From f1566cb8c2d6c89b14e0825e3ed3fe8506489bc8 Mon Sep 17 00:00:00 2001
From: Florian Ruynat <16313165+floryut@users.noreply.github.com>
Date: Thu, 3 Sep 2020 16:41:41 +0200
Subject: [PATCH] Add protectKernelDefaults option (default true) to kubelet config file (#6611)

---
 .../node/templates/kubelet-config.v1beta1.yaml.j2 | 3 +++
 .../preinstall/tasks/0080-system-configurations.yml | 13 +++++++++++++
 roles/kubespray-defaults/defaults/main.yaml | 3 +++
 3 files changed, 19 insertions(+)

diff --git a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2 b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
index b07775d56..f6e62b580 100644
--- a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
+++ b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
@@ -31,6 +31,9 @@ healthzPort: {{ kubelet_healthz_port }}
 healthzBindAddress: {{ kubelet_healthz_bind_address }}
 kubeletCgroups: {{ kubelet_kubelet_cgroups }}
 clusterDomain: {{ dns_domain }}
+{% if kubelet_protect_kernel_defaults|bool %}
+protectKernelDefaults: true
+{% endif %}
 {% if kubelet_rotate_certificates|bool %}
 rotateCertificates: true
 {% endif %}
diff --git a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
index 03716c38a..35cc0b0d5 100644
--- a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
+++ b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
@@ -61,3 +61,16 @@
     value: 1
     state: present
     reload: yes
+
+- name: Ensure kube-bench parameters are set
+  sysctl:
+    sysctl_file: /etc/sysctl.d/bridge-nf-call.conf
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    reload: yes
+  with_items:
+    - { name: vm.overcommit_memory, value: 1 }
+    - { name: kernel.panic, value: 10 }
+    - { name: kernel.panic_on_oops, value: 1 }
+  when: kubelet_protect_kernel_defaults|bool
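Review bot: The `with_items` list in the new `Ensure kube-bench parameters are set` task covers only three of the tunables the kubelet verifies when `protectKernelDefaults` is on; the kubelet also expects `vm.panic_on_oom=0` (and, on newer releases, `kernel.keys.root_maxkeys`/`root_maxbytes`), so a host where an operator has enabled panic-on-OOM will pass this task and then have its kubelet refuse to start. Adding `- { name: vm.panic_on_oom, value: 0 }` to the list closes the gap for the value that is certainly checked; the keyring limits are worth confirming against the kubelet versions Kubespray targets before adding them. Separately, `sysctl_file: /etc/sysctl.d/bridge-nf-call.conf` files memory and panic tunables under a name that describes the bridge netfilter settings, which misleads anyone auditing the host; a dedicated file such as `/etc/sysctl.d/99-kubelet-protect-kernel-defaults.conf` would make the intent visible. `reload: yes` matches the truthy style already used in the context lines above, so I would leave that as is.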
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 9bc38e4ae..9a0cfe50b 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -397,6 +397,9 @@ kubelet_rotate_certificates: true
 # kubelet can also request a new server certificate from the Kubernetes API
 kubelet_rotate_server_certificates: false
 
+# If set to true, kubelet errors if any of kernel tunables is different than kubelet defaults
+kubelet_protect_kernel_defaults: true
+
 ## List of key=value pairs that describe feature gates for
 ## the k8s cluster.
 kube_feature_gates: []
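Review bot: The comment above `kubelet_protect_kernel_defaults` is hard to parse ("if any of kernel tunables is different than") and does not tell the operator what the setting actually changes: with it enabled the kubelet exits at start-up when a tunable it checks (`vm.overcommit_memory`, `vm.panic_on_oom`, `kernel.panic`, `kernel.panic_on_oops`) differs from the value it expects, instead of rewriting that tunable itself. Because the default is `true`, this is a behaviour change for existing clusters that upgrade with a tuned kernel, and this comment is the only place in the defaults an operator would learn that. I would replace the comment with `# When true, kubelet refuses to start if a kernel tunable it checks (vm.overcommit_memory, vm.panic_on_oom,` / `# kernel.panic, kernel.panic_on_oops) differs from the value it expects, instead of changing it; this is the` / `# kube-bench/CIS recommended setting, so set it to false only on hosts that must keep custom values.`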