feat: CIS benchmark improvements (#1137)

Pulling in most of the changes from #1132.

This commit does not include Kubelet CSR Approver because that requires
more invasive changes (e.g. deploying the `kubelet-csr-approver` service
and reconfiguring kubelet after initial startup.

Author: jimmidyson

charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/aws-cluster-class.yaml

@@ -84,24 +84,73 @@ spec:
         clusterConfiguration:
           apiServer:
             extraArgs:
+              admission-control-config-file: /etc/kubernetes/admission.yaml
+              enable-admission-plugins: DenyServiceExternalIPs,EventRateLimit,NodeRestriction
               profiling: "false"
+              service-account-lookup: "true"
+            extraVolumes:
+            - hostPath: /etc/kubernetes/admission.yaml
+              mountPath: /etc/kubernetes/admission.yaml
+              name: admission-config
+              pathType: File
+              readOnly: true
+            - hostPath: /etc/kubernetes/eventratelimit-config.yaml
+              mountPath: /etc/kubernetes/eventratelimit-config.yaml
+              name: eventratelimit-config
+              pathType: File
+              readOnly: true
           controllerManager:
             extraArgs:
               cloud-provider: external
               profiling: "false"
+              terminated-pod-gc-threshold: "10000"
           scheduler:
             extraArgs:
               profiling: "false"
+        files:
+        - content: |
+            apiVersion: apiserver.config.k8s.io/v1
+            kind: AdmissionConfiguration
+            plugins:
+            - name: EventRateLimit
+              path: /etc/kubernetes/eventratelimit-config.yaml
+          path: /etc/kubernetes/admission.yaml
+          permissions: "0600"
+        - content: |
+            apiVersion: eventratelimit.admission.k8s.io/v1alpha1
+            kind: Configuration
+            limits:
+            - type: Server
+              qps: 10000
+              burst: 40000
+          path: /etc/kubernetes/eventratelimit-config.yaml
+          permissions: "0600"
         initConfiguration:
           nodeRegistration:
             kubeletExtraArgs:
               cloud-provider: external
+              event-qps: "5"
+              make-iptables-util-chains: "true"
+              pod-max-pids: "4096"
+              read-only-port: "0"
+              streaming-connection-idle-timeout: 5m
+              tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
             name: '{{ ds.meta_data.local_hostname }}'
         joinConfiguration:
           nodeRegistration:
             kubeletExtraArgs:
               cloud-provider: external
+              event-qps: "5"
+              make-iptables-util-chains: "true"
+              pod-max-pids: "4096"
+              read-only-port: "0"
+              streaming-connection-idle-timeout: 5m
+              tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
             name: '{{ ds.meta_data.local_hostname }}'
+        postKubeadmCommands:
+        - chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"
+        - chmod 600 $(systemctl show -P DropInPaths kubelet.service)
+        - chmod 600 /var/lib/kubelet/config.yaml
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
 kind: AWSMachineTemplate
@@ -140,4 +189,13 @@ spec:
         nodeRegistration:
           kubeletExtraArgs:
             cloud-provider: external
+            event-qps: "5"
+            pod-max-pids: "4096"
+            read-only-port: "0"
+            streaming-connection-idle-timeout: 5m
+            tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
           name: '{{ ds.meta_data.local_hostname }}'
+      postKubeadmCommands:
+      - chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"
+      - chmod 600 $(systemctl show -P DropInPaths kubelet.service)
+      - chmod 600 /var/lib/kubelet/config.yaml

charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/docker-cluster-class.yaml

