OPS-0 enable security setting according to kube-bench (#41)

* Fix Fail check 4.2.* in kube-bench-cis-1.6 * Fix Fail check 1.3.2 in kube-bench-cis-1.6 * Fix Fail check 1.4.1 in kube-bench-cis-1.6 * Make the setting read from variables
Flaconi · Dec 13, 2021 · a32c2a2 · a32c2a2
1 parent f0dd723
commit a32c2a2
Show file tree

Hide file tree

Showing 3 changed files with 93 additions and 0 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -95,3 +95,15 @@ kops_default_encryptionConfig:
   enabled: false
   image: "flaconi/aws-encryption-provider:v0.1.0"
   kms_id: "12345678-1234-1234-1234-1234567890ab"
+
+###
+### Security setting recommend by kube-bench cis-1.6
+###
+kops_default_kubelet:
+  anonymousAuth: false
+  authenticationTokenWebhook: true
+  authorizationMode: Webhook
+kops_default_kubeControllerManager:
+  enableProfiling: false
+kops_default_kubeScheduler:
+  enableProfiling: false
diff --git a/tasks/asserts.yml b/tasks/asserts.yml
@@ -133,3 +133,76 @@
       {%- else -%}
       {{ kops_default_encryptionConfig }}
       {%- endif -%}
+
+###
+### Validate security setting
+###
+- name: "({{ cluster.name }}) ensure kubelet.anonymousAuth is boolean"
+  assert:
+    that:
+      - item.anonymousAuth is defined
+      - item.anonymousAuth | type_debug == 'bool'
+    msg: "kubelet.anonymousAuth should be true or false"
+  with_items:
+    - >-
+      {%- if cluster.kops_kubelet is defined and 'anonymousAuth' in cluster.kops_kubelet -%}
+      {{ cluster.kops_kubelet }}
+      {%- else -%}
+      {{ kops_default_kubelet }}
+      {%- endif -%}
+
+- name: "({{ cluster.name }}) ensure kubelet.authenticationTokenWebhook is boolean"
+  assert:
+    that:
+      - item.authenticationTokenWebhook is defined
+      - item.authenticationTokenWebhook | type_debug == 'bool'
+    msg: "kubelet.authenticationTokenWebhook should be true or false"
+  with_items:
+    - >-
+      {%- if cluster.kops_kubelet is defined and 'authenticationTokenWebhook' in cluster.kops_kubelet -%}
+      {{ cluster.kops_kubelet }}
+      {%- else -%}
+      {{ kops_default_kubelet }}
+      {%- endif -%}
+
+- name: "({{ cluster.name }}) ensure kubelet.authorizationMode is string"
+  assert:
+    that:
+      - item.authorizationMode is defined
+      - item.authorizationMode | length > 0
+    msg: "kubelet.authorizationMode should be string"
+  with_items:
+    - >-
+      {%- if cluster.kops_kubelet is defined and 'authorizationMode' in cluster.kops_kubelet -%}
+      {{ cluster.kops_kubelet }}
+      {%- else -%}
+      {{ kops_default_kubelet }}
+      {%- endif -%}
+
+- name: "({{ cluster.name }}) ensure kubeControllerManager.enableProfiling is boolean"
+  assert:
+    that:
+      - item.enableProfiling is defined
+      - item.enableProfiling | type_debug == 'bool'
+    msg: "kubeControllerManager.enableProfiling should be true or false"
+  with_items:
+    - >-
+      {%- if cluster.kubeControllerManager is defined and 'enableProfiling' in cluster.kubeControllerManager -%}
+      {{ cluster.kubeControllerManager }}
+      {%- else -%}
+      {{ kops_default_kubeControllerManager }}
+      {%- endif -%}
+
+- name: "({{ cluster.name }}) ensure kubeScheduler.enableProfiling is boolean"
+  assert:
+    that:
+      - item.enableProfiling is defined
+      - item.enableProfiling | type_debug == 'bool'
+    msg: "kubeScheduler.enableProfiling should be true or false"
+  with_items:
+    - >-
+      {%- if cluster.kubeScheduler is defined and 'enableProfiling' in cluster.kubeScheduler -%}
+      {{ cluster.kubeScheduler }}
+      {%- else -%}
+      {{ kops_default_kubeScheduler }}
+      {%- endif -%}
diff --git a/templates/cluster.yml.j2 b/templates/cluster.yml.j2
@@ -4,6 +4,14 @@ metadata:
   creationTimestamp: null
   name: {{ cluster.name }}
 spec:
+  kubelet:
+    anonymousAuth: {{ cluster.kops_kubelet.anonymousAuth | default(kops_default_kubelet.anonymousAuth) }}
+    authenticationTokenWebhook: {{ cluster.kops_kubelet.authenticationTokenWebhook | default(kops_default_kubelet.authenticationTokenWebhook) }}
+    authorizationMode: {{ cluster.kops_kubelet.authorizationMode | default(kops_default_kubelet.authorizationMode) }}
+  kubeControllerManager:
+    enableProfiling: {{ cluster.kops_kubeControllerManager.enableProfiling | default(kops_default_kubeControllerManager.enableProfiling) }}
+  kubeScheduler:
+    enableProfiling: {{ cluster.kops_kubeScheduler.enableProfiling | default(kops_default_kubeScheduler.enableProfiling) }}
   api:
     loadBalancer:
       type: Public