From 97b4d79ed565c033abd1fe91e7304eddbd6d9f39 Mon Sep 17 00:00:00 2001
From: Alessio Greggi <ale_grey_91@hotmail.it>
Date: Fri, 17 Jun 2022 10:34:32 +0200
Subject: [PATCH] feat: make kubernetes owner parametrized (#8952)

* feat: make kubernetes owner parametrized

* docs: update hardening guide with configuration for CIS 1.1.19

* fix: set etcd data directory permissions to be compliant with CIS 1.1.12
---
 docs/hardening.md                                         | 4 ++++
 inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml   | 3 +++
 roles/adduser/defaults/main.yml                           | 1 +
 roles/adduser/tasks/main.yml                              | 1 +
 .../cri-dockerd/molecule/default/prepare.yml              | 2 +-
 .../kata-containers/molecule/default/prepare.yml          | 2 +-
 roles/download/defaults/main.yml                          | 2 +-
 roles/etcd/defaults/main.yml                              | 3 +++
 roles/etcd/tasks/gen_certs_script.yml                     | 8 ++++----
 roles/kubernetes/control-plane/defaults/main/etcd.yml     | 3 +++
 roles/kubernetes/control-plane/tasks/kubeadm-etcd.yml     | 7 +++++++
 roles/kubernetes/preinstall/defaults/main.yml             | 1 +
 .../preinstall/tasks/0050-create_directories.yml          | 4 ++--
 roles/kubespray-defaults/defaults/main.yaml               | 3 +++
 roles/network_plugin/canal/tasks/main.yml                 | 2 +-
 roles/network_plugin/cni/tasks/main.yml                   | 2 +-
 roles/network_plugin/kube-router/tasks/main.yml           | 6 +++---
 17 files changed, 40 insertions(+), 14 deletions(-)

diff --git a/docs/hardening.md b/docs/hardening.md
index 7dd42e0ef..180979ed6 100644
--- a/docs/hardening.md
+++ b/docs/hardening.md
@@ -84,6 +84,10 @@ kubelet_rotate_certificates: true
 kubelet_streaming_connection_idle_timeout: "5m"
 kubelet_make_iptables_util_chains: true
 kubelet_feature_gates: ["RotateKubeletServerCertificate=true"]
+
+# additional configurations
+kube_owner: root
+kube_cert_group: root
 ```
 
 Let's take a deep look to the resultant **kubernetes** configuration:
diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
index d31139479..fe41e916a 100644
--- a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
@@ -25,6 +25,9 @@ local_release_dir: "/tmp/releases"
 # Random shifts for retrying failed ops like pushing/downloading
 retry_stagger: 5
 
+# This is the user that owns tha cluster installation.
+kube_owner: kube
+
 # This is the group that the cert creation scripts chgrp the
 # cert files to. Not really changeable...
 kube_cert_group: kube-cert
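Review bot: The added comment has a typo, `tha` for `the`; it should read `# This is the user that owns the cluster installation.` The identical comment, with the same typo, is added in the roles/kubespray-defaults/defaults/main.yaml hunk. Since the sample inventory is what operators copy, it is also worth stating here that `root` is an accepted value and that, per the adduser change in this commit, it skips creating the `kube` user, e.g. `# Set to root to skip creating a dedicated user (see docs/hardening.md).`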
diff --git a/roles/adduser/defaults/main.yml b/roles/adduser/defaults/main.yml
index c7f683710..3c692343a 100644
--- a/roles/adduser/defaults/main.yml
+++ b/roles/adduser/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
+kube_owner: kube
 kube_cert_group: kube-cert
 etcd_data_dir: "/var/lib/etcd"
 
diff --git a/roles/adduser/tasks/main.yml b/roles/adduser/tasks/main.yml
index 774eb412b..a36467977 100644
--- a/roles/adduser/tasks/main.yml
+++ b/roles/adduser/tasks/main.yml
@@ -13,3 +13,4 @@
     shell: "{{ user.shell|default(omit) }}"
     name: "{{ user.name }}"
     system: "{{ user.system|default(omit) }}"
+  when: kube_owner != "root"
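Review bot: The new guard keys on the global `kube_owner` rather than on the user this task is creating (`user.name` on the line above), so with `kube_owner: root` the whole user-creation task is skipped for every invocation of the role, not only for the `kube` user. If the role is also used to create the `etcd` user (inferred; the task header and the loop feeding `user` are outside the hunk), the new `Set ownership for etcd data directory` task in kubeadm-etcd.yml would then fail to resolve `etcd_owner` as a user. A narrower condition that names the user being skipped, for example `when: not (kube_owner == "root" and user.name == "kube")`, keeps unrelated users unaffected; confirm against the callers before changing it.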
diff --git a/roles/container-engine/cri-dockerd/molecule/default/prepare.yml b/roles/container-engine/cri-dockerd/molecule/default/prepare.yml
index 77e48b083..c54feaca2 100644
--- a/roles/container-engine/cri-dockerd/molecule/default/prepare.yml
+++ b/roles/container-engine/cri-dockerd/molecule/default/prepare.yml
@@ -35,7 +35,7 @@
       file:
         path: /etc/cni/net.d
         state: directory
-        owner: kube
+        owner: "{{ kube_owner }}"
         mode: 0755
     - name: Setup CNI
       copy:
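Review bot: `kube_owner` is referenced here but nothing in the hunk defines it; unless this prepare playbook loads the kubespray-defaults role or sets the variable under `vars` (the play header is outside the hunk, so this is inferred), the molecule prepare step now fails on an undefined variable. The kata-containers molecule prepare.yml hunk has the same dependency. For test scaffolding a local fallback keeps the scenario self-contained: `owner: "{{ kube_owner | default('kube') }}"`.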
diff --git a/roles/container-engine/kata-containers/molecule/default/prepare.yml b/roles/container-engine/kata-containers/molecule/default/prepare.yml
index 9299a7e2d..8a0978f56 100644
--- a/roles/container-engine/kata-containers/molecule/default/prepare.yml
+++ b/roles/container-engine/kata-containers/molecule/default/prepare.yml
@@ -36,7 +36,7 @@
       file:
         path: /etc/cni/net.d
         state: directory
-        owner: kube
+        owner: "{{ kube_owner }}"
         mode: 0755
     - name: Setup CNI
       copy:
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index 039fccea1..cac0d3697 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -1614,5 +1614,5 @@ download_defaults:
   version: None
   url: None
   unarchive: false
-  owner: kube
+  owner: "{{ kube_owner }}"
   mode: None
diff --git a/roles/etcd/defaults/main.yml b/roles/etcd/defaults/main.yml
index 32971bc71..79ed16493 100644
--- a/roles/etcd/defaults/main.yml
+++ b/roles/etcd/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+# Set etcd user
+etcd_owner: etcd
+
 # Set to false to only do certificate management
 etcd_cluster_setup: true
 etcd_events_cluster_setup: false
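Review bot: `etcd_owner: etcd` is now declared both here and in roles/kubernetes/control-plane/defaults/main/etcd.yml, and `kube_owner: kube` is repeated in roles/adduser/defaults, roles/kubernetes/preinstall/defaults, roles/kubespray-defaults/defaults and the inventory sample; duplicated role defaults drift silently when one copy is later changed. The two `etcd_owner` comments also disagree (`# Set etcd user` here versus `# Set etcd user/group` in the control-plane copy), while kubeadm-etcd.yml uses the value for both `owner` and `group`. Suggest aligning the comment to what the variable is used for, `# Set etcd user and group (used for owner and group of the etcd data directory)`, and adding `# Keep in sync with roles/kubernetes/control-plane/defaults/main/etcd.yml` to each copy.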
diff --git a/roles/etcd/tasks/gen_certs_script.yml b/roles/etcd/tasks/gen_certs_script.yml
index 680df69db..cf5580bb8 100644
--- a/roles/etcd/tasks/gen_certs_script.yml
+++ b/roles/etcd/tasks/gen_certs_script.yml
@@ -4,7 +4,7 @@
     path: "{{ etcd_cert_dir }}"
     group: "{{ etcd_cert_group }}"
     state: directory
-    owner: kube
+    owner: "{{ etcd_owner }}"
     mode: "{{ etcd_cert_dir_mode }}"
     recurse: yes
 
@@ -81,7 +81,7 @@
     dest: "{{ item.item }}"
     content: "{{ item.content | b64decode }}"
     group: "{{ etcd_cert_group }}"
-    owner: kube
+    owner: "{{ etcd_owner }}"
     mode: 0640
   with_items: "{{ etcd_master_certs.results }}"
   when:
@@ -111,7 +111,7 @@
     dest: "{{ item.item }}"
     content: "{{ item.content | b64decode }}"
     group: "{{ etcd_cert_group }}"
-    owner: kube
+    owner: "{{ etcd_owner }}"
     mode: 0640
   with_items: "{{ etcd_master_node_certs.results }}"
   when:
@@ -165,6 +165,6 @@
     path: "{{ etcd_cert_dir }}"
     group: "{{ etcd_cert_group }}"
     state: directory
-    owner: kube
+    owner: "{{ etcd_owner }}"
     mode: "{{ etcd_cert_dir_mode }}"
     recurse: yes
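Review bot: With `etcd_owner` defaulting to `etcd`, this substitution changes the effective owner of `{{ etcd_cert_dir }}` and of the generated cert files from `kube` to `etcd` on every cluster that does not set the variable, which is a behaviour change on upgrade rather than a pure parametrization as the commit title suggests. The same default change applies in the hunks at `@@ -4`, `@@ -81` and `@@ -111` of this file. The commit message or docs/hardening.md should state this and note that `etcd_owner: kube` restores the previous ownership; whether the kube-apiserver and etcd processes still read these 0640 files under the new owner depends on `etcd_cert_group`, which is outside the hunk and should be confirmed.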
diff --git a/roles/kubernetes/control-plane/defaults/main/etcd.yml b/roles/kubernetes/control-plane/defaults/main/etcd.yml
index 60e934bc2..344ce9b35 100644
--- a/roles/kubernetes/control-plane/defaults/main/etcd.yml
+++ b/roles/kubernetes/control-plane/defaults/main/etcd.yml
@@ -1,4 +1,7 @@
 ---
+# Set etcd user/group
+etcd_owner: etcd
+
 # Note: This does not set up DNS entries. It simply adds the following DNS
 # entries to the certificate
 etcd_cert_alt_names:
diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-etcd.yml b/roles/kubernetes/control-plane/tasks/kubeadm-etcd.yml
index 8c0c47bb7..1e97ac240 100644
--- a/roles/kubernetes/control-plane/tasks/kubeadm-etcd.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-etcd.yml
@@ -16,3 +16,10 @@
   import_role:
     name: etcdctl
   when: etcd_deployment_type == "kubeadm"
+
+- name: Set ownership for etcd data directory
+  file:
+    path: "{{ etcd_data_dir }}"
+    owner: "{{ etcd_owner }}"
+    group: "{{ etcd_owner }}"
+    mode: 0700
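Review bot: The new task has no `state`, so the `file` module defaults to `state: file` and fails with an error if `{{ etcd_data_dir }}` does not exist yet; adding `state: directory` makes the task succeed whether or not the directory pre-exists and still applies `0700` and the `etcd_owner` ownership (CIS 1.1.12). The task immediately above is gated on `when: etcd_deployment_type == "kubeadm"`, while this one is not; if this file is imported unconditionally (inferred, the include is outside the hunk) the same `when` belongs here. Since the file module expects mode as a string and YAML 1.1 parsers read a leading-zero integer as octal only by accident, `mode: "0700"` is the safer spelling, though it matches the `0755`/`0640` style used elsewhere in the patch.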
diff --git a/roles/kubernetes/preinstall/defaults/main.yml b/roles/kubernetes/preinstall/defaults/main.yml
index fc17b79d4..9624ea6fa 100644
--- a/roles/kubernetes/preinstall/defaults/main.yml
+++ b/roles/kubernetes/preinstall/defaults/main.yml
@@ -22,6 +22,7 @@ common_required_pkgs:
 # GCE docker repository
 disable_ipv6_dns: false
 
+kube_owner: kube
 kube_cert_group: kube-cert
 kube_config_dir: /etc/kubernetes
 kube_cert_dir: "{{ kube_config_dir }}/ssl"
diff --git a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
index 0c6ded0f9..35d7e04df 100644
--- a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
+++ b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
@@ -3,7 +3,7 @@
   file:
     path: "{{ item }}"
     state: directory
-    owner: kube
+    owner: "{{ kube_owner }}"
     mode: 0755
   when: inventory_hostname in groups['k8s_cluster']
   become: true
@@ -71,7 +71,7 @@
   file:
     path: "{{ item }}"
     state: directory
-    owner: kube
+    owner: "{{ kube_owner }}"
     mode: 0755
   with_items:
     - "/etc/cni/net.d"
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 756c6f7c3..9a6c58c0c 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -153,6 +153,9 @@ kube_cert_compat_dir: "/etc/kubernetes/pki"
 # This is where all of the bearer tokens will be stored
 kube_token_dir: "{{ kube_config_dir }}/tokens"
 
+# This is the user that owns tha cluster installation.
+kube_owner: kube
+
 # This is the group that the cert creation scripts chgrp the
 # cert files to. Not really changeable...
 kube_cert_group: kube-cert
diff --git a/roles/network_plugin/canal/tasks/main.yml b/roles/network_plugin/canal/tasks/main.yml
index 5d7637289..0d62b16ee 100644
--- a/roles/network_plugin/canal/tasks/main.yml
+++ b/roles/network_plugin/canal/tasks/main.yml
@@ -4,7 +4,7 @@
     src: "cni-canal.conflist.j2"
     dest: "/etc/cni/net.d/canal.conflist.template"
     mode: 0644
-    owner: kube
+    owner: "{{ kube_owner }}"
   register: canal_conflist
   notify: reset_canal_cni
 
diff --git a/roles/network_plugin/cni/tasks/main.yml b/roles/network_plugin/cni/tasks/main.yml
index d9f46939c..b8bcec322 100644
--- a/roles/network_plugin/cni/tasks/main.yml
+++ b/roles/network_plugin/cni/tasks/main.yml
@@ -4,7 +4,7 @@
     path: /opt/cni/bin
     state: directory
     mode: 0755
-    owner: kube
+    owner: "{{ kube_owner }}"
     recurse: true
 
 - name: CNI | Copy cni plugins
diff --git a/roles/network_plugin/kube-router/tasks/main.yml b/roles/network_plugin/kube-router/tasks/main.yml
index 6cda7fe35..4cc078ae7 100644
--- a/roles/network_plugin/kube-router/tasks/main.yml
+++ b/roles/network_plugin/kube-router/tasks/main.yml
@@ -7,7 +7,7 @@
   file:
     path: /var/lib/kube-router
     state: directory
-    owner: kube
+    owner: "{{ kube_owner }}"
     recurse: true
     mode: 0755
 
@@ -16,7 +16,7 @@
     src: kubeconfig.yml.j2
     dest: /var/lib/kube-router/kubeconfig
     mode: 0644
-    owner: kube
+    owner: "{{ kube_owner }}"
   notify:
     - reset_kube_router
 
@@ -44,7 +44,7 @@
     src: cni-conf.json.j2
     dest: /etc/cni/net.d/10-kuberouter.conflist
     mode: 0644
-    owner: kube
+    owner: "{{ kube_owner }}"
   notify:
     - reset_kube_router
 
-- 
GitLab