From 97b4d79ed565c033abd1fe91e7304eddbd6d9f39 Mon Sep 17 00:00:00 2001 From: Alessio Greggi Date: Fri, 17 Jun 2022 10:34:32 +0200 Subject: [PATCH] feat: make kubernetes owner parametrized (#8952) * feat: make kubernetes owner parametrized * docs: update hardening guide with configuration for CIS 1.1.19 * fix: set etcd data directory permissions to be compliant to CIS 1.1.12 --- docs/hardening.md | 4 ++++ inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml | 3 +++ roles/adduser/defaults/main.yml | 1 + roles/adduser/tasks/main.yml | 1 + .../cri-dockerd/molecule/default/prepare.yml | 2 +- .../kata-containers/molecule/default/prepare.yml | 2 +- roles/download/defaults/main.yml | 2 +- roles/etcd/defaults/main.yml | 3 +++ roles/etcd/tasks/gen_certs_script.yml | 8 ++++---- roles/kubernetes/control-plane/defaults/main/etcd.yml | 3 +++ roles/kubernetes/control-plane/tasks/kubeadm-etcd.yml | 7 +++++++ roles/kubernetes/preinstall/defaults/main.yml | 1 + .../preinstall/tasks/0050-create_directories.yml | 4 ++-- roles/kubespray-defaults/defaults/main.yaml | 3 +++ roles/network_plugin/canal/tasks/main.yml | 2 +- roles/network_plugin/cni/tasks/main.yml | 2 +- roles/network_plugin/kube-router/tasks/main.yml | 6 +++--- 17 files changed, 40 insertions(+), 14 deletions(-) diff --git a/docs/hardening.md b/docs/hardening.md index 7dd42e0ef..180979ed6 100644 --- a/docs/hardening.md +++ b/docs/hardening.md @@ -84,6 +84,10 @@ kubelet_rotate_certificates: true kubelet_streaming_connection_idle_timeout: "5m" kubelet_make_iptables_util_chains: true kubelet_feature_gates: ["RotateKubeletServerCertificate=true"] + +# additional configurations +kube_owner: root +kube_cert_group: root ``` Let's take a deep look to the resultant **kubernetes** configuration: diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml index d31139479..fe41e916a 100644 --- a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml 
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml @@ -25,6 +25,9 @@ local_release_dir: "/tmp/releases" # Random shifts for retrying failed ops like pushing/downloading retry_stagger: 5 +# This is the user that owns tha cluster installation. +kube_owner: kube + # This is the group that the cert creation scripts chgrp the # cert files to. Not really changeable... kube_cert_group: kube-cert diff --git a/roles/adduser/defaults/main.yml b/roles/adduser/defaults/main.yml index c7f683710..3c692343a 100644 --- a/roles/adduser/defaults/main.yml +++ b/roles/adduser/defaults/main.yml @@ -1,4 +1,5 @@ --- +kube_owner: kube kube_cert_group: kube-cert etcd_data_dir: "/var/lib/etcd" diff --git a/roles/adduser/tasks/main.yml b/roles/adduser/tasks/main.yml index 774eb412b..a36467977 100644 --- a/roles/adduser/tasks/main.yml +++ b/roles/adduser/tasks/main.yml @@ -13,3 +13,4 @@ shell: "{{ user.shell|default(omit) }}" name: "{{ user.name }}" system: "{{ user.system|default(omit) }}" + when: kube_owner != "root" diff --git a/roles/container-engine/cri-dockerd/molecule/default/prepare.yml b/roles/container-engine/cri-dockerd/molecule/default/prepare.yml index 77e48b083..c54feaca2 100644 --- a/roles/container-engine/cri-dockerd/molecule/default/prepare.yml +++ b/roles/container-engine/cri-dockerd/molecule/default/prepare.yml @@ -35,7 +35,7 @@ file: path: /etc/cni/net.d state: directory - owner: kube + owner: "{{ kube_owner }}" mode: 0755 - name: Setup CNI copy: diff --git a/roles/container-engine/kata-containers/molecule/default/prepare.yml b/roles/container-engine/kata-containers/molecule/default/prepare.yml index 9299a7e2d..8a0978f56 100644 --- a/roles/container-engine/kata-containers/molecule/default/prepare.yml +++ b/roles/container-engine/kata-containers/molecule/default/prepare.yml @@ -36,7 +36,7 @@ file: path: /etc/cni/net.d state: directory - owner: kube + owner: "{{ kube_owner }}" mode: 0755 - name: Setup CNI copy: 
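Review bot: The new comment reads `tha cluster installation`; it should be `# This is the user that owns the cluster installation.`, and the same typo is repeated in the roles/kubespray-defaults/defaults/main.yaml hunk. Since the adduser hunk in this patch skips user creation whenever `kube_owner` is `root`, this comment is also the place to say so, e.g. `# Set to root to skip creating a dedicated user (see docs/hardening.md).` Note that docs/hardening.md now recommends `kube_cert_group: root` while the unchanged comment two lines below still describes that group as "Not really changeable..."; the two should agree.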
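Review bot: The added `when: kube_owner != "root"` gates the whole user-creation task on `kube_owner`, but the task is driven by `user.name` / `user.shell`, which suggests the role is invoked once per user (an `etcd` user is implied by `etcd_owner: etcd` elsewhere in this patch); if so, setting `kube_owner: root` silently skips creating those other users too, and the later `owner: "{{ etcd_owner }}"` tasks fail at chown. Tying the guard to the user actually being created keeps the intent, e.g. `when: kube_owner != "root" or user.name != "kube"`. The task's `user:` header and its first arguments are outside the hunk, so the loop shape is inferred.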
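Review bot: `owner: "{{ kube_owner }}"` is now referenced from a molecule prepare playbook, which typically runs the role under test without kubespray-defaults in the play; if `kube_owner` is not defined in this play's vars, the task now fails with an undefined variable where the literal `owner: kube` used to work. Either add `kube_owner: kube` to the prepare play's `vars:` or write `owner: "{{ kube_owner | default('kube') }}"`. The same applies to the kata-containers molecule/default/prepare.yml hunk. The enclosing `file:` task starts outside the hunk.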
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml index 039fccea1..cac0d3697 100644 --- a/roles/download/defaults/main.yml +++ b/roles/download/defaults/main.yml @@ -1614,5 +1614,5 @@ download_defaults: version: None url: None unarchive: false - owner: kube + owner: "{{ kube_owner }}" mode: None diff --git a/roles/etcd/defaults/main.yml b/roles/etcd/defaults/main.yml index 32971bc71..79ed16493 100644 --- a/roles/etcd/defaults/main.yml +++ b/roles/etcd/defaults/main.yml @@ -1,4 +1,7 @@ --- +# Set etcd user +etcd_owner: etcd + # Set to false to only do certificate management etcd_cluster_setup: true etcd_events_cluster_setup: false diff --git a/roles/etcd/tasks/gen_certs_script.yml b/roles/etcd/tasks/gen_certs_script.yml index 680df69db..cf5580bb8 100644 --- a/roles/etcd/tasks/gen_certs_script.yml +++ b/roles/etcd/tasks/gen_certs_script.yml @@ -4,7 +4,7 @@ path: "{{ etcd_cert_dir }}" group: "{{ etcd_cert_group }}" state: directory - owner: kube + owner: "{{ etcd_owner }}" mode: "{{ etcd_cert_dir_mode }}" recurse: yes @@ -81,7 +81,7 @@ dest: "{{ item.item }}" content: "{{ item.content | b64decode }}" group: "{{ etcd_cert_group }}" - owner: kube + owner: "{{ etcd_owner }}" mode: 0640 with_items: "{{ etcd_master_certs.results }}" when: @@ -111,7 +111,7 @@ dest: "{{ item.item }}" content: "{{ item.content | b64decode }}" group: "{{ etcd_cert_group }}" - owner: kube + owner: "{{ etcd_owner }}" mode: 0640 with_items: "{{ etcd_master_node_certs.results }}" when: @@ -165,6 +165,6 @@ path: "{{ etcd_cert_dir }}" group: "{{ etcd_cert_group }}" state: directory - owner: kube + owner: "{{ etcd_owner }}" mode: "{{ etcd_cert_dir_mode }}" recurse: yes diff --git a/roles/kubernetes/control-plane/defaults/main/etcd.yml b/roles/kubernetes/control-plane/defaults/main/etcd.yml index 60e934bc2..344ce9b35 100644 --- a/roles/kubernetes/control-plane/defaults/main/etcd.yml +++ b/roles/kubernetes/control-plane/defaults/main/etcd.yml 
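Review bot: The comment `# Set etcd user` undersells what `etcd_owner` controls: in this patch it becomes the owner of the etcd cert directory and cert files (gen_certs_script.yml) and both owner and group of the etcd data directory (kubeadm-etcd.yml), so a group of the same name must exist as well. Suggest `# User (and group of the same name) that owns etcd certificates and the etcd data directory`. The same default is declared again in roles/kubernetes/control-plane/defaults/main/etcd.yml with a different comment; declaring it once, next to `kube_owner` in kubespray-defaults, would keep the two from drifting apart.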
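Review bot: Switching the cert dir and cert files to `owner: "{{ etcd_owner }}"` assumes the `etcd` user exists on every host these tasks run on, whereas the previous `kube` owner was created cluster-wide; the `etcd_master_node_certs` loop in the @@ -111 hunk writes client certs onto control-plane nodes, which need not be etcd members, and `file`/`copy` fail at chown when the user is unknown. This also interacts with the adduser hunk: with `kube_owner: root` the user-creation task is skipped for every user passed to that role, so the etcd user may be missing even on etcd hosts, if that role is what creates it. Worth either ensuring the etcd user is created wherever these tasks run or falling back, e.g. `owner: "{{ etcd_owner if inventory_hostname in groups['etcd'] else kube_owner }}"`. The same applies to the @@ -4, @@ -81 and @@ -165 hunks of this file.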
@@ -1,4 +1,7 @@ --- +# Set etcd user/group +etcd_owner: etcd + # Note: This does not set up DNS entries. It simply adds the following DNS # entries to the certificate etcd_cert_alt_names: diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-etcd.yml b/roles/kubernetes/control-plane/tasks/kubeadm-etcd.yml index 8c0c47bb7..1e97ac240 100644 --- a/roles/kubernetes/control-plane/tasks/kubeadm-etcd.yml +++ b/roles/kubernetes/control-plane/tasks/kubeadm-etcd.yml @@ -16,3 +16,10 @@ import_role: name: etcdctl when: etcd_deployment_type == "kubeadm" + +- name: Set ownership for etcd data directory + file: + path: "{{ etcd_data_dir }}" + owner: "{{ etcd_owner }}" + group: "{{ etcd_owner }}" + mode: 0700 diff --git a/roles/kubernetes/preinstall/defaults/main.yml b/roles/kubernetes/preinstall/defaults/main.yml index fc17b79d4..9624ea6fa 100644 --- a/roles/kubernetes/preinstall/defaults/main.yml +++ b/roles/kubernetes/preinstall/defaults/main.yml @@ -22,6 +22,7 @@ common_required_pkgs: # GCE docker repository disable_ipv6_dns: false +kube_owner: kube kube_cert_group: kube-cert kube_config_dir: /etc/kubernetes kube_cert_dir: "{{ kube_config_dir }}/ssl" diff --git a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml index 0c6ded0f9..35d7e04df 100644 --- a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml +++ b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml @@ -3,7 +3,7 @@ file: path: "{{ item }}" state: directory - owner: kube + owner: "{{ kube_owner }}" mode: 0755 when: inventory_hostname in groups['k8s_cluster'] become: true @@ -71,7 +71,7 @@ file: path: "{{ item }}" state: directory - owner: kube + owner: "{{ kube_owner }}" mode: 0755 with_items: - "/etc/cni/net.d" diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml index 756c6f7c3..9a6c58c0c 100644 --- a/roles/kubespray-defaults/defaults/main.yaml 
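Review bot: The new `Set ownership for etcd data directory` task calls `file` without `state: directory`, so if `{{ etcd_data_dir }}` does not yet exist when this runs (possible before the kubeadm etcd static pod has started) the module errors out on the absent path instead of creating it; add `state: directory` under `file:`. The task also carries no `when:`, unlike the preceding `import_role` with `when: etcd_deployment_type == "kubeadm"`, which is fine only if this file is itself included for kubeadm deployments alone; otherwise it should carry the same condition. `mode: 0700` depends on YAML 1.1 octal parsing, consistent with the rest of the project, but `mode: "0700"` is the form Ansible documents and survives YAML 1.2 loaders.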
+++ b/roles/kubespray-defaults/defaults/main.yaml @@ -153,6 +153,9 @@ kube_cert_compat_dir: "/etc/kubernetes/pki" # This is where all of the bearer tokens will be stored kube_token_dir: "{{ kube_config_dir }}/tokens" +# This is the user that owns tha cluster installation. +kube_owner: kube + # This is the group that the cert creation scripts chgrp the # cert files to. Not really changeable... kube_cert_group: kube-cert diff --git a/roles/network_plugin/canal/tasks/main.yml b/roles/network_plugin/canal/tasks/main.yml index 5d7637289..0d62b16ee 100644 --- a/roles/network_plugin/canal/tasks/main.yml +++ b/roles/network_plugin/canal/tasks/main.yml @@ -4,7 +4,7 @@ src: "cni-canal.conflist.j2" dest: "/etc/cni/net.d/canal.conflist.template" mode: 0644 - owner: kube + owner: "{{ kube_owner }}" register: canal_conflist notify: reset_canal_cni diff --git a/roles/network_plugin/cni/tasks/main.yml b/roles/network_plugin/cni/tasks/main.yml index d9f46939c..b8bcec322 100644 --- a/roles/network_plugin/cni/tasks/main.yml +++ b/roles/network_plugin/cni/tasks/main.yml @@ -4,7 +4,7 @@ path: /opt/cni/bin state: directory mode: 0755 - owner: kube + owner: "{{ kube_owner }}" recurse: true - name: CNI | Copy cni plugins diff --git a/roles/network_plugin/kube-router/tasks/main.yml b/roles/network_plugin/kube-router/tasks/main.yml index 6cda7fe35..4cc078ae7 100644 --- a/roles/network_plugin/kube-router/tasks/main.yml +++ b/roles/network_plugin/kube-router/tasks/main.yml @@ -7,7 +7,7 @@ file: path: /var/lib/kube-router state: directory - owner: kube + owner: "{{ kube_owner }}" recurse: true mode: 0755 @@ -16,7 +16,7 @@ src: kubeconfig.yml.j2 dest: /var/lib/kube-router/kubeconfig mode: 0644 - owner: kube + owner: "{{ kube_owner }}" notify: - reset_kube_router @@ -44,7 +44,7 @@ src: cni-conf.json.j2 dest: /etc/cni/net.d/10-kuberouter.conflist mode: 0644 - owner: kube + owner: "{{ kube_owner }}" notify: - reset_kube_router