fix 安全加固允许ip_forward

pull/641/head
gjmzj 2019-06-05 20:41:09 +08:00
parent d0a481cd09
commit e0392acef0
2 changed files with 7 additions and 8 deletions


@ -1,11 +1,10 @@
# to clean 'lb' service # to clean 'lb' service
- block: - block:
- name: stop keepalived service - name: rm service keepalived and haproxy
shell: systemctl disable keepalived && systemctl stop keepalived service: name={{ item }} state=stopped enabled=no
ignore_errors: true with_items:
- keepalived
- name: stop haproxy service - haproxy
shell: systemctl disable haproxy && systemctl stop haproxy
ignore_errors: true ignore_errors: true
- name: remove files and dirs - name: remove files and dirs
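Review bot: The new `service:` task passes its arguments as a `key=value` string with an unquoted `{{ item }}` and `enabled=no`; native YAML arguments (`name: "{{ item }}"`, `state: stopped`, `enabled: false`) avoid string-parsing surprises and pass linting. The task keeps `ignore_errors: true`, so a failure to stop keepalived or haproxy for any reason other than the unit being absent stays silent, and the load balancer could still be running after the clean-up; registering the result and checking it would make that visible. The task name says "rm service" although the task only stops and disables the units. The enclosing `block:` continues past the end of this hunk.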


@ -7,8 +7,8 @@
os_security_suid_sgid_whitelist: ['/usr/bin/rlogin'] os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
os_filesystem_whitelist: ['vfat'] os_filesystem_whitelist: ['vfat']
sysctl_config: sysctl_config:
net.ipv4.ip_forward: 0 net.ipv4.ip_forward: 1
net.ipv6.conf.all.forwarding: 0 net.ipv6.conf.all.forwarding: 1
net.ipv6.conf.all.accept_ra: 0 net.ipv6.conf.all.accept_ra: 0
net.ipv6.conf.default.accept_ra: 0 net.ipv6.conf.default.accept_ra: 0
net.ipv4.conf.all.rp_filter: 1 net.ipv4.conf.all.rp_filter: 1
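Review bot: Both forwarding keys in `sysctl_config` change from 0 to 1 with no comment recording why a hardening default is being relaxed, and the new value applies to every host that receives these defaults. Presumably forwarding is needed for container traffic on the cluster nodes; if so, a comment such as `# forwarding is required for container networking; keep the firewall FORWARD policy restrictive` above `net.ipv4.ip_forward: 1` would document that. `net.ipv6.conf.all.forwarding: 1` goes further than the commit title asks for, and unless IPv6 pod networking is in use it could stay at 0. The `sysctl_config` mapping may continue beyond this hunk.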