@@ -83,17 +83,68 @@ spec:
         clusterConfiguration:
           apiServer:
             extraArgs:
+              admission-control-config-file: /etc/kubernetes/admission.yaml
+              enable-admission-plugins: DenyServiceExternalIPs,EventRateLimit,NodeRestriction
               profiling: "false"
+              service-account-lookup: "true"
+            extraVolumes:
+            - hostPath: /etc/kubernetes/admission.yaml
+              mountPath: /etc/kubernetes/admission.yaml
+              name: admission-config
+              pathType: File
+              readOnly: true
+            - hostPath: /etc/kubernetes/eventratelimit-config.yaml
+              mountPath: /etc/kubernetes/eventratelimit-config.yaml
+              name: eventratelimit-config
+              pathType: File
+              readOnly: true
           controllerManager:
             extraArgs:
               profiling: "false"
+              terminated-pod-gc-threshold: "10000"
           scheduler:
             extraArgs:
               profiling: "false"
+        files:
+        - content: |
+            apiVersion: apiserver.config.k8s.io/v1
+            kind: AdmissionConfiguration
+            plugins:
+            - name: EventRateLimit
+              path: /etc/kubernetes/eventratelimit-config.yaml
+          path: /etc/kubernetes/admission.yaml
+          permissions: "0600"
+        - content: |
+            apiVersion: eventratelimit.admission.k8s.io/v1alpha1
+            kind: Configuration
+            limits:
+            - type: Server
+              qps: 10000
+              burst: 40000
+          path: /etc/kubernetes/eventratelimit-config.yaml
+          permissions: "0600"
         initConfiguration:
-          nodeRegistration: {}
+          nodeRegistration:
+            kubeletExtraArgs:
+              event-qps: "5"
+              make-iptables-util-chains: "true"
+              pod-max-pids: "4096"
+              read-only-port: "0"
+              streaming-connection-idle-timeout: 5m
+              tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
         joinConfiguration:
-          nodeRegistration: {}
+          nodeRegistration:
+            kubeletExtraArgs:
+              event-qps: "5"
+              make-iptables-util-chains: "true"
+              pod-max-pids: "4096"
+              read-only-port: "0"
+              streaming-connection-idle-timeout: 5m
+              tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        postKubeadmCommands:
+        - chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"
+        - chmod 600 $(systemctl show -P DropInPaths kubelet.service)
+        - chmod 600 /var/lib/kubelet/config.yaml
 ---
 apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
 kind: DockerMachineTemplate
@@ -131,4 +182,14 @@ spec:
   template:
     spec:
       joinConfiguration:
-        nodeRegistration: {}
+        nodeRegistration:
+          kubeletExtraArgs:
+            event-qps: "5"
+            pod-max-pids: "4096"
+            read-only-port: "0"
+            streaming-connection-idle-timeout: 5m
+            tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+      postKubeadmCommands:
+      - chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"
+      - chmod 600 $(systemctl show -P DropInPaths kubelet.service)
+      - chmod 600 /var/lib/kubelet/config.yaml

charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class.yaml

@@ -11,10 +11,17 @@ spec:
         nodeRegistration:
           kubeletExtraArgs:
             cloud-provider: external
+            event-qps: "5"
             eviction-hard: nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<15%,memory.available<100Mi,imagefs.inodesFree<10%
-            tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+            pod-max-pids: "4096"
+            read-only-port: "0"
+            streaming-connection-idle-timeout: 5m
+            tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
       postKubeadmCommands:
       - echo "after kubeadm call" > /var/log/postkubeadm.log
+      - chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"
+      - chmod 600 $(systemctl show -P DropInPaths kubelet.service)
+      - chmod 600 /var/lib/kubelet/config.yaml
       preKubeadmCommands:
       - echo "before kubeadm call" > /var/log/prekubeadm.log
       - hostnamectl set-hostname "{{ ds.meta_data.hostname }}"
@@ -123,12 +130,27 @@ spec:
         clusterConfiguration:
           apiServer:
             extraArgs:
+              admission-control-config-file: /etc/kubernetes/admission.yaml
+              enable-admission-plugins: DenyServiceExternalIPs,EventRateLimit,NodeRestriction
               profiling: "false"
+              service-account-lookup: "true"
               tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+            extraVolumes:
+            - hostPath: /etc/kubernetes/admission.yaml
+              mountPath: /etc/kubernetes/admission.yaml
+              name: admission-config
+              pathType: File
+              readOnly: true
+            - hostPath: /etc/kubernetes/eventratelimit-config.yaml
+              mountPath: /etc/kubernetes/eventratelimit-config.yaml
+              name: eventratelimit-config
+              pathType: File
+              readOnly: true
           controllerManager:
             extraArgs:
               cloud-provider: external
               profiling: "false"
+              terminated-pod-gc-threshold: "10000"
               tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
           scheduler:
             extraArgs:
@@ -199,21 +221,49 @@ spec:
                     path: /etc/kubernetes/admin.conf
                   name: kubeconfig
           path: /etc/kubernetes/manifests/kube-vip.yaml
+        - content: |
+            apiVersion: apiserver.config.k8s.io/v1
+            kind: AdmissionConfiguration
+            plugins:
+            - name: EventRateLimit
+              path: /etc/kubernetes/eventratelimit-config.yaml
+          path: /etc/kubernetes/admission.yaml
+          permissions: "0600"
+        - content: |
+            apiVersion: eventratelimit.admission.k8s.io/v1alpha1
+            kind: Configuration
+            limits:
+            - type: Server
+              qps: 10000
+              burst: 40000
+          path: /etc/kubernetes/eventratelimit-config.yaml
+          permissions: "0600"
         initConfiguration:
           nodeRegistration:
             kubeletExtraArgs:
               cloud-provider: external
+              event-qps: "5"
               eviction-hard: nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<15%,memory.available<100Mi,imagefs.inodesFree<10%
-              tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+              make-iptables-util-chains: "true"
+              pod-max-pids: "4096"
+              read-only-port: "0"
+              streaming-connection-idle-timeout: 5m
+              tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
         joinConfiguration:
           nodeRegistration:
             kubeletExtraArgs:
               cloud-provider: external
+              event-qps: "5"
               eviction-hard: nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<15%,memory.available<100Mi,imagefs.inodesFree<10%
-              tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+              make-iptables-util-chains: "true"
+              pod-max-pids: "4096"
+              read-only-port: "0"
+              streaming-connection-idle-timeout: 5m
+              tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
         postKubeadmCommands:
-        - echo export KUBECONFIG=/etc/kubernetes/admin.conf >> /root/.bashrc
-        - echo "after kubeadm call" > /var/log/postkubeadm.log
+        - chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"
+        - chmod 600 $(systemctl show -P DropInPaths kubelet.service)
+        - chmod 600 /var/lib/kubelet/config.yaml
         preKubeadmCommands:
         - echo "before kubeadm call" > /var/log/prekubeadm.log
         - hostnamectl set-hostname "{{ ds.meta_data.hostname }}"

