change default args to conform with cis hardening

canonical · Jun 13, 2024 · 32a9fe4 · 32a9fe4
1 parent f0a4e7d
commit 32a9fe4
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 5 deletions.
diff --git a/src/k8s/pkg/k8sd/setup/kube_apiserver.go b/src/k8s/pkg/k8sd/setup/kube_apiserver.go
@@ -80,6 +80,9 @@ func KubeAPIServer(snap snap.Snap, serviceCIDR string, authWebhookURL string, en
 		"--tls-cert-file":                            path.Join(snap.KubernetesPKIDir(), "apiserver.crt"),
 		"--tls-cipher-suites":                        strings.Join(apiserverTLSCipherSuites, ","),
 		"--tls-private-key-file":                     path.Join(snap.KubernetesPKIDir(), "apiserver.key"),
+		"--anonymous-auth":                           "false",
+		"--profiling":                                "false",
+		"--requests-timeout":                         "300s",
 	}
 
 	switch datastore.GetType() {

diff --git a/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go b/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go
@@ -68,6 +68,9 @@ func TestKubeAPIServer(t *testing.T) {
 			{key: "--requestheader-username-headers", expectedVal: "X-Remote-User"},
 			{key: "--proxy-client-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.crt")},
 			{key: "--proxy-client-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.key")},
+			{key: "--anonymous-auth", expectedVal: "false"},
+			{key: "--profiling", expectedVal: "false"},
+			{key: "--requests-timeout", expectedVal: "300s"},
 		}
 		for _, tc := range tests {
 			t.Run(tc.key, func(t *testing.T) {
@@ -116,6 +119,9 @@ func TestKubeAPIServer(t *testing.T) {
 			{key: "--tls-cipher-suites", expectedVal: apiserverTLSCipherSuites},
 			{key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver.key")},
 			{key: "--etcd-servers", expectedVal: fmt.Sprintf("unix://%s", path.Join(s.Mock.K8sDqliteStateDir, "k8s-dqlite.sock"))},
+			{key: "--anonymous-auth", expectedVal: "false"},
+			{key: "--profiling", expectedVal: "false"},
+			{key: "--requests-timeout", expectedVal: "300s"},
 		}
 		for _, tc := range tests {
 			t.Run(tc.key, func(t *testing.T) {

diff --git a/src/k8s/pkg/k8sd/setup/kube_controller_manager.go b/src/k8s/pkg/k8sd/setup/kube_controller_manager.go
@@ -21,6 +21,7 @@ func KubeControllerManager(snap snap.Snap) error {
 		"--root-ca-file":                     path.Join(snap.KubernetesPKIDir(), "ca.crt"),
 		"--service-account-private-key-file": path.Join(snap.KubernetesPKIDir(), "serviceaccount.key"),
 		"--use-service-account-credentials":  "true",
+		"--terminated-pod-gc-threshold":      "12500",
 	}
 	// enable cluster-signing if certificates are available
 	if _, err := os.Stat(path.Join(snap.KubernetesPKIDir(), "ca.key")); err == nil {

diff --git a/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go b/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go
@@ -49,6 +49,7 @@ func TestKubeControllerManager(t *testing.T) {
 			{key: "--use-service-account-credentials", expectedVal: "true"},
 			{key: "--cluster-signing-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 			{key: "--cluster-signing-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.key")},
+			{key: "--terminated-pod-gc-threshold", expectedVal: "12500"},
 		}
 		for _, tc := range tests {
 			t.Run(tc.key, func(t *testing.T) {
@@ -94,6 +95,7 @@ func TestKubeControllerManager(t *testing.T) {
 			{key: "--root-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 			{key: "--service-account-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")},
 			{key: "--use-service-account-credentials", expectedVal: "true"},
+			{key: "--terminated-pod-gc-threshold", expectedVal: "12500"},
 		}
 		for _, tc := range tests {
 			t.Run(tc.key, func(t *testing.T) {

diff --git a/src/k8s/pkg/k8sd/setup/kubelet.go b/src/k8s/pkg/k8sd/setup/kubelet.go
@@ -44,7 +44,8 @@ func kubelet(snap snap.Snap, hostname string, nodeIP net.IP, clusterDNS string,
 	args := map[string]string{
 		"--anonymous-auth":               "false",
 		"--authentication-token-webhook": "true",
-		"--cert-dir":                     snap.KubernetesPKIDir(),
+		"--tls-cert-file":                path.Join(snap.KubernetesPKIDir(), "kubelet.crt"),
+		"--tls-private-key":              path.Join(snap.KubernetesPKIDir(), "kubelet.key"),
 		"--client-ca-file":               path.Join(snap.KubernetesPKIDir(), "client-ca.crt"),
 		"--container-runtime-endpoint":   path.Join(snap.ContainerdSocketDir(), "containerd.sock"),
 		"--containerd":                   path.Join(snap.ContainerdSocketDir(), "containerd.sock"),

diff --git a/src/k8s/pkg/k8sd/setup/kubelet_test.go b/src/k8s/pkg/k8sd/setup/kubelet_test.go
@@ -55,7 +55,8 @@ func TestKubelet(t *testing.T) {
 		}{
 			{key: "--anonymous-auth", expectedVal: "false"},
 			{key: "--authentication-token-webhook", expectedVal: "true"},
-			{key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
+			{key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
+			{key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 			{key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 			{key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 			{key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
@@ -104,7 +105,8 @@ func TestKubelet(t *testing.T) {
 		}{
 			{key: "--anonymous-auth", expectedVal: "false"},
 			{key: "--authentication-token-webhook", expectedVal: "true"},
-			{key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
+			{key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
+			{key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 			{key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 			{key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 			{key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
@@ -150,7 +152,8 @@ func TestKubelet(t *testing.T) {
 		}{
 			{key: "--anonymous-auth", expectedVal: "false"},
 			{key: "--authentication-token-webhook", expectedVal: "true"},
-			{key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
+			{key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
+			{key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 			{key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 			{key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 			{key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
@@ -200,7 +203,8 @@ func TestKubelet(t *testing.T) {
 		}{
 			{key: "--anonymous-auth", expectedVal: "false"},
 			{key: "--authentication-token-webhook", expectedVal: "true"},
-			{key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
+			{key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
+			{key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 			{key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 			{key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 			{key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},