feat: make kubernetes owner parametrized (#8952)

* feat: make kubernetes owner parametrized

* docs: update hardening guide with configuration for CIS 1.1.19

* fix: set etcd data directory permissions to be compliant to CIS 1.1.12

docs/hardening.md

@@ -84,6 +84,10 @@ kubelet_rotate_certificates: true
 kubelet_streaming_connection_idle_timeout: "5m"
 kubelet_make_iptables_util_chains: true
 kubelet_feature_gates: ["RotateKubeletServerCertificate=true"]
+
+# additional configurations
+kube_owner: root
+kube_cert_group: root
 ```
 
 Let's take a deep look to the resultant **kubernetes** configuration:

inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml

@@ -25,6 +25,9 @@ local_release_dir: "/tmp/releases"
 # Random shifts for retrying failed ops like pushing/downloading
 retry_stagger: 5
 
+# This is the user that owns tha cluster installation.
+kube_owner: kube
+
 # This is the group that the cert creation scripts chgrp the
 # cert files to. Not really changeable...
 kube_cert_group: kube-cert

roles/adduser/defaults/main.yml

@@ -1,4 +1,5 @@
 ---
+kube_owner: kube
 kube_cert_group: kube-cert
 etcd_data_dir: "/var/lib/etcd"
 

roles/adduser/tasks/main.yml

@@ -13,3 +13,4 @@
     shell: "{{ user.shell|default(omit) }}"
     name: "{{ user.name }}"
     system: "{{ user.system|default(omit) }}"
+  when: kube_owner != "root"

roles/container-engine/cri-dockerd/molecule/default/prepare.yml

@@ -35,7 +35,7 @@
       file:
         path: /etc/cni/net.d
         state: directory
-        owner: kube
+        owner: "{{ kube_owner }}"
         mode: 0755
     - name: Setup CNI
       copy:

roles/container-engine/kata-containers/molecule/default/prepare.yml

@@ -36,7 +36,7 @@
       file:
         path: /etc/cni/net.d
         state: directory
-        owner: kube
+        owner: "{{ kube_owner }}"
         mode: 0755
     - name: Setup CNI
       copy:

roles/download/defaults/main.yml

@@ -1614,5 +1614,5 @@ download_defaults:
   version: None
   url: None
   unarchive: false
-  owner: kube
+  owner: "{{ kube_owner }}"
   mode: None

roles/etcd/defaults/main.yml

@@ -1,4 +1,7 @@
 ---
+# Set etcd user
+etcd_owner: etcd
+
 # Set to false to only do certificate management
 etcd_cluster_setup: true
 etcd_events_cluster_setup: false

roles/etcd/tasks/gen_certs_script.yml

@@ -4,7 +4,7 @@
     path: "{{ etcd_cert_dir }}"
     group: "{{ etcd_cert_group }}"
     state: directory
-    owner: kube
+    owner: "{{ etcd_owner }}"
     mode: "{{ etcd_cert_dir_mode }}"
     recurse: yes
 
@@ -81,7 +81,7 @@
     dest: "{{ item.item }}"
     content: "{{ item.content | b64decode }}"
     group: "{{ etcd_cert_group }}"
-    owner: kube
+    owner: "{{ etcd_owner }}"
     mode: 0640
   with_items: "{{ etcd_master_certs.results }}"
   when:
@@ -111,7 +111,7 @@
     dest: "{{ item.item }}"
     content: "{{ item.content | b64decode }}"
     group: "{{ etcd_cert_group }}"
-    owner: kube
+    owner: "{{ etcd_owner }}"
     mode: 0640
   with_items: "{{ etcd_master_node_certs.results }}"
   when:
@@ -165,6 +165,6 @@
     path: "{{ etcd_cert_dir }}"
     group: "{{ etcd_cert_group }}"
     state: directory
-    owner: kube
+    owner: "{{ etcd_owner }}"
     mode: "{{ etcd_cert_dir_mode }}"
     recurse: yes

roles/kubernetes/control-plane/defaults/main/etcd.yml

@@ -1,4 +1,7 @@
 ---
+# Set etcd user/group
+etcd_owner: etcd
+
 # Note: This does not set up DNS entries. It simply adds the following DNS
 # entries to the certificate
 etcd_cert_alt_names:

roles/kubernetes/control-plane/tasks/kubeadm-etcd.yml

@@ -16,3 +16,10 @@
   import_role:
     name: etcdctl
   when: etcd_deployment_type == "kubeadm"
+
+- name: Set ownership for etcd data directory
+  file:
+    path: "{{ etcd_data_dir }}"
+    owner: "{{ etcd_owner }}"
+    group: "{{ etcd_owner }}"
+    mode: 0700

roles/kubernetes/preinstall/defaults/main.yml

@@ -22,6 +22,7 @@ common_required_pkgs:
 # GCE docker repository
 disable_ipv6_dns: false
 
+kube_owner: kube
 kube_cert_group: kube-cert
 kube_config_dir: /etc/kubernetes
 kube_cert_dir: "{{ kube_config_dir }}/ssl"

roles/kubernetes/preinstall/tasks/0050-create_directories.yml

@@ -3,7 +3,7 @@
   file:
     path: "{{ item }}"
     state: directory
-    owner: kube
+    owner: "{{ kube_owner }}"
     mode: 0755
   when: inventory_hostname in groups['k8s_cluster']
   become: true
@@ -71,7 +71,7 @@
   file:
     path: "{{ item }}"
     state: directory
-    owner: kube
+    owner: "{{ kube_owner }}"
     mode: 0755
   with_items:
     - "/etc/cni/net.d"

roles/kubespray-defaults/defaults/main.yaml

@@ -153,6 +153,9 @@ kube_cert_compat_dir: "/etc/kubernetes/pki"
 # This is where all of the bearer tokens will be stored
 kube_token_dir: "{{ kube_config_dir }}/tokens"
 
+# This is the user that owns tha cluster installation.
+kube_owner: kube
+
 # This is the group that the cert creation scripts chgrp the
 # cert files to. Not really changeable...
 kube_cert_group: kube-cert

roles/network_plugin/canal/tasks/main.yml

@@ -4,7 +4,7 @@
     src: "cni-canal.conflist.j2"
     dest: "/etc/cni/net.d/canal.conflist.template"
     mode: 0644
-    owner: kube
+    owner: "{{ kube_owner }}"
   register: canal_conflist
   notify: reset_canal_cni
 

roles/network_plugin/cni/tasks/main.yml

@@ -4,7 +4,7 @@
     path: /opt/cni/bin
     state: directory
     mode: 0755
-    owner: kube
+    owner: "{{ kube_owner }}"
     recurse: true
 
 - name: CNI | Copy cni plugins

roles/network_plugin/kube-router/tasks/main.yml

@@ -7,7 +7,7 @@
   file:
     path: /var/lib/kube-router
     state: directory
-    owner: kube
+    owner: "{{ kube_owner }}"
     recurse: true
     mode: 0755
 
@@ -16,7 +16,7 @@
     src: kubeconfig.yml.j2
     dest: /var/lib/kube-router/kubeconfig
     mode: 0644
-    owner: kube
+    owner: "{{ kube_owner }}"
   notify:
     - reset_kube_router
 
@@ -44,7 +44,7 @@
     src: cni-conf.json.j2
     dest: /etc/cni/net.d/10-kuberouter.conflist
     mode: 0644
-    owner: kube
+    owner: "{{ kube_owner }}"
   notify:
     - reset_kube_router