
Merge pull request #639 from simonswine/improve-security-kube-bench
Kube bench proposed security fixes
jetstack-bot committed Nov 23, 2018
2 parents f8d8ab7 + 0b2a431 commit b811398
Showing 9 changed files with 48 additions and 4 deletions.
11 changes: 9 additions & 2 deletions puppet/modules/kubernetes/manifests/apiserver.pp
Expand Up @@ -52,7 +52,11 @@
$_systemd_after = ['network.target'] + $systemd_after
$_systemd_before = $systemd_before

$tls_min_version = $::kubernetes::tls_min_version
$tls_cipher_suites = $::kubernetes::tls_cipher_suites

$post_1_11 = versioncmp($::kubernetes::version, '1.11.0') >= 0
$post_1_10 = versioncmp($::kubernetes::version, '1.10.0') >= 0
$post_1_9 = versioncmp($::kubernetes::version, '1.9.0') >= 0
$post_1_8 = versioncmp($::kubernetes::version, '1.8.0') >= 0
$post_1_7 = versioncmp($::kubernetes::version, '1.7.0') >= 0
Expand Down Expand Up @@ -104,11 +108,14 @@
$_oidc_signing_algs = []
}

# Do not set insecure_port variable of the API server on kubernetes 1.11+
# Do not set etcd_qorum_read
if !$post_1_11 {
$insecure_port = $::kubernetes::_apiserver_insecure_port
$etcd_quorum_read = true
}

# insecure_port variable of the API server (needs to be set to 0 at least up to 1.13)
$insecure_port = $::kubernetes::_apiserver_insecure_port

$secure_port = $::kubernetes::apiserver_secure_port

# Default to etcd3 for versions bigger than 1.5
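Review bot: The comment `# insecure_port variable of the API server (needs to be set to 0 at least up to 1.13)` states a requirement the code does not enforce: `$insecure_port` is still taken verbatim from `$::kubernetes::_apiserver_insecure_port`, so the hardening holds only if that derived value resolves to 0, which this hunk cannot show (init.pp declares `$apiserver_insecure_port = -1` by default). Either say in the comment where `_apiserver_insecure_port` maps the default to 0, or refuse a non-zero value explicitly, e.g. `if $insecure_port != 0 { warning("apiserver insecure port ${insecure_port} is enabled") }`. The other new comment, `# Do not set etcd_qorum_read`, misspells quorum and does not say why; `# etcd_quorum_read is only passed on pre-1.11 releases` matches what the `if !$post_1_11` block below it does. The enclosing class starts before and continues after both hunks.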
11 changes: 11 additions & 0 deletions puppet/modules/kubernetes/manifests/init.pp
Expand Up @@ -33,6 +33,17 @@
Integer[-1,65535] $apiserver_insecure_port = -1,
Integer[0,65535] $apiserver_secure_port = 6443,
Array[Enum['AlwaysAllow', 'ABAC', 'RBAC']] $authorization_mode = [],
String $tls_min_version = 'VersionTLS12',
Array[String] $tls_cipher_suites = [
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
'TLS_RSA_WITH_AES_256_GCM_SHA384',
'TLS_RSA_WITH_AES_128_GCM_SHA256',
],
) inherits ::kubernetes::params
{

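Review bot: `String $tls_min_version = 'VersionTLS12'` accepts any string, so a typo is only discovered when the API server or kubelet refuses to start; the same parameter list already constrains `$authorization_mode` with `Enum[...]`, so `Enum['VersionTLS10', 'VersionTLS11', 'VersionTLS12'] $tls_min_version = 'VersionTLS12'` would catch it at catalog compile time (extend the list when a newer protocol value is needed). Separately, the default `$tls_cipher_suites` ends with two `TLS_RSA_WITH_AES_*` suites that use static RSA key exchange and so provide no forward secrecy; if they are kept for client compatibility, a one-line comment saying so stops the next reader from assuming the list is ECDHE-only. The parameter list starts before and the class body continues after the hunk.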
4 changes: 4 additions & 0 deletions puppet/modules/kubernetes/manifests/kubelet.pp
Expand Up @@ -57,7 +57,11 @@
) inherits kubernetes::params{
require ::kubernetes

$tls_min_version = $::kubernetes::tls_min_version
$tls_cipher_suites = $::kubernetes::tls_cipher_suites

$post_1_11 = versioncmp($::kubernetes::version, '1.11.0') >= 0
$post_1_10 = versioncmp($::kubernetes::version, '1.10.0') >= 0

if ! $eviction_soft_memory_available_threshold or ! $eviction_soft_memory_available_grace_period {
$_eviction_soft_memory_available_threshold = undef
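Review bot: `$post_1_11` and `$post_1_10` repeat the `versioncmp($::kubernetes::version, ...)` pattern that apiserver.pp also computes for itself, while the kubelet service template still evaluates `scope.function_versioncmp(...)` inline for 1.6.0, so the version gates are now spread across three places. Computing them once in the `::kubernetes` class and reading `$::kubernetes::post_1_10` here, the way `$tls_min_version` is read on the line above, would keep them consistent; this is a style point and may not be worth it if the per-class variables are meant to be overridable. The enclosing class starts before and continues after the hunk.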
4 changes: 2 additions & 2 deletions puppet/modules/kubernetes/spec/classes/apiserver_spec.rb
Expand Up @@ -245,14 +245,14 @@
it {should contain_file(service_file).with_content(/#{Regexp.escape('--insecure-port=')}/)}
end

context 'should not exist after 1.11' do
context 'should exist after 1.11' do
let(:pre_condition) {[
"""
class{'kubernetes': version => '1.11.0'}
"""
]}

it {should_not contain_file(service_file).with_content(/#{Regexp.escape('--insecure-port=')}/)}
it {should contain_file(service_file).with_content(/#{Regexp.escape('--insecure-port=0')}/)}
end
end

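Review bot: The new expectation `/#{Regexp.escape('--insecure-port=0')}/` is an unanchored substring match, so it also passes for any rendered value that merely begins with 0 (e.g. `--insecure-port=0123`); `it {should contain_file(service_file).with_content(/#{Regexp.escape('--insecure-port=0')}\b/)}` pins the value to exactly 0. The context only checks 1.11.0 with the default parameters, while the manifest comment says the port must be 0 "at least up to 1.13"; a second case at a later version, or one with a non-default `apiserver_insecure_port`, would document what is intended when an operator sets the parameter. The enclosing `describe` block starts outside the hunk.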
Expand Up @@ -17,6 +17,9 @@ ExecStart=<%= scope['kubernetes::_dest_dir'] %>/apiserver \
<% else -%>
--allow-privileged=false \
<% end -%>
<% if not @post_1_11 -%>
--repair-malformed-updates=false \
<% end -%>
<% if @_audit_enabled -%>
--audit-policy-file=<%= scope['kubernetes::apiserver::audit_policy_file'] %> \
--audit-log-path=<%= scope['kubernetes::apiserver::audit_log_path'] %> \
Expand Down Expand Up @@ -88,6 +91,7 @@ ExecStart=<%= scope['kubernetes::_dest_dir'] %>/apiserver \
<% end -%>
<%- if scope['kubernetes::_service_account_key_file'] -%>
--service-account-key-file=<%= scope['kubernetes::_service_account_key_file'] %> \
--service-account-lookup \
<% end -%>
<% if @_feature_gates != [] -%>
--feature-gates=<%= @_feature_gates.join(',') %> \
Expand Down Expand Up @@ -135,6 +139,11 @@ ExecStart=<%= scope['kubernetes::_dest_dir'] %>/apiserver \
<% end -%>
<% if @oidc_username_prefix -%>
"--oidc-username-prefix=<%= @oidc_username_prefix %>" \
<% end -%>
--profiling=false \
<% if @post_1_10 -%>
"--tls-min-version=<%= @tls_min_version %>" \
"--tls-cipher-suites=<%= @tls_cipher_suites.join(',') %>" \
<% end -%>
--logtostderr=true

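Review bot: `"--tls-cipher-suites=<%= @tls_cipher_suites.join(',') %>"` is emitted whenever `@post_1_10`, so an operator who overrides `tls_cipher_suites` with `[]` (which the `Array[String]` type allows) gets a flag with an empty value and whatever the binary makes of that, rather than simply omitting the flag; the template already guards `--feature-gates` with `<% if @_feature_gates != [] -%>`, and the same guard around the cipher-suite line keeps the two consistent. The kubelet service template's `--tls-cipher-suites` line has the same shape and would take the same guard. The ExecStart command begins before the first hunk and spans all three.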
Expand Up @@ -30,6 +30,7 @@ ExecStart=<%= scope['kubernetes::_dest_dir'] %>/controller-manager \
--use-service-account-credentials \
<% end -%>
--leader-elect=true \
--profiling=false \
--logtostderr=true

Restart=on-failure
Expand Up @@ -14,6 +14,7 @@ ExecStart=<%= scope['kubernetes::_dest_dir'] %>/scheduler \
<% if @_feature_gates != [] -%>
--feature-gates=<%= @_feature_gates.join(',') %> \
<% end -%>
--profiling=false \
--logtostderr=true

Restart=on-failure
3 changes: 3 additions & 0 deletions puppet/modules/kubernetes/templates/kubelet-config.yaml.erb
@@ -1,5 +1,6 @@
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
readOnlyPort: 0
clusterDNS:
- <%= @cluster_dns %>
clusterDomain: <%= @cluster_domain %>
Expand Down Expand Up @@ -45,6 +46,8 @@ systemReserved:
tlsCertFile: <%= @cert_file %>
tlsPrivateKeyFile: <%= @key_file %>
<% end -%>
tlsCipherSuites: <%= @tls_cipher_suites.inspect %>
tlsMinVersion: <%= @tls_min_version %>
evictionHard:
<% if !@eviction_hard_memory_available_threshold.nil? and @eviction_hard_memory_available_threshold != 'nil' -%>
memory.available: <%= @eviction_hard_memory_available_threshold %>
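Review bot: `tlsCipherSuites: <%= @tls_cipher_suites.inspect %>` relies on Ruby's `Array#inspect` output (`["A", "B"]`) happening to be a valid YAML flow sequence; that holds for plain cipher-suite names, but it is a Ruby literal rather than YAML and would break for any value that needs Ruby-specific escaping. Emitting the list explicitly, e.g. `tlsCipherSuites: [<%= @tls_cipher_suites.map { |s| "'#{s}'" }.join(', ') %>]`, or at least an ERB comment `<%# inspect yields a YAML flow sequence for plain strings -%>`, makes the intent clear. Unlike the service templates, `tlsMinVersion`/`tlsCipherSuites` carry no `@post_1_10` gate here, presumably because this file is only handed to the kubelet via `--config` on 1.11+; a comment saying so would save the next reader the cross-check.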
8 changes: 8 additions & 0 deletions puppet/modules/kubernetes/templates/kubelet.service.erb
Expand Up @@ -12,6 +12,9 @@ ExecStartPre=/bin/sh -e -c "iptables -C PREROUTING -p tcp --destination 169.254.
<% end -%>
ExecStart=<%= scope['kubernetes::_dest_dir'] %>/kubelet \
--v=<%= scope['kubernetes::log_level'] %> \
<% if not @post_1_11 -%>
--cadvisor-port=0 \
<% end -%>
<% if scope.function_versioncmp([scope['kubernetes::version'], '1.6.0']) >= 0 -%>
<% if @_node_taints_string and @_node_taints_string.length > 0 -%>
"--register-with-taints=<%= @_node_taints_string %>" \
Expand Down Expand Up @@ -60,6 +63,7 @@ ExecStart=<%= scope['kubernetes::_dest_dir'] %>/kubelet \
<% if @post_1_11 -%>
--config=<%= @config_file %> \
<% else -%>
--read-only-port=0 \
--cluster-dns=<%= @cluster_dns %> \
--cluster-domain=<%= @cluster_domain %> \
<% if @pod_cidr -%>
Expand Down Expand Up @@ -156,6 +160,10 @@ ExecStart=<%= scope['kubernetes::_dest_dir'] %>/kubelet \
<% if @_feature_gates != [] -%>
--feature-gates=<%= @_feature_gates.join(',') %> \
<% end -%>
<% if @post_1_10 -%>
"--tls-min-version=<%= @tls_min_version %>" \
"--tls-cipher-suites=<%= @tls_cipher_suites.join(',') %>" \
<% end -%>
<% end -%>
--logtostderr=true

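Review bot: The new `<% if @post_1_10 -%>` block with `--tls-min-version`/`--tls-cipher-suites` appears to sit inside the `<% else -%>` branch of the `<% if @post_1_11 -%>` from the earlier hunk (if the `<% end -%>` that follows it closes that branch), which would mean the flags are passed only on 1.10.x and that 1.11+ relies on the KubeletConfiguration file; that is coherent, but the nesting is hard to see across hunks, so an ERB comment such as `<%# 1.10.x only: on 1.11+ tlsMinVersion/tlsCipherSuites come from the kubelet config file -%>` on the line before the block would make the intent explicit. `--read-only-port=0` is likewise added only in the pre-1.11 branch while `readOnlyPort: 0` goes into the config file, which the same comment can cover. The ExecStart command begins before the first hunk and spans all three.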
