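#!/bin/bash

# This script configures all we need to configure k3s / rke2 hardened cluster
# Instructions from https://docs.k3s.io/security/hardening-guide and https://docs.rke2.io/security/hardening_guide
#
# Must run as root (writes under /etc and /var/lib, calls sysctl and useradd).
# The hardening assets are resolved relative to this script's own directory
# (../assets/hardened_cluster), so the caller's working directory does not
# matter. The script is safe to re-run: directories and the etcd user are
# only created when missing, so 'set -e' does not abort on a second run.

set -e -x

# Variables
K3S_SERVER_DIR="/var/lib/rancher/k3s/server"
K3S_CONFIG_DIR="/etc/rancher/k3s"
K3S_CONFIG_FILE="${K3S_CONFIG_DIR}/config.yaml"
RKE2_SERVER_DIR="/etc/rancher/rke2"
RKE2_CONFIG_FILE="${RKE2_SERVER_DIR}/config.yaml"
RKE2_BINARY="/usr/local/bin/rke2"
MANIFESTS_DIR="${K3S_SERVER_DIR}/manifests/"
SYSCTL_DIR="/etc/sysctl.d"
# Locate the assets next to the script instead of relative to $PWD
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
HARDENED_DIR="${SCRIPT_DIR}/../assets/hardened_cluster"
SYSCTL_CONF="${HARDENED_DIR}/90-kubelet.conf"
PSA_YAML="${HARDENED_DIR}/psa.yaml"
NETWORK_POLICY_YAML="${HARDENED_DIR}/networkpolicy.yaml"
AUDIT_YAML="${HARDENED_DIR}/audit.yaml"

# Fail early with a clear message if the assets are not where we expect them
for asset in "${SYSCTL_CONF}" "${PSA_YAML}" "${NETWORK_POLICY_YAML}" "${AUDIT_YAML}"; do
  if [[ ! -f "${asset}" ]]; then
    printf 'error: missing hardening asset %s\n' "${asset}" >&2
    exit 1
  fi
done

# Apply mandatory sysctl config
cp -- "${SYSCTL_CONF}" "${SYSCTL_DIR}"
sysctl -p "${SYSCTL_DIR}/90-kubelet.conf"

# Check if we are running RKE2 or K3S
if [[ -f "${RKE2_BINARY}" ]]; then
  # Create RKE2 directory and config file
  mkdir -p "${RKE2_SERVER_DIR}"
  # Enable hardened profile
  cp -- "${PSA_YAML}" "${RKE2_SERVER_DIR}"
  # Unquoted delimiter on purpose: ${RKE2_SERVER_DIR} must be expanded
  cat << EOF > "${RKE2_CONFIG_FILE}"
profile: cis-1.23
pod-security-admission-config-file: ${RKE2_SERVER_DIR}/psa.yaml
EOF
  # Create etcd user; useradd exits non-zero if the user already exists,
  # which would abort a re-run under 'set -e', so guard it with 'id'
  if ! id etcd > /dev/null 2>&1; then
    useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
  fi
else
  # Create K3S directories to preload manifests
  mkdir -p -m 700 "${MANIFESTS_DIR}"
  # Audit log directory (audit-log-path below points into it); '-p' keeps
  # re-runs idempotent and mode 700 keeps the API audit log root-only
  mkdir -p -m 700 "${K3S_SERVER_DIR}/logs"

  # Copy policies to manifests directory
  cp -- "${NETWORK_POLICY_YAML}" "${MANIFESTS_DIR}"

  # Enable auditing
  cp -- "${PSA_YAML}" "${AUDIT_YAML}" "${K3S_SERVER_DIR}"

  # Create K3S config file. The paths are derived from K3S_SERVER_DIR so the
  # config cannot drift from where the files were actually copied above.
  mkdir -p "${K3S_CONFIG_DIR}"
  cat << EOF > "${K3S_CONFIG_FILE}"
protect-kernel-defaults: true
kube-apiserver-arg:
- "admission-control-config-file=${K3S_SERVER_DIR}/psa.yaml"
- "audit-log-path=${K3S_SERVER_DIR}/logs/audit.log"
- "audit-policy-file=${K3S_SERVER_DIR}/audit.yaml"
- "audit-log-maxage=30"
- "audit-log-maxbackup=10"
- "audit-log-maxsize=100"
- "request-timeout=300s"
- "service-account-lookup=true"
- "anonymous-auth=false"
kubelet-arg:
- "make-iptables-util-chains=true"
EOF
fi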