arg:
+  - 'terminated-pod-gc-threshold=10'
 {% if vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %}
 cluster-init: true
 {% else %}
@ -10,15 +23,18 @@ token: ${NODE_TOKEN}
 server: https://{{ kubernetes_master }}:6443
 token: ${NODE_TOKEN}
 {% endif %}
-#node-label:
-#  - "foo=bar"
-#  - "something=amazing"
+kubelet-arg:
+  - 'streaming-connection-idle-timeout=5m'
+  - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
 {% if ansible_os_family == "RedHat" %}
 selinux: true
 {% endif %}
-secrets-encryption: true
+#embedded-registry: true
 disable:
  - traefik
 {% if false %}
 # node-external-ip: 1.2.3.4
+#node-label:
+#  - "foo=bar"
+#  - "something=amazing"
 {% endif %}