From 32a9fe423073a13d8897cf19e651eec9b0c67df3 Mon Sep 17 00:00:00 2001
From: Etienne Audet-Cobello
Date: Thu, 13 Jun 2024 08:51:19 -0400
Subject: [PATCH 1/2] change default args to conform with cis hardening
---
 src/k8s/pkg/k8sd/setup/kube_apiserver.go | 3 +++
 src/k8s/pkg/k8sd/setup/kube_apiserver_test.go | 6 ++++++
 src/k8s/pkg/k8sd/setup/kube_controller_manager.go | 1 +
 .../pkg/k8sd/setup/kube_controller_manager_test.go | 2 ++
 src/k8s/pkg/k8sd/setup/kubelet.go | 3 ++-
 src/k8s/pkg/k8sd/setup/kubelet_test.go | 12 ++++++++----
 6 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/src/k8s/pkg/k8sd/setup/kube_apiserver.go b/src/k8s/pkg/k8sd/setup/kube_apiserver.go
index 09d797f27..c6a881d8d 100644
--- a/src/k8s/pkg/k8sd/setup/kube_apiserver.go
+++ b/src/k8s/pkg/k8sd/setup/kube_apiserver.go
@@ -80,6 +80,9 @@ func KubeAPIServer(snap snap.Snap, serviceCIDR string, authWebhookURL string, en
 "--tls-cert-file": path.Join(snap.KubernetesPKIDir(), "apiserver.crt"),
 "--tls-cipher-suites": strings.Join(apiserverTLSCipherSuites, ","),
 "--tls-private-key-file": path.Join(snap.KubernetesPKIDir(), "apiserver.key"),
+ "--anonymous-auth": "false",
+ "--profiling": "false",
+ "--requests-timeout": "300s",
 }
 
 switch datastore.GetType() {
diff --git a/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go b/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go
index 6eede1f05..6129f0c29 100644
--- a/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go
+++ b/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go
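Review bot: The added key `"--requests-timeout": "300s"` does not match the kube-apiserver flag, which is `--request-timeout` (singular); as written the service would be launched with a flag the binary does not recognise, and I would expect it to refuse to start. Both kube_apiserver_test.go hunks and the second patch's reordering hunk carry the same spelling, so the unit test passes without catching it; rename the key in all of them to `"--request-timeout": "300s",`. Separately, `--anonymous-auth=false` on the API server also removes unauthenticated access to `/healthz`, `/livez` and `/readyz`, so any probe or load-balancer health check in this deployment that reaches those endpoints without a client certificate would need updating, which cannot be verified from this diff. A short comment naming the hardening control these three keys satisfy would help the next maintainer keep them. KubeAPIServer's body continues outside the hunk.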
@@ -68,6 +68,9 @@ func TestKubeAPIServer(t *testing.T) {
 {key: "--requestheader-username-headers", expectedVal: "X-Remote-User"},
 {key: "--proxy-client-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.crt")},
 {key: "--proxy-client-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.key")},
+ {key: "--anonymous-auth", expectedVal: "false"},
+ {key: "--profiling", expectedVal: "false"},
+ {key: "--requests-timeout", expectedVal: "300s"},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
@@ -116,6 +119,9 @@ func TestKubeAPIServer(t *testing.T) {
 {key: "--tls-cipher-suites", expectedVal: apiserverTLSCipherSuites},
 {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver.key")},
 {key: "--etcd-servers", expectedVal: fmt.Sprintf("unix://%s", path.Join(s.Mock.K8sDqliteStateDir, "k8s-dqlite.sock"))},
+ {key: "--anonymous-auth", expectedVal: "false"},
+ {key: "--profiling", expectedVal: "false"},
+ {key: "--requests-timeout", expectedVal: "300s"},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
diff --git a/src/k8s/pkg/k8sd/setup/kube_controller_manager.go b/src/k8s/pkg/k8sd/setup/kube_controller_manager.go
index a76bb6643..6d142ee3e 100644
--- a/src/k8s/pkg/k8sd/setup/kube_controller_manager.go
+++ b/src/k8s/pkg/k8sd/setup/kube_controller_manager.go
@@ -21,6 +21,7 @@ func KubeControllerManager(snap snap.Snap) error {
 "--root-ca-file": path.Join(snap.KubernetesPKIDir(), "ca.crt"),
 "--service-account-private-key-file": path.Join(snap.KubernetesPKIDir(), "serviceaccount.key"),
 "--use-service-account-credentials": "true",
+ "--terminated-pod-gc-threshold": "12500",
 }
 // enable cluster-signing if certificates are available
 if _, err := os.Stat(path.Join(snap.KubernetesPKIDir(), "ca.key")); err == nil {
diff --git a/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go b/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go
index b5c44f800..c226d8328 100644
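Review bot: `"--terminated-pod-gc-threshold": "12500"` in the kube_controller_manager.go hunk pins the value kube-controller-manager already uses by default, so the line changes nothing at runtime and a later reader may remove it as redundant; give it a comment such as `// set explicitly for the CIS hardening check; 12500 is the upstream default`. The commit says the defaults now conform to CIS hardening, yet this hunk adds no `--profiling=false` for the controller manager while the apiserver hunk does; if kube_controller_manager.go does not set it somewhere outside this hunk, `"--profiling": "false",` belongs here as well. The second patch sorts the apiserver map but leaves this key appended out of order, so it is worth moving it to its alphabetical position in the same pass. KubeControllerManager's body continues outside the hunk.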
--- a/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go
+++ b/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go
@@ -49,6 +49,7 @@ func TestKubeControllerManager(t *testing.T) {
 {key: "--use-service-account-credentials", expectedVal: "true"},
 {key: "--cluster-signing-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 {key: "--cluster-signing-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.key")},
+ {key: "--terminated-pod-gc-threshold", expectedVal: "12500"},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
@@ -94,6 +95,7 @@ func TestKubeControllerManager(t *testing.T) {
 {key: "--root-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 {key: "--service-account-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")},
 {key: "--use-service-account-credentials", expectedVal: "true"},
+ {key: "--terminated-pod-gc-threshold", expectedVal: "12500"},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
diff --git a/src/k8s/pkg/k8sd/setup/kubelet.go b/src/k8s/pkg/k8sd/setup/kubelet.go
index 7ad85fcdf..fe447dc02 100644
--- a/src/k8s/pkg/k8sd/setup/kubelet.go
+++ b/src/k8s/pkg/k8sd/setup/kubelet.go
@@ -44,7 +44,8 @@ func kubelet(snap snap.Snap, hostname string, nodeIP net.IP, clusterDNS string,
 args := map[string]string{
 "--anonymous-auth": "false",
 "--authentication-token-webhook": "true",
- "--cert-dir": snap.KubernetesPKIDir(),
+ "--tls-cert-file": path.Join(snap.KubernetesPKIDir(), "kubelet.crt"),
+ "--tls-private-key": path.Join(snap.KubernetesPKIDir(), "kubelet.key"),
 "--client-ca-file": path.Join(snap.KubernetesPKIDir(), "client-ca.crt"),
 "--container-runtime-endpoint": path.Join(snap.ContainerdSocketDir(), "containerd.sock"),
 "--containerd": path.Join(snap.ContainerdSocketDir(), "containerd.sock"),
diff --git a/src/k8s/pkg/k8sd/setup/kubelet_test.go b/src/k8s/pkg/k8sd/setup/kubelet_test.go
index 59d11e980..11bd6b65d 100644
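Review bot: `"--tls-private-key"` in the kubelet.go hunk is not a kubelet flag; the serving-key flag is `--tls-private-key-file`, so the kubelet would be started with an unknown flag, and the four kubelet_test.go hunks assert the same misspelling, so the tests will not catch it. Change it in all of them to `"--tls-private-key-file": path.Join(snap.KubernetesPKIDir(), "kubelet.key"),`. Replacing `--cert-dir` with explicit files also means the kubelet is expected to read those files rather than generate its own serving certificate; nothing in this diff shows the PKI setup writing kubelet.crt and kubelet.key under KubernetesPKIDir, so confirm that it does for every node role, otherwise the kubelet will fail at startup. kubelet's body continues outside the hunk.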
--- a/src/k8s/pkg/k8sd/setup/kubelet_test.go
+++ b/src/k8s/pkg/k8sd/setup/kubelet_test.go
@@ -55,7 +55,8 @@ func TestKubelet(t *testing.T) {
 }{
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
+ {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
@@ -104,7 +105,8 @@ func TestKubelet(t *testing.T) {
 }{
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
+ {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
@@ -150,7 +152,8 @@ func TestKubelet(t *testing.T) {
 }{
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
+ {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
@@ -200,7 +203,8 @@ func TestKubelet(t *testing.T) {
 }{
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
+ {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
From 4637cd7f3005d9da3c87e4e324b757ba790fb095 Mon Sep 17 00:00:00 2001
From: Etienne Audet-Cobello
Date: Thu, 13 Jun 2024 08:55:39 -0400
Subject: [PATCH 2/2] sort
---
 src/k8s/pkg/k8sd/setup/kube_apiserver.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/k8s/pkg/k8sd/setup/kube_apiserver.go b/src/k8s/pkg/k8sd/setup/kube_apiserver.go
index c6a881d8d..6de30ebea 100644
--- a/src/k8s/pkg/k8sd/setup/kube_apiserver.go
+++ b/src/k8s/pkg/k8sd/setup/kube_apiserver.go
@@ -64,6 +64,7 @@ func KubeAPIServer(snap snap.Snap, serviceCIDR string, authWebhookURL string, en
 
 args := map[string]string{
 "--allow-privileged": "true",
+ "--anonymous-auth": "false",
 "--authentication-token-webhook-config-file": authTokenWebhookConfigFile,
 "--authorization-mode": authorizationMode,
 "--client-ca-file": path.Join(snap.KubernetesPKIDir(), "client-ca.crt"),
@@ -72,6 +73,8 @@ func KubeAPIServer(snap snap.Snap, serviceCIDR string, authWebhookURL string, en
 "--kubelet-client-certificate": path.Join(snap.KubernetesPKIDir(), "apiserver-kubelet-client.crt"),
 "--kubelet-client-key": path.Join(snap.KubernetesPKIDir(), "apiserver-kubelet-client.key"),
 "--kubelet-preferred-address-types": "InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP",
+ "--profiling": "false",
+ "--requests-timeout": "300s",
 "--secure-port": "6443",
 "--service-account-issuer": "https://kubernetes.default.svc",
 "--service-account-key-file": path.Join(snap.KubernetesPKIDir(), "serviceaccount.key"),
@@ -80,9 +83,6 @@ func KubeAPIServer(snap snap.Snap, serviceCIDR string, authWebhookURL string, en
 "--tls-cert-file": path.Join(snap.KubernetesPKIDir(), "apiserver.crt"),
 "--tls-cipher-suites": strings.Join(apiserverTLSCipherSuites, ","),
 "--tls-private-key-file": path.Join(snap.KubernetesPKIDir(), "apiserver.key"),
- "--anonymous-auth": "false",
- "--profiling": "false",
- "--requests-timeout": "300s",
 }
 
 switch datastore.GetType() {