From d7c7a47c61e2a5017e8ec1ca52321773b5a73d88 Mon Sep 17 00:00:00 2001
From: Mark Burnett
Date: Wed, 26 Sep 2018 11:26:47 -0500
Subject: [PATCH] Improve security of default and example configurations

* Enabled the NodeRestriction Admission Controller.
* Configured the default terminated-pod-gc-threshold in the controller-manager.
* Disable repair-malformed-updates.
* Disable anonymous-auth in the Kubelet.
* Further restrict permissions for contents of /etc/kubernetes and /var/lib/etcd.

Change-Id: I112652a5aa7bde054de253234f65755d90ab65ad
---
 charts/controller_manager/values.yaml | 1 +
 examples/basic/Genesis.yaml | 4 +++-
 examples/basic/Kubelet.yaml | 3 ++-
 examples/basic/armada-resources.yaml | 4 +++-
 promenade/templates/include/up.sh | 15 +++++++++++++--
 5 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/charts/controller_manager/values.yaml b/charts/controller_manager/values.yaml
index 37e23b00..d19d5dcb 100644
--- a/charts/controller_manager/values.yaml
+++ b/charts/controller_manager/values.yaml
@@ -54,6 +54,7 @@ command_prefix:
- --node-monitor-grace-period=20s
- --pod-eviction-timeout=60s
- --service-cluster-ip-range=10.96.0.0/16
+ - --terminated-pod-gc-threshold=1000
secrets:
tls:
diff --git a/examples/basic/Genesis.yaml b/examples/basic/Genesis.yaml
index f4387a04..7bade7d2 100644
--- a/examples/basic/Genesis.yaml
+++ b/examples/basic/Genesis.yaml
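Review bot: The new `--terminated-pod-gc-threshold=1000` entry is the one value in this `command_prefix` list that is not self-explanatory, and nothing in values.yaml records why 1000 was chosen over the controller-manager's own, higher, default. Because this is a chart default every deployment inherits it silently, so a one-line comment above it such as `# Number of terminated pods kept before the pod GC deletes the oldest; tune per cluster size` would let operators decide whether to override it. The rest of the argument list and the `secrets:` block continue outside the hunk.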
@@ -14,9 +14,11 @@ data:
command_prefix:
- /apiserver
- --authorization-mode=Node,RBAC
- - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
+ - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
- --service-cluster-ip-range=10.96.0.0/16
- --endpoint-reconciler-type=lease
+ # NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
+ - --repair-malformed-updates=false
armada:
target_manifest: cluster-bootstrap
labels:
diff --git a/examples/basic/Kubelet.yaml b/examples/basic/Kubelet.yaml
index 41b84ce4..6464a4ec 100644
--- a/examples/basic/Kubelet.yaml
+++ b/examples/basic/Kubelet.yaml
@@ -15,7 +15,8 @@ data:
- --network-plugin=cni
- --node-status-update-frequency=5s
- --serialize-image-pulls=false
- - --v=5
+ - --anonymous-auth=false
+ - --v=3
images:
pause: gcr.io/google_containers/pause-amd64:3.0
...
diff --git a/examples/basic/armada-resources.yaml b/examples/basic/armada-resources.yaml
index 48fb9b91..ec4f2e3e 100644
--- a/examples/basic/armada-resources.yaml
+++ b/examples/basic/armada-resources.yaml
@@ -743,9 +743,11 @@ data:
command_prefix:
- /apiserver
- --authorization-mode=Node,RBAC
- - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
+ - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
- --service-cluster-ip-range=10.96.0.0/16
- --endpoint-reconciler-type=lease
+ # NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
+ - --repair-malformed-updates=false
apiserver:
etcd:
endpoints: https://127.0.0.1:2378
diff --git a/promenade/templates/include/up.sh b/promenade/templates/include/up.sh
index 22c87c34..1c47fa29 100644
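Review bot: The added NOTE says `--repair-malformed-updates` is removed in Kubernetes 1.11 but not what that means for this example: kube-apiserver rejects flags it does not recognise, so the `/apiserver` command_prefix here will fail to start on 1.11 or later until the line is deleted. Suggest making the comment actionable, e.g. `# NOTE(mark-burnett): This flag is removed in Kubernetes 1.11; drop this line when moving to 1.11+, otherwise the apiserver will refuse to start`. Separately, `NodeRestriction` only constrains requests authenticated as `system:node:<name>` in the `system:nodes` group; whether the kubelet credentials issued by these examples follow that naming is outside the hunk, and without it the plugin does nothing for kubelet traffic. Both points apply unchanged to the `examples/basic/armada-resources.yaml` hunk below, which carries an identical edit.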
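Review bot: `--anonymous-auth=false` closes only the unauthenticated path to the kubelet API; the kubelet's default `--authorization-mode` is `AlwaysAllow`, so any caller presenting credentials the kubelet accepts still gets full access to it. For the change to have its intended effect this list should also carry `--client-ca-file=<kubelet client CA path>` and `--authorization-mode=Webhook`, with the apiserver side holding a kubelet client certificate; whether those are set elsewhere in this argument list is outside the hunk. The `--v=5` to `--v=3` change is unrelated to the security intent and is not mentioned in the commit message, so it deserves a line there or its own commit.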
--- a/promenade/templates/include/up.sh
+++ b/promenade/templates/include/up.sh
@@ -2,8 +2,15 @@ # resolvconf --disable-updates
-mkdir -p /etc/kubernetes
-chmod 700 /etc/kubernetes
+CURATED_DIRS=(
+ /etc/kubernetes
+ /var/lib/etcd
+)
+
+for DIR in "${CURATED_DIRS[@]}"; do
+ mkdir -p "${DIR}"
+ chmod 700 "${DIR}"
+done
# Unpack prepared files into place
#
@@ -15,6 +22,10 @@ echo "{{ encrypted_tarball | b64enc }}" | base64 -d | {{ decrypt_command }} | ta
{{ decrypt_teardown_command }}
set -x
+for DIR in "${CURATED_DIRS[@]}"; do
+ chmod go-rwx "${DIR}"
+done
+
# Adding apt repositories
#
set +x
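Review bot: `chmod go-rwx "${DIR}"` in the second hunk is not recursive, so after the tarball is unpacked only the two directory inodes are tightened; the files and subdirectories the tar stage created inside them keep whatever mode bits the archive carried, which is narrower than the "contents of /etc/kubernetes and /var/lib/etcd" the commit message claims. If the contents are the target, `chmod -R go-rwx "${DIR}"` does it without touching owner bits, so files root executes stay executable. The tar invocation itself is visible only as the truncated hunk-header context, so whether it preserves archive modes (which would explain re-applying the chmod after the pre-extraction `chmod 700` in the first hunk) is inferred rather than seen.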