Harden OS and K8s deployments
[icn.git] / deploy / clusters / templates / kubeadmconfigtemplate.yaml
index 2bfc97d..741bf69 100644 (file)
@@ -31,6 +31,7 @@ spec:
       - apt-get install -y kubelet={{ $cluster.kubeVersion }} kubeadm={{ $cluster.kubeVersion }} kubectl={{ $cluster.kubeVersion }}
       - systemctl enable --now kubelet
       postKubeadmCommands:
+      - /usr/local/bin/harden_os.sh
       # This must be done after kubeadm as the cabpk provider relies
       # on files in /var/run, which won't persist after a reboot
       - /usr/local/bin/set_kernel_cmdline.sh
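Review bot: The new `harden_os.sh` entry is the only item in `postKubeadmCommands` without a comment saying why it runs here rather than in `preKubeadmCommands`, while the neighbouring `set_kernel_cmdline.sh` entry documents its ordering constraint. A one-line comment above the added line would make the ordering intent auditable, e.g. `# OS hardening (resources/harden_os.sh); kept after kubeadm so it cannot disturb node bootstrap — confirm the script has no reboot or service-restart that would interfere with set_kernel_cmdline.sh below`. Whether the script's changes are safe to apply before the kernel cmdline step is not visible from this hunk; if it restarts sshd or the network, the order relative to the next command may matter. The `spec:` block continues outside the hunk.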
@@ -39,6 +40,10 @@ spec:
       - path: /etc/systemd/system/containerd.service.d/override.conf
         content: |
 {{ $.Files.Get "resources/override.conf" | indent 10 }}
+      - path: /usr/local/bin/harden_os.sh
+        permissions: '0777'
+        content: |
+{{ $.Files.Get "resources/harden_os.sh" | indent 10 }}
       - path: /usr/local/bin/set_kernel_cmdline.sh
         permissions: '0777'
         content: |
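Review bot: `permissions: '0777'` on the new `/usr/local/bin/harden_os.sh` makes a script that is later executed by the node bootstrap (as root, via `postKubeadmCommands`) world-writable, which is the opposite of what a hardening script should be; any unprivileged local account could edit it before it runs or before a re-run. The script only needs to be executable, so `permissions: '0755'` (or `'0700'` if only root should read it) is sufficient. The pre-existing `set_kernel_cmdline.sh` entry directly below carries the same `'0777'` and would benefit from the same tightening, though that is outside this commit's change. Note also that cloud-init's `write_files` handles `permissions` as a string, so keeping the quotes is correct.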
@@ -51,6 +56,7 @@ spec:
         sshAuthorizedKeys:
         - {{ $cluster.userData.sshAuthorizedKey }}
         sudo: "ALL=(ALL) NOPASSWD:ALL"
+        groups: sudo # Necessary to allow SSH logins (see /etc/ssh/sshd_config)
       - name: root
         sshAuthorizedKeys:
         - {{ $cluster.userData.sshAuthorizedKey }}
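Review bot: The added `groups: sudo` line says it is required for SSH logins per `/etc/ssh/sshd_config`, but the `root` user entry that follows keeps `sshAuthorizedKeys` without any group, so if the hardened sshd config admits only group `sudo` that key is either dead configuration or root is being admitted by a separate rule that this file does not show. Either case deserves a comment on the `root` entry stating which it is, e.g. `# root SSH login is expected to be refused by the hardened sshd_config; key kept only for console/recovery — confirm`, or the root key should be dropped if it is truly unused. Separately, the inline comment has one space before `#`; yamllint expects at least two (`groups: sudo  # Necessary ...`). The hardened `sshd_config` is not in this diff, so the group-based restriction is inferred from the comment text only.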