Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
- name: Remove blocks of unsecure YAML
yedit:
src: "{{ mst_conf }}"
key: "{{ item }}"
state: absent
with_items:
- admissionConfig.pluginConfig.NodeRestriction
- admissionConfig.pluginConfig.PodSecurityPolicy
- admissionConfig.pluginConfig.ServiceAccount
- name: Removing unsecure features and plugins
yedit:
src: "{{ mst_conf }}"
key: "{{ item }}"
state: absent
with_items:
- kubernetesMasterConfig.apiServerArguments.basic-auth-file
- kubernetesMasterConfig.apiServerArguments.insecure-bind-address
- kubernetesMasterConfig.apiServerArguments.insecure-port
- kubernetesMasterConfig.apiServerArguments.secure-port
- kubernetesMasterConfig.apiServerArguments.profiling
- kubernetesMasterConfig.apiServerArguments.AlwaysAdmit
- kubernetesMasterConfig.apiServerArguments.NamespaceLifecycle
- kubernetesMasterConfig.apiServerArguments.authorization-mode
- kubernetesMasterConfig.apiServerArguments.token-auth-file
- kubernetesMasterConfig.apiServerArguments.kubelet-certifcate-authority
- kubernetesMasterConfig.apiServerArguments.service-account-lookup
- kubernetesMasterConfig.apiServerArguments.service-account-key-file
- kubernetesMasterConfig.apiServerArguments.etcd-keyfile
- kubernetesMasterConfig.apiServerArguments.etcd-certfile
- kubernetesMasterConfig.apiServerArguments.tls-cert-file
- kubernetesMasterConfig.apiServerArguments.tls-private-key-file
- kubernetesMasterConfig.apiServerArguments.client-ca-file
- kubernetesMasterConfig.apiServerArguments.etcd-cafile
- kubernetesMasterConfig.controllerArguments.service-account-private-key-file
- kubernetesMasterConfig.controllerArguments.root-ca-file
- name: 1.8 Ensure OPENSHIFT_PROFILE is not set to web
command: grep OPENSHIFT_PROFILE "{{ mst_env }}"
register: opw
ignore_errors: yes
- name: 1.8 Remove OPENSHIFT_PROFILE if it is equal to web
lineinfile:
dest: "{{ mst_env }}"
regexp: '^OPENSHIFT_PROFILE'
state: absent
when: "'web' in opw.stdout"
ignore_errors: yes
- name: 1.11 Is AlwaysPullImages set in config
command: grep -A4 AlwaysPullImages "{{ mst_conf }}"
register: alpi
ignore_errors: yes
- name: 1.11 If AlwaysPullImages exists ensure it is not disabled
yedit:
src: "{{ mst_conf }}"
key: admissionConfig.pluginConfig.AlwaysPullImages.configuration.disable
value: 'false'
when: "'true' in alpi.stdout"
- name: 1.12 Is DenyEscalatingExec set in config
command: grep -A4 DenyEscalatingExec "{{ mst_conf }}"
register: dee
ignore_errors: yes
- name: 1.12 If DenyEscalatingExec exists ensure it is not disabled
yedit:
src: "{{ mst_conf }}"
key: admissionConfig.pluginConfig.DenyEscalatingExec.configuration.disable
value: 'false'
when: "'true' in dee.stdout"
- name: 1.13 Is SecurityContextDeny set in config
command: grep -A4 SecurityContextDeny "{{ mst_conf }}"
register: scd
ignore_errors: yes
- name: 1.13 If SecurityContextDeny exists ensure it is not disabled
yedit:
src: "{{ mst_conf }}"
key: admissionConfig.pluginConfig.SecurityContextDeny.configuration.disable
value: 'false'
when: "'true' in scd.stdout"
- name: 1.15 - 1.18 Verify if auditConfig exists
command: grep -A5 auditConfig "{{ mst_conf }}"
ignore_errors: yes
register: ac
- name: 1.15 - 1.18 Add audit config if not present in config
yedit:
src: "{{ mst_conf }}"
key: auditConfig
value:
auditFilePath: "/var/log/audit-ocp.log"
enabled: true
maximumFileRetentionDays: 30
maximumFileSizeMegabytes: 10
maximumRetainedFiles: 10
state: present
- name: Adding security features and plugins
yedit:
src: "{{ mst_conf }}"
edits:
- key: kubernetesMasterConfig.apiServerArguments.feature-gates
value: "- AdvancedAuditing=true"
#- key: kubernetesMasterConfig.apiServerArguments.request-timeout
# value: "- 300"
#- key: kubernetesMasterConfig.controllerArguments.repair-malformed-updates
# value: "- repair-malformed-updates=true"
#- key: kubernetesMasterConfig.controllerArguments.experimental-encryption-provider-config
# value: "- /etc/origin/master/encryption-config.yaml"
- key: kubernetesMasterConfig.controllerArguments.terminated-pod-gc-threshold
value: "- '1000'"
- key: kubernetesMasterConfig.controllerArguments.use-service-account-credentials
value: "- 'true'"
state: present
- name: 1.22 Does kubeletClientInfo exist in config
command: grep -A4 kubeletClientInfo "{{ mst_conf }}"
register: kci
ignore_errors: yes
- name: 1.22 remove bad config
yedit:
src: "{{ mst_conf }}"
key: "{{ item }}"
state: absent
with_items:
- kubernetesMasterConfig.apiServerArguments.kubelet-client-certificate
- kubernetesMasterConfig.apiServerArguments.kubelet-client-key
when: kci.rc == 1
- name: 1.33 verify encryption-config exists
stat:
path: "{{ mst_path }}encryption-config.yaml"
register: ecnc
- name: 1.33 Create encryption-config secret
shell: head -c 32 /dev/urandom | base64
register: aes
when: ecnc.stat.exists == false
- set_fact:
gensec: "{{ aes.stdout }}"
- name: 1.33 Generate encryption-config
template:
src: encryption-config.j2
dest: "{{ encryption_config }}"
when: ecnc.stat.exists == false
#- name: 1.35 Ensure EventRateLimit admission plugin is enabled
# yedit:
# src: "{{ mst_conf }}"
# key: admissionConfig.pluginConfig.EventRateLimit
# value:
# configuration:
# kind: DefaultAdmissionConfig
# apiVersion: v1
# disable: false
# state: present