
Improve security of default and example configurations

* Enabled the NodeRestriction Admission Controller.
* Configured the default terminated-pod-gc-threshold in the
  controller-manager.
* Disabled repair-malformed-updates.
* Disabled anonymous-auth in the Kubelet.
* Further restrict permissions for contents of /etc/kubernetes and
  /var/lib/etcd.

Change-Id: I112652a5aa7bde054de253234f65755d90ab65ad
Mark Burnett 7 months ago
parent
commit
d7c7a47c61

+ 1
- 0
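--- a/charts/controller_manager/values.yaml
+++ b/charts/controller_manager/values.yaml
@@ -54,6 +54,7 @@ command_prefix:
   - --node-monitor-grace-period=20s
   - --pod-eviction-timeout=60s
   - --service-cluster-ip-range=10.96.0.0/16
+  - --terminated-pod-gc-threshold=1000
 
 secrets:
   tls: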
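Review bot: The new `--terminated-pod-gc-threshold=1000` entry carries no comment explaining what it tunes or why 1000 was chosen, and this values.yaml is the deployer-facing interface of the chart, so the next person editing command_prefix has to look the flag up. A line above it such as `# Number of terminated pods kept before the controller-manager starts garbage-collecting them; raise for very large clusters` would do. The command_prefix list starts before the hunk.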

+ 3
- 1
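--- a/examples/basic/Genesis.yaml
+++ b/examples/basic/Genesis.yaml
@@ -14,9 +14,11 @@ data:
     command_prefix:
       - /apiserver
       - --authorization-mode=Node,RBAC
-      - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
+      - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
       - --service-cluster-ip-range=10.96.0.0/16
       - --endpoint-reconciler-type=lease
+      # NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
+      - --repair-malformed-updates=false
   armada:
     target_manifest: cluster-bootstrap
   labels: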
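Review bot: The NOTE on `--repair-malformed-updates=false` records that the flag disappears in Kubernetes 1.11 but not the consequence: kube-apiserver refuses to start on an unknown flag, so bumping the apiserver image past 1.10 would leave this example unable to boot until the line is deleted. Extend the comment to say so, e.g. `# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11; drop this line when the apiserver image is upgraded`. The same hunk in examples/basic/armada-resources.yaml has the same gap, and the two apiserver command_prefix lists are evidently maintained by hand in parallel, so whichever comment is chosen should go in both. NodeRestriction relies on the Node authorizer, which the unchanged `--authorization-mode=Node,RBAC` line above already supplies, so that part is consistent.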

+ 2
- 1
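--- a/examples/basic/Kubelet.yaml
+++ b/examples/basic/Kubelet.yaml
@@ -15,7 +15,8 @@ data:
     - --network-plugin=cni
     - --node-status-update-frequency=5s
     - --serialize-image-pulls=false
-    - --v=5
+    - --anonymous-auth=false
+    - --v=3
   images:
     pause: gcr.io/google_containers/pause-amd64:3.0
 ...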
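Review bot: `--anonymous-auth=false` only governs authentication to the kubelet API; the kubelet's authorization mode defaults to AlwaysAllow, so any caller presenting a credential the kubelet accepts still gets full access, and the hunk does not show whether `--client-ca-file` or `--authorization-mode=Webhook` is set elsewhere in command_prefix (the list starts before the hunk). If they are not, consider adding `- --authorization-mode=Webhook` next to the new flag so the apiserver decides kubelet access via SubjectAccessReview, and confirm the apiserver is configured with a client certificate the kubelet trusts so logs/exec/metrics keep working once anonymous requests are refused. The `--v=5` to `--v=3` change is not mentioned in the commit description and is unrelated to the security intent; a short comment or a separate commit would keep it traceable.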

+ 3
- 1
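--- a/examples/basic/armada-resources.yaml
+++ b/examples/basic/armada-resources.yaml
@@ -743,9 +743,11 @@ data:
     command_prefix:
       - /apiserver
       - --authorization-mode=Node,RBAC
-      - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
+      - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
       - --service-cluster-ip-range=10.96.0.0/16
       - --endpoint-reconciler-type=lease
+      # NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
+      - --repair-malformed-updates=false
   apiserver:
     etcd:
       endpoints: https://127.0.0.1:2378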

+ 13
- 2
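--- a/promenade/templates/include/up.sh
+++ b/promenade/templates/include/up.sh
@@ -2,8 +2,15 @@
 #
 resolvconf --disable-updates
 
-mkdir -p /etc/kubernetes
-chmod 700 /etc/kubernetes
+CURATED_DIRS=(
+    /etc/kubernetes
+    /var/lib/etcd
+)
+
+for DIR in "${CURATED_DIRS[@]}"; do
+    mkdir -p "${DIR}"
+    chmod 700 "${DIR}"
+done
 
 # Unpack prepared files into place
 #
@@ -15,6 +22,10 @@ echo "{{ encrypted_tarball | b64enc }}" | base64 -d | {{ decrypt_command }} | ta
 {{ decrypt_teardown_command }}
 set -x
 
+for DIR in "${CURATED_DIRS[@]}"; do
+    chmod go-rwx "${DIR}"
+done
+
 # Adding apt repositories
 #
 set +x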
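Review bot: The second loop (`chmod go-rwx "${DIR}"`) only re-clamps the two top-level directories; the files and subdirectories that the tar on the cut-off line just extracted into them keep whatever modes the archive carried, so the "contents of /etc/kubernetes and /var/lib/etcd" named in the commit description are not actually restricted unless the tar invocation itself does it. Making it recursive, `chmod -R go-rwx "${DIR}"`, would match the stated intent; if some file under those paths must remain readable by a non-root service, that exception should be spelled out in a comment next to the loop. The reason for a second pass at all — extraction as root can restore the directory mode recorded in the archive, undoing the earlier `chmod 700` — is not obvious from the script; a one-line comment above the loop such as `# tar may have restored archive modes on these directories; clamp them again` would save the next reader the question. The script starts before the first hunk.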
