k3s/tests/e2e/scripts/harden.sh

#!/bin/bash

echo "vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
kernel.keys.root_maxbytes=25000000
" >> /etc/sysctl.d/90-kubelet.conf
sysctl -p /etc/sysctl.d/90-kubelet.conf

mkdir -p /var/lib/rancher/k3s/server
mkdir -m 700 /var/lib/rancher/k3s/server/logs
echo "apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata" >> /var/lib/rancher/k3s/server/audit.yaml

if [ "$1" = "psa" ]; then
    echo "apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    defaults:
      enforce: \"restricted\"
      enforce-version: \"latest\"
      audit: \"restricted\"
      audit-version: \"latest\"
      warn: \"restricted\"
      warn-version: \"latest\"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [kube-system, cis-operator-system]" >> /var/lib/rancher/k3s/server/psa.yaml
fi
Added option to deploy hardened k3s (#5415) Added option to deploy hardened k3s Signed-off-by: Derek Nola <derek.nola@suse.com> 3 years ago			`#!/bin/bash`

			`echo "vm.panic_on_oom=0`
			`vm.overcommit_memory=1`
			`kernel.panic=10`
			`kernel.panic_on_oops=1`
			`kernel.keys.root_maxbytes=25000000`
			`" >> /etc/sysctl.d/90-kubelet.conf`
E2E Rancher and Hardened script improvements (#6778) * Improve test-pad rancher script Signed-off-by: Derek Nola <derek.nola@suse.com> * Improve hardened script and added kube-bench utility script Signed-off-by: Derek Nola <derek.nola@suse.com> * Apply same audits for 1.22 and older Signed-off-by: Derek Nola <derek.nola@suse.com> Signed-off-by: Derek Nola <derek.nola@suse.com> 2 years ago			`sysctl -p /etc/sysctl.d/90-kubelet.conf`

			`mkdir -p /var/lib/rancher/k3s/server`
			`mkdir -m 700 /var/lib/rancher/k3s/server/logs`
			`echo "apiVersion: audit.k8s.io/v1`
			`kind: Policy`
			`rules:`
			`- level: Metadata" >> /var/lib/rancher/k3s/server/audit.yaml`

			`if [ "$1" = "psa" ]; then`
			`echo "apiVersion: apiserver.config.k8s.io/v1`
			`kind: AdmissionConfiguration`
			`plugins:`
			`- name: PodSecurity`
			`configuration:`
			`apiVersion: pod-security.admission.config.k8s.io/v1beta1`
			`kind: PodSecurityConfiguration`
			`defaults:`
			`enforce: \"restricted\"`
			`enforce-version: \"latest\"`
			`audit: \"restricted\"`
			`audit-version: \"latest\"`
			`warn: \"restricted\"`
			`warn-version: \"latest\"`
			`exemptions:`
			`usernames: []`
			`runtimeClasses: []`
			`namespaces: [kube-system, cis-operator-system]" >> /var/lib/rancher/k3s/server/psa.yaml`
			`fi`