hack/examples/overlays/clusterclasses/aws/kustomization.yaml.tmpl

@@ -68,5 +68,29 @@ patches:
   # BEGIN CIS patches
   - target:
       kind: KubeadmControlPlaneTemplate
-    path: ../../../patches/disable-kubeadmcontrolplane-profiling.yaml
+    path: ../../../patches/cis-kubeadmcontrolplanetemplate.yaml
+  - target:
+      kind: KubeadmConfigTemplate
+    path: ../../../patches/cis-kubeadmconfigtemplate.yaml
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/initialize-kubeadmcontrolplanetemplate-postkubeadmcommands.yaml
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/cis-kubeadmcontrolplanetemplate-kubelet-file-permissions.yaml
+  - target:
+      kind: KubeadmConfigTemplate
+    path: ../../../patches/initialize-kubeadmconfigtemplate-postkubeadmcommands.yaml
+  - target:
+      kind: KubeadmConfigTemplate
+    path: ../../../patches/cis-kubeadmconfigtemplate-kubelet-file-permissions.yaml
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/initialize-files.yaml
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/initialize-extravolumes.yaml
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/cis-admissionconfiguration.yaml
   # END CIS patches

hack/examples/overlays/clusterclasses/docker/kustomization.yaml.tmpl

@@ -29,5 +29,29 @@ patches:
   # BEGIN CIS patches
   - target:
       kind: KubeadmControlPlaneTemplate
-    path: ../../../patches/disable-kubeadmcontrolplane-profiling.yaml
+    path: ../../../patches/cis-kubeadmcontrolplanetemplate.yaml
+  - target:
+      kind: KubeadmConfigTemplate
+    path: ../../../patches/cis-kubeadmconfigtemplate.yaml
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/initialize-kubeadmcontrolplanetemplate-postkubeadmcommands.yaml
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/cis-kubeadmcontrolplanetemplate-kubelet-file-permissions.yaml
+  - target:
+      kind: KubeadmConfigTemplate
+    path: ../../../patches/initialize-kubeadmconfigtemplate-postkubeadmcommands.yaml
+  - target:
+      kind: KubeadmConfigTemplate
+    path: ../../../patches/cis-kubeadmconfigtemplate-kubelet-file-permissions.yaml
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/initialize-files.yaml
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/initialize-extravolumes.yaml
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/cis-admissionconfiguration.yaml
   # END CIS patches

hack/examples/overlays/clusterclasses/nutanix/kustomization.yaml.tmpl

@@ -29,5 +29,23 @@ patches:
   # BEGIN CIS patches
   - target:
       kind: KubeadmControlPlaneTemplate
-    path: ../../../patches/disable-kubeadmcontrolplane-profiling.yaml
+    path: ../../../patches/cis-kubeadmcontrolplanetemplate.yaml
+  - target:
+      kind: KubeadmConfigTemplate
+    path: ../../../patches/cis-kubeadmconfigtemplate.yaml
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/initialize-kubeadmcontrolplanetemplate-postkubeadmcommands.yaml
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/cis-kubeadmcontrolplanetemplate-kubelet-file-permissions.yaml
+  - target:
+      kind: KubeadmConfigTemplate
+    path: ../../../patches/cis-kubeadmconfigtemplate-kubelet-file-permissions.yaml
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/initialize-extravolumes.yaml
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/cis-admissionconfiguration.yaml
   # END CIS patches