From d8e5fcd95619a3cc3b52760d724a6bd3d1d28314 Mon Sep 17 00:00:00 2001
From: Christian Simon
Date: Thu, 22 Nov 2018 14:46:09 +0000
Subject: [PATCH 1/6] Disable profiling endpoints for controlplane

Signed-off-by: Christian Simon
---
 puppet/modules/kubernetes/templates/kube-apiserver.service.erb | 1 +
 .../kubernetes/templates/kube-controller-manager.service.erb | 1 +
 puppet/modules/kubernetes/templates/kube-scheduler.service.erb | 1 +
 3 files changed, 3 insertions(+)

diff --git a/puppet/modules/kubernetes/templates/kube-apiserver.service.erb b/puppet/modules/kubernetes/templates/kube-apiserver.service.erb
index e3d3c76af5..bfbec80301 100644
--- a/puppet/modules/kubernetes/templates/kube-apiserver.service.erb
+++ b/puppet/modules/kubernetes/templates/kube-apiserver.service.erb
@@ -136,6 +136,7 @@ ExecStart=<%= scope['kubernetes::_dest_dir'] %>/apiserver \
 <% if @oidc_username_prefix -%>
 "--oidc-username-prefix=<%= @oidc_username_prefix %>" \
 <% end -%>
+ --profiling=false \
 --logtostderr=true
 
 Restart=on-failure
diff --git a/puppet/modules/kubernetes/templates/kube-controller-manager.service.erb b/puppet/modules/kubernetes/templates/kube-controller-manager.service.erb
index cd735fc5b4..4edf044f06 100644
--- a/puppet/modules/kubernetes/templates/kube-controller-manager.service.erb
+++ b/puppet/modules/kubernetes/templates/kube-controller-manager.service.erb
@@ -30,6 +30,7 @@ ExecStart=<%= scope['kubernetes::_dest_dir'] %>/controller-manager \
 --use-service-account-credentials \
 <% end -%>
 --leader-elect=true \
+ --profiling=false \
 --logtostderr=true
 
 Restart=on-failure
diff --git a/puppet/modules/kubernetes/templates/kube-scheduler.service.erb b/puppet/modules/kubernetes/templates/kube-scheduler.service.erb
index 34d6a181f7..cc38378f7f 100644
--- a/puppet/modules/kubernetes/templates/kube-scheduler.service.erb
+++ b/puppet/modules/kubernetes/templates/kube-scheduler.service.erb
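Review bot: `--profiling=false` in the controller-manager ExecStart removes `/debug/pprof`, but the `/metrics` and `/healthz` handlers are still served on the same unauthenticated HTTP port unless the listener is pinned to loopback, and no `--address` appears in this hunk (the ExecStart block starts above it, so it may already be set there). If it is not, add ` --address=127.0.0.1 \` beside the new line, or on releases that offer a `--secure-port` for the controller-manager set that and `--port=0`. The scheduler hunk in the next patch has the same shape and deserves the same check.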
@@ -14,6 +14,7 @@ ExecStart=<%= scope['kubernetes::_dest_dir'] %>/scheduler \
 <% if @_feature_gates != [] -%>
 --feature-gates=<%= @_feature_gates.join(',') %> \
 <% end -%>
+ --profiling=false \
 --logtostderr=true
 
 Restart=on-failure

From 63303a7d67c49649166865aea9fcef52f24441f6 Mon Sep 17 00:00:00 2001
From: Christian Simon
Date: Thu, 22 Nov 2018 14:46:32 +0000
Subject: [PATCH 2/6] Ensure service accounts are looked up in etcd

Signed-off-by: Christian Simon
---
 puppet/modules/kubernetes/templates/kube-apiserver.service.erb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/puppet/modules/kubernetes/templates/kube-apiserver.service.erb b/puppet/modules/kubernetes/templates/kube-apiserver.service.erb
index bfbec80301..08523fd286 100644
--- a/puppet/modules/kubernetes/templates/kube-apiserver.service.erb
+++ b/puppet/modules/kubernetes/templates/kube-apiserver.service.erb
@@ -88,6 +88,7 @@ ExecStart=<%= scope['kubernetes::_dest_dir'] %>/apiserver \
 <% end -%>
 <%- if scope['kubernetes::_service_account_key_file'] -%>
 --service-account-key-file=<%= scope['kubernetes::_service_account_key_file'] %> \
+ --service-account-lookup \
 <% end -%>
 <% if @_feature_gates != [] -%>
 --feature-gates=<%= @_feature_gates.join(',') %> \

From 89c2d513cfec613e3725ea78b173994bb40ebb14 Mon Sep 17 00:00:00 2001
From: Christian Simon
Date: Thu, 22 Nov 2018 14:47:55 +0000
Subject: [PATCH 3/6] Disable read-only ports of the kubelet

Signed-off-by: Christian Simon
---
 puppet/modules/kubernetes/templates/kubelet-config.yaml.erb | 1 +
 puppet/modules/kubernetes/templates/kubelet.service.erb | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/puppet/modules/kubernetes/templates/kubelet-config.yaml.erb b/puppet/modules/kubernetes/templates/kubelet-config.yaml.erb
index e98a8f25a5..41fd75552e 100644
--- a/puppet/modules/kubernetes/templates/kubelet-config.yaml.erb
+++ b/puppet/modules/kubernetes/templates/kubelet-config.yaml.erb
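Review bot: `--service-account-lookup` is rendered only inside the `<%- if scope['kubernetes::_service_account_key_file'] -%>` guard, yet looking a token's service account and secret up in etcd is independent of which key verifies the token, so a deployment that leaves the key file unset gets no explicit lookup setting and silently relies on whatever that release defaults to. Move the line below the `<% end -%>` so it is emitted unconditionally, and write it as `--service-account-lookup=true \` so the intent survives a future change of the default. A short ERB comment, `<%# reject tokens whose service account or secret no longer exist %>`, would record why the flag is there.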
@@ -1,5 +1,6 @@
 kind: KubeletConfiguration
 apiVersion: kubelet.config.k8s.io/v1beta1
+readOnlyPort: 0
 clusterDNS:
 - <%= @cluster_dns %>
 clusterDomain: <%= @cluster_domain %>
diff --git a/puppet/modules/kubernetes/templates/kubelet.service.erb b/puppet/modules/kubernetes/templates/kubelet.service.erb
index fea146cc5b..f4e818556b 100644
--- a/puppet/modules/kubernetes/templates/kubelet.service.erb
+++ b/puppet/modules/kubernetes/templates/kubelet.service.erb
@@ -12,6 +12,9 @@ ExecStartPre=/bin/sh -e -c "iptables -C PREROUTING -p tcp --destination 169.254.
 <% end -%>
 ExecStart=<%= scope['kubernetes::_dest_dir'] %>/kubelet \
 --v=<%= scope['kubernetes::log_level'] %> \
+<% if not @post_1_11 -%>
+ --cadvisor-port=0 \
+<% end -%>
 <% if scope.function_versioncmp([scope['kubernetes::version'], '1.6.0']) >= 0 -%>
 <% if @_node_taints_string and @_node_taints_string.length > 0 -%>
 "--register-with-taints=<%= @_node_taints_string %>" \
@@ -60,6 +63,7 @@ ExecStart=<%= scope['kubernetes::_dest_dir'] %>/kubelet \
 <% if @post_1_11 -%>
 --config=<%= @config_file %> \
 <% else -%>
+ --read-only-port=0 \
 --cluster-dns=<%= @cluster_dns %> \
 --cluster-domain=<%= @cluster_domain %> \
 <% if @pod_cidr -%>

From f8e583d53a51350bc407ae6906bb8bbc23f31290 Mon Sep 17 00:00:00 2001
From: Christian Simon
Date: Thu, 22 Nov 2018 15:37:46 +0000
Subject: [PATCH 4/6] Hardening TLS configuration

Signed-off-by: Christian Simon
---
 puppet/modules/kubernetes/manifests/apiserver.pp | 4 ++++
 puppet/modules/kubernetes/manifests/init.pp | 11 +++++++++++
 puppet/modules/kubernetes/manifests/kubelet.pp | 4 ++++
 .../kubernetes/templates/kube-apiserver.service.erb | 4 ++++
 .../kubernetes/templates/kubelet-config.yaml.erb | 2 ++
 .../modules/kubernetes/templates/kubelet.service.erb | 4 ++++
 6 files changed, 29 insertions(+)

diff --git a/puppet/modules/kubernetes/manifests/apiserver.pp b/puppet/modules/kubernetes/manifests/apiserver.pp
index e71181e417..90beaed8da 100644
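Review bot: `readOnlyPort: 0` closes the unauthenticated 10255 listener, but nothing in this hunk shows how the authenticated port is configured, and lines 2–45 of kubelet-config.yaml.erb are outside it. Unless those lines already set `authentication.anonymous.enabled: false` and `authorization.mode: Webhook`, the kubelet's built-in defaults (anonymous auth on and AlwaysAllow authorization, if I remember the defaults of that era correctly) leave 10250 answering `/pods` and `/exec` to anyone who can reach it, which undoes most of the gain from closing 10255. A comment on the added line, `# 10255 exposes pod specs and node info without auth; keep disabled`, would also stop a later "fix" from re-enabling it.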
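Review bot: the `<% if not @post_1_11 -%>` guard means 1.11.x kubelets receive no `--cadvisor-port=0` at all, and nothing here establishes that 1.11's default already disables the cAdvisor listener on 4194 — the flag was deprecated before it was removed, so 1.11 likely still accepts it and may still default to 4194. Please confirm against the 1.11 kubelet, and if the port is open there, gate on the release that actually dropped the flag rather than on `@post_1_11`. A comment such as `<%# cAdvisor :4194 is unauthenticated; flag removed upstream in a later release %>` would explain the version gate to the next reader; the ExecStart continuation extends beyond both edges of the hunk.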
--- a/puppet/modules/kubernetes/manifests/apiserver.pp +++ b/puppet/modules/kubernetes/manifests/apiserver.pp @@ -52,7 +52,11 @@ $_systemd_after = ['network.target'] + $systemd_after $_systemd_before = $systemd_before + $tls_min_version = $::kubernetes::tls_min_version + $tls_cipher_suites = $::kubernetes::tls_cipher_suites + $post_1_11 = versioncmp($::kubernetes::version, '1.11.0') >= 0 + $post_1_10 = versioncmp($::kubernetes::version, '1.10.0') >= 0 $post_1_9 = versioncmp($::kubernetes::version, '1.9.0') >= 0 $post_1_8 = versioncmp($::kubernetes::version, '1.8.0') >= 0 $post_1_7 = versioncmp($::kubernetes::version, '1.7.0') >= 0 diff --git a/puppet/modules/kubernetes/manifests/init.pp b/puppet/modules/kubernetes/manifests/init.pp index e4ddcbb81b..e06fa8f3de 100644 --- a/puppet/modules/kubernetes/manifests/init.pp +++ b/puppet/modules/kubernetes/manifests/init.pp @@ -33,6 +33,17 @@ Integer[-1,65535] $apiserver_insecure_port = -1, Integer[0,65535] $apiserver_secure_port = 6443, Array[Enum['AlwaysAllow', 'ABAC', 'RBAC']] $authorization_mode = [], + String $tls_min_version = 'VersionTLS12', + Array[String] $tls_cipher_suites = [ + 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', + 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', + 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305', + 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', + 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305', + 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', + 'TLS_RSA_WITH_AES_256_GCM_SHA384', + 'TLS_RSA_WITH_AES_128_GCM_SHA256', + ], ) inherits ::kubernetes::params { diff --git a/puppet/modules/kubernetes/manifests/kubelet.pp b/puppet/modules/kubernetes/manifests/kubelet.pp index 941926f62f..619ee129b1 100644 --- a/puppet/modules/kubernetes/manifests/kubelet.pp +++ b/puppet/modules/kubernetes/manifests/kubelet.pp 
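Review bot: the default `$tls_cipher_suites` ends with `TLS_RSA_WITH_AES_256_GCM_SHA384` and `TLS_RSA_WITH_AES_128_GCM_SHA256`, both static-RSA key exchange with no forward secrecy, so a later compromise of the apiserver or kubelet serving key would decrypt any recorded sessions that negotiated them; drop them unless a known client cannot do ECDHE, and state that reason in a comment above the array if they are kept. `$tls_min_version` is also typed as a bare `String`, so a typo only surfaces when the apiserver rejects the flag at startup — `Enum['VersionTLS10', 'VersionTLS11', 'VersionTLS12'] $tls_min_version = 'VersionTLS12',` catches it at catalog compile time instead. The class parameter list continues on both sides of the hunk.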
@@ -57,7 +57,11 @@ ) inherits kubernetes::params{ require ::kubernetes + $tls_min_version = $::kubernetes::tls_min_version + $tls_cipher_suites = $::kubernetes::tls_cipher_suites + $post_1_11 = versioncmp($::kubernetes::version, '1.11.0') >= 0 + $post_1_10 = versioncmp($::kubernetes::version, '1.10.0') >= 0 if ! $eviction_soft_memory_available_threshold or ! $eviction_soft_memory_available_grace_period { $_eviction_soft_memory_available_threshold = undef diff --git a/puppet/modules/kubernetes/templates/kube-apiserver.service.erb b/puppet/modules/kubernetes/templates/kube-apiserver.service.erb index 08523fd286..8e66067a7d 100644 --- a/puppet/modules/kubernetes/templates/kube-apiserver.service.erb +++ b/puppet/modules/kubernetes/templates/kube-apiserver.service.erb @@ -138,6 +138,10 @@ ExecStart=<%= scope['kubernetes::_dest_dir'] %>/apiserver \ "--oidc-username-prefix=<%= @oidc_username_prefix %>" \ <% end -%> --profiling=false \ +<% if @post_1_10 -%> + "--tls-min-version=<%= @tls_min_version %>" \ + "--tls-cipher-suites=<%= @tls_cipher_suites.join(',') %>" \ +<% end -%> --logtostderr=true Restart=on-failure diff --git a/puppet/modules/kubernetes/templates/kubelet-config.yaml.erb b/puppet/modules/kubernetes/templates/kubelet-config.yaml.erb index 41fd75552e..a2bbcfef28 100644 --- a/puppet/modules/kubernetes/templates/kubelet-config.yaml.erb +++ b/puppet/modules/kubernetes/templates/kubelet-config.yaml.erb @@ -46,6 +46,8 @@ systemReserved: tlsCertFile: <%= @cert_file %> tlsPrivateKeyFile: <%= @key_file %> <% end -%> +tlsCipherSuites: <%= @tls_cipher_suites.inspect %> +tlsMinVersion: <%= @tls_min_version %> evictionHard: <% if !@eviction_hard_memory_available_threshold.nil? and @eviction_hard_memory_available_threshold != 'nil' -%> memory.available: <%= @eviction_hard_memory_available_threshold %> diff --git a/puppet/modules/kubernetes/templates/kubelet.service.erb b/puppet/modules/kubernetes/templates/kubelet.service.erb index f4e818556b..53ef18ba2a 100644 
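Review bot: the `<% if @post_1_10 -%>` guard around `--tls-min-version`/`--tls-cipher-suites` silently drops operator-supplied values on any release before 1.10, leaving the apiserver on the binary's built-in TLS defaults while the Puppet parameters suggest hardening is in force. A hardening knob should fail loudly rather than quietly no-op: in apiserver.pp, where `$post_1_10` is computed, add `if !$post_1_10 { warning('tls_min_version/tls_cipher_suites are ignored before Kubernetes 1.10') }` (or `fail` when the values differ from the defaults). A template comment next to the guard, `<%# --tls-min-version/--tls-cipher-suites are accepted from 1.10 on %>`, would document the gate; the ExecStart block continues on both sides of the hunk.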
--- a/puppet/modules/kubernetes/templates/kubelet.service.erb
+++ b/puppet/modules/kubernetes/templates/kubelet.service.erb
@@ -160,6 +160,10 @@ ExecStart=<%= scope['kubernetes::_dest_dir'] %>/kubelet \
 <% if @_feature_gates != [] -%>
 --feature-gates=<%= @_feature_gates.join(',') %> \
 <% end -%>
+<% if @post_1_10 -%>
+ "--tls-min-version=<%= @tls_min_version %>" \
+ "--tls-cipher-suites=<%= @tls_cipher_suites.join(',') %>" \
+<% end -%>
 <% end -%>
 --logtostderr=true
 

From 68b50a4804d40848067158fd0d3ab21d7cdf2305 Mon Sep 17 00:00:00 2001
From: Christian Simon
Date: Thu, 22 Nov 2018 16:03:20 +0000
Subject: [PATCH 5/6] Disable repair of malformed updates in apiserver

Signed-off-by: Christian Simon
---
 puppet/modules/kubernetes/templates/kube-apiserver.service.erb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/puppet/modules/kubernetes/templates/kube-apiserver.service.erb b/puppet/modules/kubernetes/templates/kube-apiserver.service.erb
index 8e66067a7d..29e0e31fdc 100644
--- a/puppet/modules/kubernetes/templates/kube-apiserver.service.erb
+++ b/puppet/modules/kubernetes/templates/kube-apiserver.service.erb
@@ -17,6 +17,9 @@ ExecStart=<%= scope['kubernetes::_dest_dir'] %>/apiserver \
 <% else -%>
 --allow-privileged=false \
 <% end -%>
+<% if not @post_1_11 -%>
+ --repair-malformed-updates=false \
+<% end -%>
 <% if @_audit_enabled -%>
 --audit-policy-file=<%= scope['kubernetes::apiserver::audit_policy_file'] %> \
 --audit-log-path=<%= scope['kubernetes::apiserver::audit_log_path'] %> \

From 0b2a43176acc1d6c7f9444ef9001db1879969def Mon Sep 17 00:00:00 2001
From: Christian Simon
Date: Thu, 22 Nov 2018 17:32:05 +0000
Subject: [PATCH 6/6] Ensure insecure API endpoint is disabled for 1.11+

Signed-off-by: Christian Simon
---
 puppet/modules/kubernetes/manifests/apiserver.pp | 7 +++++--
 puppet/modules/kubernetes/spec/classes/apiserver_spec.rb | 4 ++--
 2 files changed, 7 insertions(+), 4 deletions(-)

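Review bot: the new `<% if @post_1_10 -%>` block appears to sit in the legacy-flags `else` branch of the `if @post_1_11` conditional (its opening is outside this hunk, so this is inferred from the `<% end -%>` that follows), which makes these two flags effective only for 1.10.x kubelets — 1.11+ gets the values from kubelet-config.yaml and anything older gets neither. That narrow window is not visible from the template alone; a comment on the opening line, `<%# 1.10 only: 1.11+ carries tlsMinVersion/tlsCipherSuites in kubelet-config.yaml %>`, would save the next reader from re-deriving it.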
diff --git a/puppet/modules/kubernetes/manifests/apiserver.pp b/puppet/modules/kubernetes/manifests/apiserver.pp index 90beaed8da..f29b31c6de 100644 --- a/puppet/modules/kubernetes/manifests/apiserver.pp +++ b/puppet/modules/kubernetes/manifests/apiserver.pp @@ -108,11 +108,14 @@ $_oidc_signing_algs = [] } - # Do not set insecure_port variable of the API server on kubernetes 1.11+ + # Do not set etcd_qorum_read if !$post_1_11 { - $insecure_port = $::kubernetes::_apiserver_insecure_port $etcd_quorum_read = true } + + # insecure_port variable of the API server (needs to be set to 0 at least up to 1.13) + $insecure_port = $::kubernetes::_apiserver_insecure_port + $secure_port = $::kubernetes::apiserver_secure_port # Default to etcd3 for versions bigger than 1.5 diff --git a/puppet/modules/kubernetes/spec/classes/apiserver_spec.rb b/puppet/modules/kubernetes/spec/classes/apiserver_spec.rb index 1869026330..4a461afd33 100644 --- a/puppet/modules/kubernetes/spec/classes/apiserver_spec.rb +++ b/puppet/modules/kubernetes/spec/classes/apiserver_spec.rb @@ -245,14 +245,14 @@ it {should contain_file(service_file).with_content(/#{Regexp.escape('--insecure-port=')}/)} end - context 'should not exist after 1.11' do + context 'should exist after 1.11' do let(:pre_condition) {[ """ class{'kubernetes': version => '1.11.0'} """ ]} - it {should_not contain_file(service_file).with_content(/#{Regexp.escape('--insecure-port=')}/)} + it {should contain_file(service_file).with_content(/#{Regexp.escape('--insecure-port=0')}/)} end end
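Review bot: the replacement comment `# Do not set etcd_qorum_read` contradicts the code directly under it, which does set `$etcd_quorum_read = true` for pre-1.11, and misspells the variable; `# Only set etcd_quorum_read before 1.11` says what the block does. Separately, the patch title promises the insecure endpoint is disabled for 1.11+, but the now-unconditional `$insecure_port = $::kubernetes::_apiserver_insecure_port` just passes a value through: whether it is forced to 0 depends on how `_apiserver_insecure_port` is derived, which is outside this hunk, and `apiserver_insecure_port` is still typed `Integer[-1,65535]` in init.pp, so a caller can request an enabled port. A spec case with a non-default `apiserver_insecure_port` on 1.11 would pin which behaviour is intended.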
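Review bot: `/#{Regexp.escape('--insecure-port=0')}/` also matches a rendered `--insecure-port=0` followed by further digits, so the 1.11 case asserts "starts with 0" rather than "disabled"; anchoring it, `it {should contain_file(service_file).with_content(/--insecure-port=0(\s|$)/)}`, makes the expectation exact. The context name `'should exist after 1.11'` now describes the flag's presence rather than the behaviour being tested; `context 'should be forced to 0 after 1.11' do` reads as the actual expectation. The describe block enclosing this context starts and ends outside the hunk.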