From b45abf84be5da89853b0a38716a936c66a3c645b Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Sat, 31 Aug 2024 11:17:00 +0200
Subject: [PATCH] Add more security to k3s installation

---
 tasks/cluster_k3s.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml
index 1a38ca7..763e946 100644
--- a/tasks/cluster_k3s.yml
+++ b/tasks/cluster_k3s.yml
@@ -108,6 +108,20 @@
   with_items:
     - { name: var_lib_k3s, vg: vg_sys, size: 10g, mount_point: /var/lib/rancher/k3s, mount_opts: "discard"}
 
+- name: Ensure protect-kernel-defaults is set
+  ansible.posix.sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    sysctl_file: /etc/sysctl.d/90-kubelet.conf
+    reload: true
+  with_items:
+    - { name: "vm.panic_on_oom", value: "0" }
+    - { name: "vm.overcommit_memory", value: "1" }
+    - { name: "kernel.panic", value: "10" }
+    - { name: "kernel.panic_on_oops", value: "1" }
+  when:
+    - kubernetes_server|bool
+
 - name: Audit policies directory
   ansible.builtin.file:
     path: "/etc/kubernetes/policies"
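Review bot: The task name promises protect-kernel-defaults, but the added task only writes the four sysctl values that kubelet's protect-kernel-defaults check expects; nothing in the hunk turns the flag itself on, so unless it is enabled elsewhere in the file the kernel settings are applied but never enforced. Either add that kubelet setting next to this task or rename it to what it does, e.g. `- name: Set kernel parameters expected by kubelet protect-kernel-defaults`. The `when: kubernetes_server|bool` gate also looks too narrow: once the flag is on, every node running a kubelet, agents included, needs these values or its kubelet refuses to start, so it is worth confirming whether this role manages agent nodes at all. A short comment above the loop recording that these are exactly the values kubelet verifies, rather than arbitrary hardening, would stop a later reader from "tuning" them.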