Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity

Apply CIS benchmark for kubeadm clusterconf

Browse Source 
Signed-off-by: Malte Poll <mp@edgeless.systems>
This commit is contained in:
Moritz Eckert 2022-05-09 16:12:15 +02:00 committed by Malte Poll
parent 1d69ed5cd8
commit adda637609
1 changed files with 23 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
coordinator/kubernetes/k8sapi/kubeadm_config.go
View File

@ -48,13 +48,33 @@ func (c *CoreOSConfiguration) InitConfiguration(externalCloudProvider bool) Kube
KubernetesVersion: constants.KubernetesVersion, KubernetesVersion: constants.KubernetesVersion,
// necessary to be able to access the kubeapi server through localhost // necessary to be able to access the kubeapi server through localhost
APIServer: kubeadm.APIServer{ APIServer: kubeadm.APIServer{
ControlPlaneComponent: kubeadm.ControlPlaneComponent{
ExtraArgs: map[string]string{
"profiling": "false", // CIS benchmark
"tls-cipher-suites": "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256," +
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384," +
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256," +
"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," +
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305," +
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA," +
"TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384", // CIS benchmark
},
},
CertSANs: []string{"127.0.0.1", "10.118.0.1"}, CertSANs: []string{"127.0.0.1", "10.118.0.1"},
}, },
ControllerManager: kubeadm.ControlPlaneComponent{ ControllerManager: kubeadm.ControlPlaneComponent{
ExtraArgs: map[string]string{ ExtraArgs: map[string]string{
"flex-volume-plugin-dir": "/opt/libexec/kubernetes/kubelet-plugins/volume/exec/", "flex-volume-plugin-dir": "/opt/libexec/kubernetes/kubelet-plugins/volume/exec/",
"cloud-provider": cloudProvider, "cloud-provider": cloudProvider,
"configure-cloud-routes": "false", "configure-cloud-routes": "false",
"profiling": "false", // CIS benchmark
"terminated-pod-gc-threshold": "1000", // CIS benchmark - Default value of Rancher
},
},
Scheduler: kubeadm.ControlPlaneComponent{
ExtraArgs: map[string]string{
"profiling": "false",
}, },
}, },
ControlPlaneEndpoint: "127.0.0.1:16443", ControlPlaneEndpoint: "127.0.0.1:16443",