X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=deploy%2Fclusters%2Ftemplates%2Fkubeadmconfigtemplate.yaml;h=741bf69d51636d034f41ed015114caf3675d688b;hb=a6207042fd60266b82e67a4866e95aef609586c2;hp=2bfc97d79fcd10b782a09a00b70fa89c64b55e56;hpb=34b869955b20515bc44e5bac1b39ee0ffca65727;p=icn.git
diff --git a/deploy/clusters/templates/kubeadmconfigtemplate.yaml b/deploy/clusters/templates/kubeadmconfigtemplate.yaml
index 2bfc97d..741bf69 100644
--- a/deploy/clusters/templates/kubeadmconfigtemplate.yaml
+++ b/deploy/clusters/templates/kubeadmconfigtemplate.yaml
@@ -31,6 +31,7 @@ spec:
 - apt-get install -y kubelet={{ $cluster.kubeVersion }} kubeadm={{ $cluster.kubeVersion }} kubectl={{ $cluster.kubeVersion }}
 - systemctl enable --now kubelet
 postKubeadmCommands:
+ - /usr/local/bin/harden_os.sh
 # This must be done after kubeadm as the cabpk provider relies
 # on files in /var/run, which won't persist after a reboot
 - /usr/local/bin/set_kernel_cmdline.sh
@@ -39,6 +40,10 @@ spec:
 - path: /etc/systemd/system/containerd.service.d/override.conf
 content: |
 {{ $.Files.Get "resources/override.conf" | indent 10 }}
+ - path: /usr/local/bin/harden_os.sh
+ permissions: '0777'
+ content: |
+{{ $.Files.Get "resources/harden_os.sh" | indent 10 }}
 - path: /usr/local/bin/set_kernel_cmdline.sh
 permissions: '0777'
 content: |
@@ -51,6 +56,7 @@ spec:
 sshAuthorizedKeys:
 - {{ $cluster.userData.sshAuthorizedKey }}
 sudo: "ALL=(ALL) NOPASSWD:ALL"
+ groups: sudo # Necessary to allow SSH logins (see /etc/ssh/sshd_config)
 - name: root
 sshAuthorizedKeys:
 - {{ $cluster.userData.sshAuthorizedKey }}
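Review bot: The added `- /usr/local/bin/harden_os.sh` entry in `postKubeadmCommands` has no comment, while the command right below it carries a two-line rationale for its placement. A one-line comment above the new entry, for example `# Harden the OS once kubeadm has finished; see resources/harden_os.sh`, would record why it runs at this stage and before `set_kernel_cmdline.sh`. It is also worth stating there whether a non-zero exit from the script is meant to stop the remaining commands, since that is not visible from this hunk.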
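Review bot: The new files entry for `/usr/local/bin/harden_os.sh` is written with `permissions: '0777'`, so the hardening script itself is world-writable on the node. It is executed from `postKubeadmCommands` (presumably as root), and any local account or process that can reach the host filesystem could alter it before a later run. Only root needs to execute it, so `permissions: '0700'` together with `owner: root:root` is enough. The `set_kernel_cmdline.sh` entry in the context lines uses the same mode and deserves the same change.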
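Review bot: `groups: sudo` makes membership of the sudo group the gate for SSH logins, which ties login permission to privilege; the comment points at /etc/ssh/sshd_config, presumably a group restriction written by harden_os.sh, which is not visible in this diff. A dedicated login group (for example `groups: ssh-users`, an illustrative name that would have to exist on the image and in the sshd rule) would keep the two decisions separate. The same user keeps `sudo: "ALL=(ALL) NOPASSWD:ALL"`, and the context lines authorise the same key for `root`, so it is worth confirming that the hardened sshd configuration refuses root logins, or dropping `sshAuthorizedKeys` from the root entry.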