github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Enhance E2E Hardened option (#10558)

Browse Source 
* Remove unnecessary hardened arguments

Signed-off-by: Derek Nola <derek.nola@suse.com>

* slim down hardened arguments

Signed-off-by: Derek Nola <derek.nola@suse.com>

---------

Signed-off-by: Derek Nola <derek.nola@suse.com>
pull/10338/head
Derek Nola 4 months ago committed by GitHub
parent d4c3422a85
commit ecff337e00
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 13 additions and 8 deletions
Show Stats Download Patch File Download Diff File

2
tests/docker/test-run-hardened
Unescape View File

@ -23,8 +23,6 @@ export SERVER_ARGS="--selinux=true \
--kube-apiserver-arg=audit-log-maxage=30 \ --kube-apiserver-arg=audit-log-maxage=30 \
--kube-apiserver-arg=audit-log-maxbackup=10 \ --kube-apiserver-arg=audit-log-maxbackup=10 \
--kube-apiserver-arg=audit-log-maxsize=100 \ --kube-apiserver-arg=audit-log-maxsize=100 \
--kube-apiserver-arg=request-timeout=300s \
--kube-apiserver-arg=service-account-lookup=true \
--kube-apiserver-arg=enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount \ --kube-apiserver-arg=enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount \
--kube-apiserver-arg=admission-control-config-file=/opt/rancher/k3s/cluster-level-pss.yaml \ --kube-apiserver-arg=admission-control-config-file=/opt/rancher/k3s/cluster-level-pss.yaml \
--kube-controller-manager-arg=terminated-pod-gc-threshold=10 \ --kube-controller-manager-arg=terminated-pod-gc-threshold=10 \

19
tests/e2e/vagrantdefaults.rb
Unescape View File

@ -55,29 +55,36 @@ def getHardenedArg(vm, hardened, scripts_location)
secrets-encryption: true secrets-encryption: true
kube-controller-manager-arg: kube-controller-manager-arg:
- 'terminated-pod-gc-threshold=10' - 'terminated-pod-gc-threshold=10'
- 'use-service-account-credentials=true'
kubelet-arg: kubelet-arg:
- 'streaming-connection-idle-timeout=5m' - 'streaming-connection-idle-timeout=5m'
- 'make-iptables-util-chains=true' - 'make-iptables-util-chains=true'
- 'event-qps=0' - 'event-qps=0'
- "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
kube-apiserver-arg: kube-apiserver-arg:
- 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log' - 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'
- 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml' - 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'
- 'audit-log-maxage=30' - 'audit-log-maxage=30'
- 'audit-log-maxbackup=10' - 'audit-log-maxbackup=10'
- 'audit-log-maxsize=100' - 'audit-log-maxsize=100'
- 'service-account-lookup=true'
HARD HARD
if hardened == "psp"
vm.provision "Set kernel parameters", type: "shell", path: scripts_location + "/harden.sh" if hardened == "psa" || hardened == "true"
hardened_arg += " - 'enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy'"
elsif hardened == "psa"
vm.provision "Set kernel parameters", type: "shell", path: scripts_location + "/harden.sh", args: [ "psa" ] vm.provision "Set kernel parameters", type: "shell", path: scripts_location + "/harden.sh", args: [ "psa" ]
hardened_arg += " - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'" hardened_arg += " - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'"
elsif hardened == "psp"
vm.provision "Set kernel parameters", type: "shell", path: scripts_location + "/harden.sh"
hardened_arg += " - 'enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy'"
else else
puts "Invalid E2E_HARDENED option" puts "Invalid E2E_HARDENED option"
exit 1 exit 1
end end
if vm.box.to_s.include?("generic/ubuntu")
vm.provision "Install kube-bench", type: "shell", inline: <<-SHELL
export KBV=0.8.0
curl -L "https://github.com/aquasecurity/kube-bench/releases/download/v${KBV}/kube-bench_${KBV}_linux_amd64.deb" -o "kube-bench_${KBV}_linux_amd64.deb"
dpkg -i "./kube-bench_${KBV}_linux_amd64.deb"
SHELL
end
return hardened_arg return hardened_arg
end end

Write Preview
Loading…
Cancel
Save