diff --git a/global/profiles/genesis.yaml b/global/profiles/genesis.yaml
index e16b0758a..4d194d6d1 100644
--- a/global/profiles/genesis.yaml
+++ b/global/profiles/genesis.yaml
@@ -68,26 +68,37 @@ metadata:
 name: common-addresses
 path: .kubernetes.service_cidr
 dest:
- path: .apiserver.command_prefix[1]
+ path: .apiserver.arguments[2]
 pattern: SERVICE_CIDR
 - src:
 schema: pegleg/CommonAddresses/v1
 name: common-addresses
 path: .kubernetes.service_node_port_range
 dest:
- path: .apiserver.command_prefix[2]
+ path: .apiserver.arguments[3]
 pattern: SERVICE_NODE_PORT_RANGE
+ # Set etcd encryption policy
+ - src:
+ schema: promenade/EncryptionPolicy/v1
+ name: encryption-policy
+ path: .etcd
+ dest:
+ path: .apiserver.encryption
+
 data:
 apiserver:
- command_prefix:
- - /apiserver
+ arguments:
+ - --authorization-mode=Node,RBAC
+ - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit
 - --service-cluster-ip-range=SERVICE_CIDR
 - --service-node-port-range=SERVICE_NODE_PORT_RANGE
- - --authorization-mode=Node,RBAC
- - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
 - --endpoint-reconciler-type=lease
 - --feature-gates=PodShareProcessNamespace=true
+ - --v=3
+ - --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
+ - --experimental-encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml
+ - --requestheader-allowed-names='aggregator'
 armada:
 target_manifest: cluster-bootstrap
 labels:
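Review bot: `--requestheader-allowed-names='aggregator'` is a plain YAML scalar, so the single quotes are part of the value handed to kube-apiserver and the allowed CN becomes `'aggregator'` (quotes included) rather than `aggregator`; unless the template that renders `arguments` strips them, the front-proxy client certificate will not be accepted for aggregated API calls. Write it as `- --requestheader-allowed-names=aggregator`. The genesis plugin list also omits PodSecurityPolicy while the apiserver chart in this same change enables it; if that is deliberate for bootstrap, a comment such as `# PodSecurityPolicy is enabled later by the apiserver chart, once policies exist` would keep the two lists from being "harmonised" by mistake.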
@@ -118,3 +129,20 @@ data:
 - path: /var/lib/anchor/calico-etcd-bootstrap
 content: "# placeholder for triggering calico etcd bootstrapping\n# this file will be deleted"
 mode: 0644
+ - path: /etc/genesis/apiserver/acconfig.yaml
+ mode: 0444
+ content: |
+ kind: AdmissionConfiguration
+ apiVersion: apiserver.k8s.io/v1alpha1
+ plugins:
+ - name: EventRateLimit
+ path: eventconfig.yaml
+ - path: /etc/genesis/apiserver/eventconfig.yaml
+ mode: 0444
+ content: |
+ kind: Configuration
+ apiVersion: eventratelimit.admission.k8s.io/v1alpha1
+ limits:
+ - type: Server
+ qps: 1000
+ burst: 10000
diff --git a/global/schemas/promenade/EncryptionPolicy/v1.yaml b/global/schemas/promenade/EncryptionPolicy/v1.yaml
new file mode 100644
index 000000000..03569ab37
--- /dev/null
+++ b/global/schemas/promenade/EncryptionPolicy/v1.yaml
@@ -0,0 +1,50 @@
+---
+schema: deckhand/DataSchema/v1
+metadata:
+ schema: metadata/Control/v1
+ name: promenade/EncryptionPolicy/v1
+ labels:
+ application: promenade
+data:
+ $schema: http://json-schema.org/schema#
+
+ definitions:
+ script_encryption:
+ oneof:
+ - { $ref: '#/definitions/encryption_method_gpg' }
+
+ etcd_encryption:
+ type: array
+ items:
+ type: object
+ additionalProperties: false
+ properties:
+ resources:
+ type: array
+ items:
+ type: string
+ providers:
+ type: array
+ items:
+ type: object
+ additionalProperties: true
+ encryption_method_gpg:
+ properties:
+ gpg:
+ type: object
+ additionalProperties: false
+ required:
+ - gpg
+ additionalProperties: false
+
+ properties:
+ etcd:
+ $ref: '#/definitions/etcd_encryption'
+ scripts:
+ properties:
+ genesis:
+ $ref: '#/definitions/script_encryption'
+ join:
+ $ref: '#/definitions/script_encryption'
+ additionalProperties: false
+...
diff --git a/global/schemas/promenade/Genesis/v1.yaml b/global/schemas/promenade/Genesis/v1.yaml
index 936ff6a68..ac02401d4 100644
--- a/global/schemas/promenade/Genesis/v1.yaml
+++ b/global/schemas/promenade/Genesis/v1.yaml
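Review bot: The admission config files are written to `/etc/genesis/apiserver/acconfig.yaml` and `/etc/genesis/apiserver/eventconfig.yaml`, while the arguments added in the previous hunk point the apiserver at `/etc/kubernetes/apiserver/acconfig.yaml`; if the genesis pod spec does not mount the former onto the latter, the apiserver fails to start (or EventRateLimit is silently not loaded), and nothing in the hunk shows that mount. A comment on the first new `- path:` entry naming the mount that bridges the two paths would make the dependency visible. The `Server` limit here (`qps: 1000`, `burst: 10000`) is also ten times the chart's `qps: 100`, `burst: 1000` in apiserver.yaml; if bootstrap needs the headroom, say so with `# bootstrap emits event bursts; the apiserver chart lowers these limits`.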
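Review bot: `oneof:` under `script_encryption` is not a JSON Schema keyword — the keyword is the case-sensitive `oneOf` — so validators ignore it and `scripts.genesis` / `scripts.join` accept any value without the `gpg` requirement ever being checked; change the line to `oneOf:`. Separately, the `providers` items are declared `additionalProperties: true`, so a typo in a provider key passes schema validation and only surfaces when the apiserver parses the rendered EncryptionConfig; if the provider set is intentionally left open, a comment such as `# provider bodies are validated by the apiserver, not here` would document that choice.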
@@ -67,10 +67,24 @@ data:
 apiserver:
 type: object
 properties:
- command_prefix:
+ arguments:
 type: array
 items:
 type: string
+ encryption:
+ type: array
+ items:
+ type: object
+ properties:
+ resources:
+ type: array
+ items:
+ type: string
+ providers:
+ type: array
+ items:
+ type: object
+ additionalProperties: true
 additionalProperties: false
 files:
diff --git a/global/software/charts/kubernetes/core/apiserver.yaml b/global/software/charts/kubernetes/core/apiserver.yaml
index b74b20762..0e8d63a03 100644
--- a/global/software/charts/kubernetes/core/apiserver.yaml
+++ b/global/software/charts/kubernetes/core/apiserver.yaml
@@ -44,7 +44,7 @@ metadata:
 name: common-addresses
 path: .kubernetes.service_cidr
 dest:
- path: .values.command_prefix[1]
+ path: .values.apiserver.arguments[1]
 pattern: SERVICE_CIDR
 # Kubernetes Port Range
@@ -53,7 +53,7 @@ metadata:
 name: common-addresses
 path: .kubernetes.service_node_port_range
 dest:
- path: .values.command_prefix[2]
+ path: .values.apiserver.arguments[2]
 pattern: SERVICE_NODE_PORT_RANGE
 # CA
@@ -102,6 +102,14 @@ metadata:
 dest:
 path: .values.secrets.service_account.public_key
+ # Encryption policy
+ - src:
+ schema: promenade/EncryptionPolicy/v1
+ name: encryption-policy
+ path: .etcd
+ dest:
+ path: .values.conf.encryption_provider.content.resources
+
 data:
 chart_name: apiserver
 release: kubernetes-apiserver
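Review bot: The `encryption` item object added here has no `additionalProperties: false`, unlike the matching `etcd_encryption` items in the new EncryptionPolicy schema, so a Genesis document accepts keys the policy schema rejects and the two definitions can drift apart; add `additionalProperties: false` beside `properties:` on the item object so a misspelt `resources`/`providers` key is caught at validation rather than at apiserver start. The enclosing `data.apiserver` object continues outside the hunk.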
@@ -128,14 +136,41 @@ data:
 # https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
 # Possible values: VersionTLS10, VersionTLS11, VersionTLS12
 tls-min-version: 'VersionTLS12'
- command_prefix:
- - /apiserver
- - --service-cluster-ip-range=SERVICE_CIDR
- - --service-node-port-range=SERVICE_NODE_PORT_RANGE
- - --authorization-mode=Node,RBAC
- - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
- - --endpoint-reconciler-type=lease
- - --feature-gates=PodShareProcessNamespace=true
+ arguments:
+ - --authorization-mode=Node,RBAC
+ - --service-cluster-ip-range=SERVICE_CIDR
+ - --service-node-port-range=SERVICE_NODE_PORT_RANGE
+ - --endpoint-reconciler-type=lease
+ - --feature-gates=PodShareProcessNamespace=true
+ - --v=3
+ conf:
+ encryption_provider:
+ file: encryption_provider.yaml
+ command_options:
+ - '--experimental-encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml'
+ content:
+ kind: EncryptionConfig
+ apiVersion: v1
+ eventconfig:
+ file: eventconfig.yaml
+ content:
+ kind: Configuration
+ apiVersion: eventratelimit.admission.k8s.io/v1alpha1
+ limits:
+ - type: Server
+ qps: 100
+ burst: 1000
+ acconfig:
+ file: acconfig.yaml
+ command_options:
+ - '--enable-admission-plugins=PodSecurityPolicy,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit'
+ - '--admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml'
+ content:
+ kind: AdmissionConfiguration
+ apiVersion: apiserver.k8s.io/v1alpha1
+ plugins:
+ - name: EventRateLimit
+ path: eventconfig.yaml
 dependencies:
 - kubernetes-apiserver-htk
 ---
diff --git a/global/software/config/encryption.yaml b/global/software/config/encryption.yaml
new file mode 100644
index 000000000..5ed0db054
--- /dev/null
+++ b/global/software/config/encryption.yaml
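Review bot: `--enable-admission-plugins=PodSecurityPolicy,...` is introduced inside `conf.acconfig.command_options`, where a reader looking for admission settings under `arguments` will not find it; enabling the PodSecurityPolicy admission plugin denies every pod that no policy grants, so the PSP objects and RBAC bindings must exist before this chart rolls, and nothing in the hunk shows them. A comment at that `command_options:` line such as `# PodSecurityPolicy requires the PSP documents and bindings to be applied before this chart` would make the ordering dependency visible. The EventRateLimit values here (`qps: 100`, `burst: 1000`) also differ from genesis.yaml's `1000`/`10000`; if intentional, a one-line comment on `limits:` saying so would help.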
@@ -0,0 +1,27 @@
+---
+schema: promenade/EncryptionPolicy/v1
+metadata:
+ schema: metadata/Document/v1
+ name: encryption-policy
+ layeringDefinition:
+ abstract: false
+ layer: global
+ storagePolicy: cleartext
+ substitutions:
+ - src:
+ schema: deckhand/Passphrase/v1
+ name: apiserver-encryption-key-key1
+ path: .
+ dest:
+ path: .etcd[0].providers[0].secretbox.keys[0].secret
+data:
+ etcd:
+ - resources:
+ - 'secrets'
+ providers:
+ - secretbox:
+ keys:
+ - name: key1
+ secret: null
+ - identity: {}
+...
diff --git a/global/software/config/versions.yaml b/global/software/config/versions.yaml
index cab68adef..02f6bf01e 100644
--- a/global/software/config/versions.yaml
+++ b/global/software/config/versions.yaml
@@ -4,7 +4,7 @@ data:
 kubernetes:
 apiserver:
 location: https://opendev.org/airship/promenade
- reference: 44b5fae04788c6a28de0f9a2e132204561474d47
+ reference: 32a6c15ffd6c283375bfd1cc9ae82f9232a9b501
 subpath: charts/apiserver
 type: git
 apiserver-htk:
@@ -560,6 +560,7 @@ data:
 apiserver:
 anchor: gcr.io/google-containers/hyperkube-amd64:v1.11.6
 apiserver: gcr.io/google-containers/hyperkube-amd64:v1.11.6
+ key_rotate: gcr.io/google-containers/hyperkube-amd64:v1.11.6
 controller-manager:
 anchor: gcr.io/google-containers/hyperkube-amd64:v1.11.6
 controller_manager: gcr.io/google-containers/hyperkube-amd64:v1.11.6
diff --git a/site/aiab/secrets/passphrases/apiserver-encryption-key-key1.yaml b/site/aiab/secrets/passphrases/apiserver-encryption-key-key1.yaml
new file mode 100644
index 000000000..effb0f28e
--- /dev/null
+++ b/site/aiab/secrets/passphrases/apiserver-encryption-key-key1.yaml
@@ -0,0 +1,12 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: apiserver-encryption-key-key1
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+# head -c 32 /dev/urandom | base64
+data: /Y8HgBo/rZywuyF3yE3c1mi4bOWanR6FeC+7f6fS8IE=
+...
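Review bot: The order of `providers` is significant and the document does not say so: the first provider (`secretbox` with `key1`) encrypts new writes, and `identity: {}` last only lets existing plaintext entries be read, so rotating keys means inserting the new key before `key1`, and removing `identity` after all secrets have been rewritten is what finally stops plaintext from being accepted. A comment above `providers:` such as `# order matters: first provider encrypts writes; identity last only reads legacy plaintext` would prevent an accidental reorder from silently writing secrets unencrypted. The policy document itself is `storagePolicy: cleartext` although the substituted `secret` is a key; it may be worth confirming how Deckhand renders a Passphrase into a cleartext destination before relying on that combination.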
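Review bot: The etcd encryption key is committed in cleartext (`storagePolicy: cleartext` with the key in `data:`), and the same pattern is repeated for airskiff, airsloop and seaworthy in the following diff sections; anyone with read access to this repository can decrypt the `secrets` resources of a cluster deployed from these manifests unchanged, which removes most of the value of encryption at rest. For reference sites this may be an accepted trade-off, but the comment should say so and tell derived sites what to do, e.g. `# reference key only: regenerate per site (head -c 32 /dev/urandom | base64) and store with storagePolicy: encrypted`.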
diff --git a/site/airskiff/secrets/passphrases/apiserver-encryption-key-key1.yaml b/site/airskiff/secrets/passphrases/apiserver-encryption-key-key1.yaml
new file mode 100644
index 000000000..f0529476f
--- /dev/null
+++ b/site/airskiff/secrets/passphrases/apiserver-encryption-key-key1.yaml
@@ -0,0 +1,12 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: apiserver-encryption-key-key1
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+# head -c 32 /dev/urandom | base64
+data: AH/KZrduGOc8NRs5Dkp1maqaOrVY+HZ9pAD/fCweMqw=
+...
diff --git a/site/airsloop/secrets/passphrases/apiserver-encryption-key-key1.yaml b/site/airsloop/secrets/passphrases/apiserver-encryption-key-key1.yaml
new file mode 100644
index 000000000..5346c0d09
--- /dev/null
+++ b/site/airsloop/secrets/passphrases/apiserver-encryption-key-key1.yaml
@@ -0,0 +1,12 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: apiserver-encryption-key-key1
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+# head -c 32 /dev/urandom | base64
+data: bL2mHd9Sf5hQvZPuDncZRugYYqYyR3cGcZKVJ9wjswg=
+...
diff --git a/site/seaworthy/secrets/passphrases/apiserver-encryption-key-key1.yaml b/site/seaworthy/secrets/passphrases/apiserver-encryption-key-key1.yaml
new file mode 100644
index 000000000..e21876e35
--- /dev/null
+++ b/site/seaworthy/secrets/passphrases/apiserver-encryption-key-key1.yaml
@@ -0,0 +1,13 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: apiserver-encryption-key-key1
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+# https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
+# use head -c 32 /dev/urandom | base64
+data: n9VBwseT/JjV7r9vbUR/MvCobe01Bdh9XtWgsNF5zLY=
+...