--- /dev/null
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:public-info-viewer
+rules:
+- nonResourceURLs: # /version has been removed
+ - /healthz
+ - /livez
+ - /readyz
+ verbs:
+ - get
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: default
+ namespace: default
+automountServiceAccountToken: false
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+ labels:
+ machineconfiguration.openshift.io/role: worker
+ name: 50-disable-secret-automount
+spec:
+ config:
+ ignition:
+ version: 2.2.0
+ storage:
+ files:
+ - contents:
+ source: data:text/plain;charset=utf-8;base64,Cg==
+ filesystem: root
+ mode: 0644
+ path: /etc/containers/mounts.conf
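Review bot: The `system:public-info-viewer` ClusterRole still carries `rbac.authorization.kubernetes.io/autoupdate: "true"`, so the removal of `/version` noted in the `nonResourceURLs` comment is unlikely to persist. The API server reconciles default cluster roles at startup and adds back any missing default permissions on roles with that annotation. Setting the annotation to `"false"` on this role opts it out of reconciliation; worth confirming the behaviour on the target OpenShift release. Separately, `mode: 0644` in the `50-disable-secret-automount` MachineConfig is only read as octal by a YAML 1.1 parser, while the decimal form `mode: 420` is unambiguous.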
--- /dev/null
+#!/bin/bash
+sudo sysctl -w kernel.dmesg_restrict=1
+sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
+sudo sed -i '/^PASS_MAX_DAYS/c\PASS_MAX_DAYS 998' /etc/login.defs
+sudo echo "AllowUsers core" >> /etc/ssh/sshd_config
+sudo echo "AllowGroups core" >> /etc/ssh/sshd_config
+sudo sed -i 's/^ umask.*/ umask 027/g' /etc/profile
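Review bot: The two `echo ... >> /etc/ssh/sshd_config` lines are not idempotent, and the MachineConfigs later on this page run the script from an enabled oneshot unit, so every boot appends another `AllowUsers core` / `AllowGroups core` pair. A guard such as `grep -qxF 'AllowUsers core' /etc/ssh/sshd_config || echo 'AllowUsers core' >> /etc/ssh/sshd_config` (and the same for `AllowGroups`) keeps the file stable. The `sudo` on those lines has no effect on the redirection, which is opened by the calling shell; it works only because the unit already runs as root. There is also no `set -e`, so the exit status reflects only the final `sed` and a failed `sysctl` or `sshd_config` write goes unnoticed by the unit's `Restart=on-failure`.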
--- /dev/null
+kind: MachineConfig
+apiVersion: machineconfiguration.openshift.io/v1
+metadata:
+ name: 99-akraino-sec-master
+ creationTimestamp:
+ labels:
+ machineconfiguration.openshift.io/role: master
+spec:
+ config:
+ ignition:
+ version: 2.2.0
+ storage:
+ files:
+ - filesystem: root
+ path: "/root/akrainosec.sh"
+ contents:
+ source: data:text/plain;charset=utf-8;base64,IyEvYmluL2Jhc2gKc3VkbyBzeXNjdGwgLXcga2VybmVsLmRtZXNnX3Jlc3RyaWN0PTEKc3VkbyBzeXNjdGwgLXcgbmV0LmlwdjQuY29uZi5kZWZhdWx0LmFjY2VwdF9zb3VyY2Vfcm91dGU9MApzdWRvIHNlZCAtaSAnL15QQVNTX01BWF9EQVlTL2NcUEFTU19NQVhfREFZUyAgIDk5OCcgL2V0Yy9sb2dpbi5kZWZzCnN1ZG8gZWNobyAiQWxsb3dVc2VycyBjb3JlIiA+PiAvZXRjL3NzaC9zc2hkX2NvbmZpZwpzdWRvIGVjaG8gIkFsbG93R3JvdXBzIGNvcmUiID4+IC9ldGMvc3NoL3NzaGRfY29uZmlnCnN1ZG8gc2VkIC1pICdzL14gICAgdW1hc2suKi8gICAgdW1hc2sgMDI3L2cnIC9ldGMvcHJvZmlsZQ==
+ verification: {}
+ mode: 0755
+ systemd:
+ units:
+ - contents: |
+ [Unit]
+ Description=Akraino Security
+ DefaultDependencies=no
+ [Service]
+ Type=oneshot
+ ExecStart=/bin/bash /root/akrainosec.sh
+ Restart=on-failure
+ RestartSec=30
+ [Install]
+ WantedBy=multi-user.target
+ name: akrainosec.service
+ enabled: true
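Review bot: `akrainosec.service` has no ordering relative to sshd, and nothing in the script reloads sshd, so the `AllowUsers`/`AllowGroups` lines may be written after sshd has already read its configuration and not be enforced until the next sshd restart. With `DefaultDependencies=no` the unit also drops the implicit ordering after `sysinit.target` and `basic.target`, so the script can run before the system is fully initialised. I would add `Before=sshd.service` and `After=local-fs.target` to `[Unit]`, or remove `DefaultDependencies=no` unless early start is actually required. The same unit text appears in the `99-akraino-sec-worker` MachineConfig, and both embed the script as base64, which has to be regenerated whenever the shell script changes.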
--- /dev/null
+kind: MachineConfig
+apiVersion: machineconfiguration.openshift.io/v1
+metadata:
+ name: 99-akraino-sec-worker
+ creationTimestamp:
+ labels:
+ machineconfiguration.openshift.io/role: worker
+spec:
+ config:
+ ignition:
+ version: 2.2.0
+ storage:
+ files:
+ - filesystem: root
+ path: "/root/akrainosec.sh"
+ contents:
+ source: data:text/plain;charset=utf-8;base64,IyEvYmluL2Jhc2gKc3VkbyBzeXNjdGwgLXcga2VybmVsLmRtZXNnX3Jlc3RyaWN0PTEKc3VkbyBzeXNjdGwgLXcgbmV0LmlwdjQuY29uZi5kZWZhdWx0LmFjY2VwdF9zb3VyY2Vfcm91dGU9MApzdWRvIHNlZCAtaSAnL15QQVNTX01BWF9EQVlTL2NcUEFTU19NQVhfREFZUyAgIDk5OCcgL2V0Yy9sb2dpbi5kZWZzCnN1ZG8gZWNobyAiQWxsb3dVc2VycyBjb3JlIiA+PiAvZXRjL3NzaC9zc2hkX2NvbmZpZwpzdWRvIGVjaG8gIkFsbG93R3JvdXBzIGNvcmUiID4+IC9ldGMvc3NoL3NzaGRfY29uZmlnCnN1ZG8gc2VkIC1pICdzL14gICAgdW1hc2suKi8gICAgdW1hc2sgMDI3L2cnIC9ldGMvcHJvZmlsZQ==
+ verification: {}
+ mode: 0755
+ systemd:
+ units:
+ - contents: |
+ [Unit]
+ Description=Akraino Security
+ DefaultDependencies=no
+ [Service]
+ Type=oneshot
+ ExecStart=/bin/bash /root/akrainosec.sh
+ Restart=on-failure
+ RestartSec=30
+ [Install]
+ WantedBy=multi-user.target
+ name: akrainosec.service
+ enabled: true