From a32c2a278e6673c654b4f3c87a2ba7d78ac67488 Mon Sep 17 00:00:00 2001 From: "Maohsiang @github" Date: Mon, 13 Dec 2021 10:44:20 +0100 Subject: [PATCH] OPS-0 enable security setting according to kube-bench (#41) * Fix Fail check 4.2.* in kube-bench-cis-1.6 * Fix Fail check 1.3.2 in kube-bench-cis-1.6 * Fix Fail check 1.4.1 in kube-bench-cis-1.6 * Make the setting read from variables --- defaults/main.yml | 12 +++++++ tasks/asserts.yml | 73 ++++++++++++++++++++++++++++++++++++++++ templates/cluster.yml.j2 | 8 +++++ 3 files changed, 93 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index f87bf4a..847c987 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -95,3 +95,15 @@ kops_default_encryptionConfig:
 enabled: false
 image: "flaconi/aws-encryption-provider:v0.1.0"
 kms_id: "12345678-1234-1234-1234-1234567890ab"
+
+###
+### Security setting recommend by kube-bench cis-1.6
+###
+kops_default_kubelet:
+ anonymousAuth: false
+ authenticationTokenWebhook: true
+ authorizationMode: Webhook
+kops_default_kubeControllerManager:
+ enableProfiling: false
+kops_default_kubeScheduler:
+ enableProfiling: false
diff --git a/tasks/asserts.yml b/tasks/asserts.yml
index 16ac140..778a2d8 100644
--- a/tasks/asserts.yml
+++ b/tasks/asserts.yml
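Review bot: The header comment above `kops_default_kubelet` says only that the settings are "recommend by kube-bench cis-1.6" and does not record which check each key answers, so a reader of defaults/main.yml cannot tell why `authenticationTokenWebhook: true` sits next to the CIS items without opening this commit. I would make the header carry what the commit message already states, e.g. `### Hardening defaults from kube-bench (CIS 1.6): the kubelet keys address the 4.2.* checks, enableProfiling addresses 1.3.2 (controller manager) and 1.4.1 (scheduler); override per cluster via cluster.kops_kubelet and the matching per-component keys.` Grammar aside ("recommended"), the scalars themselves are fine: `Webhook` is an unambiguous plain string and the booleans are canonical lowercase.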
@@ -133,3 +133,76 @@
 {%- else -%}
 {{ kops_default_encryptionConfig }}
 {%- endif -%}
+
+###
+### Validate security setting
+###
+- name: "({{ cluster.name }}) ensure kubelet.anonymousAuth is boolean"
+ assert:
+ that:
+ - item.anonymousAuth is defined
+ - item.anonymousAuth | type_debug == 'bool'
+ msg: "kubelet.anonymousAuth should be true or false"
+ with_items:
+ - >-
+ {%- if cluster.kops_kubelet is defined and 'anonymousAuth' in cluster.kops_kubelet -%}
+ {{ cluster.kops_kubelet }}
+ {%- else -%}
+ {{ kops_default_kubelet }}
+ {%- endif -%}
+
+- name: "({{ cluster.name }}) ensure kubelet.authenticationTokenWebhook is boolean"
+ assert:
+ that:
+ - item.authenticationTokenWebhook is defined
+ - item.authenticationTokenWebhook | type_debug == 'bool'
+ msg: "kubelet.authenticationTokenWebhook should be true or false"
+ with_items:
+ - >-
+ {%- if cluster.kops_kubelet is defined and 'authenticationTokenWebhook' in cluster.kops_kubelet -%}
+ {{ cluster.kops_kubelet }}
+ {%- else -%}
+ {{ kops_default_kubelet }}
+ {%- endif -%}
+
+- name: "({{ cluster.name }}) ensure kubelet.authorizationMode is string"
+ assert:
+ that:
+ - item.authorizationMode is defined
+ - item.authorizationMode | length > 0
+ msg: "kubelet.authorizationMode should be string"
+ with_items:
+ - >-
+ {%- if cluster.kops_kubelet is defined and 'authorizationMode' in cluster.kops_kubelet -%}
+ {{ cluster.kops_kubelet }}
+ {%- else -%}
+ {{ kops_default_kubelet }}
+ {%- endif -%}
+
+- name: "({{ cluster.name }}) ensure kubeControllerManager.enableProfiling is boolean"
+ assert:
+ that:
+ - item.enableProfiling is defined
+ - item.enableProfiling | type_debug == 'bool'
+ msg: "kubeControllerManager.enableProfiling should be true or false"
+ with_items:
+ - >-
+ {%- if cluster.kubeControllerManager is defined and 'enableProfiling' in cluster.kubeControllerManager -%}
+ {{ cluster.kubeControllerManager }}
+ {%- else -%}
+ {{ kops_default_kubeControllerManager }}
+ {%- endif -%}
+
+- name: "({{ cluster.name }}) ensure kubeScheduler.enableProfiling is boolean"
+ assert:
+ that:
+ - item.enableProfiling is defined
+ - item.enableProfiling | type_debug == 'bool'
+ msg: "kubeScheduler.enableProfiling should be true or false"
+ with_items:
+ - >-
+ {%- if cluster.kubeScheduler is defined and 'enableProfiling' in cluster.kubeScheduler -%}
+ {{ cluster.kubeScheduler }}
+ {%- else -%}
+ {{ kops_default_kubeScheduler }}
+ {%- endif -%}
diff --git a/templates/cluster.yml.j2 b/templates/cluster.yml.j2
index 9b0e5b3..823244e 100644
--- a/templates/cluster.yml.j2
+++ b/templates/cluster.yml.j2
@@ -4,6 +4,14 @@ metadata:
 creationTimestamp: null
 name: {{ cluster.name }}
 spec:
+ kubelet:
+ anonymousAuth: {{ cluster.kops_kubelet.anonymousAuth | default(kops_default_kubelet.anonymousAuth) }}
+ authenticationTokenWebhook: {{ cluster.kops_kubelet.authenticationTokenWebhook | default(kops_default_kubelet.authenticationTokenWebhook) }}
+ authorizationMode: {{ cluster.kops_kubelet.authorizationMode | default(kops_default_kubelet.authorizationMode) }}
+ kubeControllerManager:
+ enableProfiling: {{ cluster.kops_kubeControllerManager.enableProfiling | default(kops_default_kubeControllerManager.enableProfiling) }}
+ kubeScheduler:
+ enableProfiling: {{ cluster.kops_kubeScheduler.enableProfiling | default(kops_default_kubeScheduler.enableProfiling) }}
 api:
 loadBalancer:
 type: Public
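Review bot: The last two assert tasks read the per-cluster override from `cluster.kubeControllerManager` and `cluster.kubeScheduler`, while templates/cluster.yml.j2 in this same commit renders `cluster.kops_kubeControllerManager.enableProfiling` and `cluster.kops_kubeScheduler.enableProfiling`, so an override placed under the `kops_`-prefixed key is validated against the defaults instead of the value that actually reaches the rendered spec, and a non-boolean there is never caught. The four `{%- if ... -%}` / `{{ ... }}` lines in those two tasks should use the prefixed names, e.g. `{%- if cluster.kops_kubeControllerManager is defined and 'enableProfiling' in cluster.kops_kubeControllerManager -%}`, which also matches the `cluster.kops_kubelet` convention of the three kubelet tasks above. Separately, the `authorizationMode` task only asserts a non-empty value; since the kube-bench kubelet check this presumably targets is about not running with AlwaysAllow, adding `- item.authorizationMode != 'AlwaysAllow'` to its `that:` list would catch an override that reverts the hardening while still passing the length check.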
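Review bot: The three boolean lines (`anonymousAuth`, both `enableProfiling`) are rendered with a bare `{{ ... }}`, so the output is the Python spelling `False`/`True` rather than canonical `false`/`true`; kops' loader presumably accepts it, but it trips yamllint's truthy rule and reads as a mistake in the generated manifest. Appending `| to_json` after the `default(...)` filter, e.g. `anonymousAuth: {{ cluster.kops_kubelet.anonymousAuth | default(kops_default_kubelet.anonymousAuth) | to_json }}`, emits lowercase booleans regardless of how the value was set. The `cluster.kops_kubelet.anonymousAuth | default(...)` chain also relies on the undefined result of a missing `kops_kubelet` key being chainable; that holds for Ansible's undefined type, but a short comment above the block saying the `default()` fallbacks are what make `kops_kubelet` optional would help the next editor. Finally, `spec:` continues past this hunk: if the rest of the template already emits a `kubelet:`, `kubeControllerManager:` or `kubeScheduler:` block, this change introduces a duplicate mapping key that most YAML loaders resolve silently as last-wins.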