增加[可选]OS安全加固脚本

pull/199/merge
gjmzj 2018-05-19 22:40:41 +08:00
parent a0d3ac6ec9
commit 58ccd3bc88
13 changed files with 32 additions and 80 deletions


@ -1,3 +1,8 @@
# [可选]操作系统安全加固 https://github.com/dev-sec/ansible-os-hardening
- hosts: all
roles:
- { role: os-harden, when: "OS_HARDEN is defined and OS_HARDEN == 'yes'" }
# 在deploy节点生成CA相关证书以及kubedns.yaml配置文件
- hosts: deploy
roles:
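Review bot: The gate `when: "OS_HARDEN is defined and OS_HARDEN == 'yes'"` is a case-sensitive string comparison, so an inventory value of `Yes`, `true` or `1` silently leaves every host unhardened with no warning, and the same literal is repeated in the harbor, new-node, new-master and the second `hosts: all` playbook in this commit. Consider `when: "OS_HARDEN is defined and OS_HARDEN | bool"`, which accepts the usual truthy spellings while still treating the shipped `"no"` as false; if the exact `yes` spelling is intended, say so in the comment above the play. Note also that this play targets `hosts: all`, so the deploy host receives the role's sysctl defaults as well; a short comment such as `# 注意：hosts: all 包含 deploy 节点` would make that explicit.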


@ -1,5 +1,6 @@
- hosts: harbor
roles:
- { role: os-harden, when: "OS_HARDEN is defined and OS_HARDEN == 'yes'" }
- prepare
- docker
- harbor


@ -1,5 +1,6 @@
- hosts: new-node
roles:
- { role: os-harden, when: "OS_HARDEN is defined and OS_HARDEN == 'yes'" }
- prepare
- docker
- kube-node


@ -8,6 +8,7 @@
- hosts: new-master
roles:
- { role: os-harden, when: "OS_HARDEN is defined and OS_HARDEN == 'yes'" }
- prepare
- docker
- kube-master


@ -1,3 +1,8 @@
# [可选]操作系统安全加固 https://github.com/dev-sec/ansible-os-hardening
- hosts: all
roles:
- { role: os-harden, when: "OS_HARDEN is defined and OS_HARDEN == 'yes'" }
# 在deploy节点生成CA相关证书以供整个集群使用
# 以及初始化kubedns.yaml配置文件
- hosts: deploy


@ -75,6 +75,9 @@ BASIC_AUTH_USER="admin"
BASIC_AUTH_PASS="test1234"
# ---------附加参数--------------------
#是否对操作系统进行安全加固 "yes"/"no"
OS_HARDEN="no"
#默认二进制文件目录
bin_dir="/opt/kube/bin"
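Review bot: The new comment above `OS_HARDEN="no"` only lists the two values; it does not tell the operator that the gate in the playbooks matches the exact lowercase `yes`, nor that enabling it applies the os-harden role's kernel `sysctl_config` defaults to every inventory host. Propose `#是否对操作系统进行安全加固 "yes"/"no"（仅小写 "yes" 生效；会修改 sysctl 等系统配置，建议先在测试环境验证）`. The same line is added to the other two example hosts files in this commit and should carry the same comment.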


@ -92,6 +92,9 @@ BASIC_AUTH_USER="admin"
BASIC_AUTH_PASS="test1234"
# ---------附加参数--------------------
#是否对操作系统进行安全加固 "yes"/"no"
OS_HARDEN="no"
#默认二进制文件目录
bin_dir="/opt/kube/bin"


@ -79,6 +79,9 @@ BASIC_AUTH_USER="admin"
BASIC_AUTH_PASS="test1234"
# ---------附加参数--------------------
#是否对操作系统进行安全加固 "yes"/"no"
OS_HARDEN="no"
#默认二进制文件目录
bin_dir="/opt/kube/bin"


@ -1,4 +0,0 @@
- hosts: localhost
gather_facts: true
roles:
- ansible-os-hardening


@ -53,9 +53,8 @@
copy: src=/etc/kubernetes/kube-proxy.kubeconfig dest=/etc/kubernetes/kube-proxy.kubeconfig
- name: 创建kube-proxy 服务文件
tags: reload-kube-proxy
tags: reload-kube-proxy, upgrade_k8s
template: src=kube-proxy.service.j2 dest=/etc/systemd/system/kube-proxy.service
tags: upgrade_k8s
- name: 开机启用kube-proxy 服务
shell: systemctl enable kube-proxy
@ -63,9 +62,7 @@
- name: 开启kube-proxy 服务
shell: systemctl daemon-reload && systemctl restart kube-proxy
tags:
- reload-kube-proxy
- upgrade_k8s
tags: reload-kube-proxy, upgrade_k8s
# 批准 node 节点首先轮询等待kubelet启动完成
- name: 轮询等待kubelet启动
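Review bot: In the second hunk the explicit list form of `tags` is replaced by the plain scalar `tags: reload-kube-proxy, upgrade_k8s`; Ansible does split comma-separated tag strings, but to any other YAML consumer (yamllint, ansible-lint schema checks, editors) that is a single tag named `reload-kube-proxy, upgrade_k8s`. The merge in the first hunk is the real fix — the old task carried two `tags:` keys, and most loaders, Ansible's included, keep the last one, so `reload-kube-proxy` was being silently dropped there. For both tasks the one-line but unambiguous form is `tags: [reload-kube-proxy, upgrade_k8s]`. The enclosing task list continues outside the hunk.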


@ -1,70 +0,0 @@
---
- name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
hosts: localhost
roles:
- ansible-os-hardening
pre_tasks:
- name: Run the equivalent of "apt-get update" as a separate step
apt:
update_cache: yes
when: ansible_os_family == 'Debian'
vars:
os_security_users_allow: change_user
os_security_kernel_enable_core_dump: false
os_security_suid_sgid_remove_from_unknown: true
os_auth_pam_passwdqc_enable: false
os_desktop_enable: true
os_env_extra_user_paths: ['/home']
os_auth_allow_homeless: true
os_security_suid_sgid_blacklist: ['/bin/umount']
os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
os_filesystem_whitelist: ['vfat']
sysctl_config:
net.ipv4.ip_forward: 0
net.ipv6.conf.all.forwarding: 0
net.ipv6.conf.all.accept_ra: 0
net.ipv6.conf.default.accept_ra: 0
net.ipv4.conf.all.rp_filter: 1
net.ipv4.conf.default.rp_filter: 1
net.ipv4.icmp_echo_ignore_broadcasts: 1
net.ipv4.icmp_ignore_bogus_error_responses: 1
net.ipv4.icmp_ratelimit: 100
net.ipv4.icmp_ratemask: 88089
net.ipv6.conf.all.disable_ipv6: 1
net.ipv4.conf.all.arp_ignore: 1
net.ipv4.conf.all.arp_announce: 2
net.ipv4.conf.all.shared_media: 1
net.ipv4.conf.default.shared_media: 1
net.ipv4.conf.all.accept_source_route: 0
net.ipv4.conf.default.accept_source_route: 0
net.ipv4.conf.default.accept_redirects: 0
net.ipv4.conf.all.accept_redirects: 0
net.ipv4.conf.all.secure_redirects: 0
net.ipv4.conf.default.secure_redirects: 0
net.ipv6.conf.default.accept_redirects: 0
net.ipv6.conf.all.accept_redirects: 0
net.ipv4.conf.all.send_redirects: 0
net.ipv4.conf.default.send_redirects: 0
net.ipv4.conf.all.log_martians: 1
net.ipv6.conf.default.router_solicitations: 0
net.ipv6.conf.default.accept_ra_rtr_pref: 0
net.ipv6.conf.default.accept_ra_pinfo: 0
net.ipv6.conf.default.accept_ra_defrtr: 0
net.ipv6.conf.default.autoconf: 0
net.ipv6.conf.default.dad_transmits: 0
net.ipv6.conf.default.max_addresses: 1
kernel.sysrq: 0
fs.suid_dumpable: 0
kernel.randomize_va_space: 2
- name: wrapper playbook for kitchen testing "ansible-os-hardening"
hosts: localhost
pre_tasks:
- name: Run the equivalent of "apt-get update" as a separate step
apt:
update_cache: yes
when: ansible_os_family == 'Debian'
roles:
- ansible-os-hardening


@ -53,7 +53,7 @@ ufw_ipt_modules: 'nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns'
sysctl_config:
# Disable IPv4 traffic forwarding. | sysctl-01
net.ipv4.ip_forward: 0
net.ipv4.ip_forward: 1
# Disable IPv6 traffic forwarding. | sysctl-19
net.ipv6.conf.all.forwarding: 0
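Review bot: `net.ipv4.ip_forward` is flipped to `1` directly inside the vendored role's defaults while the comment above it still reads `# Disable IPv4 traffic forwarding. | sysctl-01`, so the file now contradicts itself, and the next refresh of the role from upstream would silently restore `0` on every hardened node, which is likely to break pod-to-pod routing. Prefer an override from the playbook that applies the role if the vendored version offers a per-key override variable; since `sysctl_config` is one mapping, a plain playbook-level `sysctl_config:` would replace the whole map rather than one key, so check the role before choosing that route. At minimum change the comment to `# Enable IPv4 traffic forwarding (required by Kubernetes pod networking; upstream default is 0). | sysctl-01` and note the local modification in the role directory. The unchanged `net.ipv6.conf.all.forwarding: 0` below deserves the same look if any cluster uses IPv6 pod networking.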


@ -1,4 +1,11 @@
---
- name: 缓存ansilbe setup信息
setup: gather_subset=all
- name: apt更新缓存刷新
apt: update_cache=yes cache_valid_time=72000
when: ansible_os_family == 'Debian'
- name: Set OS family dependent variables
include_vars: '{{ ansible_os_family }}.yml'
tags: always