Securing k3s deployment

files/etc/kubernetes/psa.yaml

@@ -0,0 +1,18 @@
+apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+- name: PodSecurity
+  configuration:
+    apiVersion: pod-security.admission.config.k8s.io/v1beta1
+    kind: PodSecurityConfiguration
+    defaults:
+      enforce: "restricted"
+      enforce-version: "latest"
+      audit: "restricted"
+      audit-version: "latest"
+      warn: "restricted"
+      warn-version: "latest"
+    exemptions:
+      usernames: []
+      runtimeClasses: []
+      namespaces: [kube-system, cis-operator-system]

tasks/cluster_k3s.yml

@@ -122,6 +122,16 @@
   when:
     - kubernetes_server|bool
 
+- name: Configure Pod Security
+  ansible.builtin.copy:
+    src: "etc/kubernetes/psa.yaml"
+    dest: "/etc/kubernetes/psa.yaml"
+    group: root
+    owner: root
+    mode: 0644
+  when:
+    - kubernetes_master|bool
+
 - name: Audit policies directory
   ansible.builtin.file:
     path: "/etc/kubernetes/policies"
@@ -164,6 +174,38 @@
 - name: Configure first controler
 #  run_once: true
   block:
+  - name: Create k3s directories
+    ansible.builtin.file:
+      path: "{{ item }}"
+      state: directory
+      owner: root
+      group: root
+      mode: 0700
+    with_items:
+      - "/etc/rancher"
+      - "/etc/rancher/k3s"
+      - "/etc/rancher/k3s/config.yaml.d"
+      - "/var/lib/rancher"
+      - "/var/lib/rancher/k3s"
+      - "/var/lib/rancher/k3s/server"
+      - "/var/lib/rancher/k3s/server/manifests"
+    when:
+      - kubernetes_master|bool
+
+  - name: Deploy Network Policies
+    ansible.builtin.template:
+      src: "{{ item }}.j2"
+      dest: "{{ item }}"
+      owner: root
+      group: root
+      mode: 0600
+    with_items:
+      - "var/lib/rancher/k3s/server/manifests/np-00-intra-namespace.yaml.j2"
+      - "var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml.j2"
+      - "var/lib/rancher/k3s/server/manifests/np-03-metrics-server-traefik.yaml.j2"
+    when:
+      - kubernetes_master|bool
+
   - name: Deploy systemd service
     ansible.builtin.template:
       src: "{{ item }}.j2"
@@ -205,7 +247,7 @@
     - kubernetes_master|bool
     - vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined
 
-
+# chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt
 
 # Manque kubernetes_server_token, kubernetes_master url
 

templates/etc/rancher/k3s/config.yaml.j2

@@ -1,5 +1,18 @@
 flannel-backend: wireguard-native
+protect-kernel-defaults: true
 {% if kubernetes_master|bool %}
+secrets-encryption: true
+kube-apiserver-arg:
+  - "enable-admission-plugins=NodeRestriction,AlwaysPullImages,EventRateLimit"
+  - 'admission-control-config-file=/etc/kubernetes/psa.yaml'
+  - 'audit-log-path=/var/log/apiserver/audit.log'
+  - 'audit-policy-file=/etc/kubernetes/policies/audit-policy.yaml'
+  - 'audit-log-maxage=30'
+  - 'audit-log-maxbackup=10'
+  - 'audit-log-maxsize=100'
+#  - "request-timeout=300s"
+kube-controller-manager-arg:
+  - 'terminated-pod-gc-threshold=10'
 {% if vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %}
 cluster-init: true
 {% else %}
@@ -10,15 +23,18 @@ token: ${NODE_TOKEN}
 server: https://{{ kubernetes_master }}:6443
 token: ${NODE_TOKEN}
 {% endif %}
-#node-label:
+kubelet-arg:
-#  - "foo=bar"
+  - 'streaming-connection-idle-timeout=5m'
-#  - "something=amazing"
+  - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
 {% if ansible_os_family == "RedHat" %}
 selinux: true
 {% endif %}
-secrets-encryption: true
+#embedded-registry: true
 disable:
   - traefik
 {% if false %}
 # node-external-ip: 1.2.3.4
+#node-label:
+#  - "foo=bar"
+#  - "something=amazing"
 {% endif %}

templates/kubeadm-config.yaml.j2

@@ -55,7 +55,7 @@ controlPlaneEndpoint: "{{ lookup('vars', 'ansible_' + kubernetes_interface ).ipv
 {% endif %}
 apiServer:
   extraArgs:
-    enable-admission-plugins: NodeRestriction
+    enable-admission-plugins: NodeRestriction,AlwaysPullImages,EventRateLimit
     authorization-mode: "Node,RBAC"
     audit-policy-file: "/etc/kubernetes/policies/audit-policy.yaml"
     audit-log-path: "/var/log/apiserver/audit.log"

templates/var/lib/rancher/k3s/server/manifests/np-00-intra-namespace.yaml.j2

@@ -0,0 +1,12 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: intra-namespace
+  namespace: kube-system
+spec:
+  podSelector: {}
+  ingress:
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            name: kube-system

templates/var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml.j2

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-network-dns-policy
+  namespace: <NAMESPACE>
+spec:
+  ingress:
+  - ports:
+    - port: 53
+      protocol: TCP
+    - port: 53
+      protocol: UDP
+  podSelector:
+    matchLabels:
+      k8s-app: kube-dns
+  policyTypes:
+  - Ingress

templates/var/lib/rancher/k3s/server/manifests/np-03-metrics-server-traefik.yaml.j2

@@ -0,0 +1,42 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-metrics-server
+  namespace: kube-system
+spec:
+  podSelector:
+    matchLabels:
+      k8s-app: metrics-server
+  ingress:
+  - {}
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-svclbtraefik-ingress
+  namespace: kube-system
+spec:
+  podSelector: 
+    matchLabels:
+      svccontroller.k3s.cattle.io/svcname: traefik
+  ingress:
+  - {}
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-traefik-v121-ingress
+  namespace: kube-system
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: traefik
+  ingress:
+  - {}
+  policyTypes:
+  - Ingress
+---