Added seed code for caas-security. 05/605/3
authorSzekeres, Balazs (Nokia - HU/Budapest) <balazs.szekeres@nokia.com>
Thu, 2 May 2019 12:07:07 +0000 (14:07 +0200)
committerSzekeres, Balazs (Nokia - HU/Budapest) <balazs.szekeres@nokia.com>
Mon, 6 May 2019 07:41:54 +0000 (09:41 +0200)
Added seed code for caas-security.

Change-Id: I206543bc11d68300fd205e3194beae8eb65c66dc
Signed-off-by: Szekeres, Balazs (Nokia - HU/Budapest) <balazs.szekeres@nokia.com>
32 files changed:
LICENSE [new file with mode: 0644]
ansible/playbooks/rbac.yaml [new file with mode: 0644]
ansible/playbooks/security.yaml [new file with mode: 0644]
ansible/roles/cert/tasks/main.yml [new file with mode: 0644]
ansible/roles/cert/templates/node.conf.j2 [new file with mode: 0644]
ansible/roles/cert/vars/main.yml [new file with mode: 0644]
ansible/roles/creategroup/tasks/main.yml [new file with mode: 0644]
ansible/roles/createuser/tasks/main.yml [new file with mode: 0644]
ansible/roles/hardening/tasks/hardening.yaml [new file with mode: 0644]
ansible/roles/hardening/tasks/main.yml [new file with mode: 0644]
ansible/roles/hardening/templates/docker.rules [new file with mode: 0644]
ansible/roles/hardening/templates/hardened_path.sh [new file with mode: 0644]
ansible/roles/rbac/tasks/main.yml [new file with mode: 0644]
ansible/roles/security/tasks/main.yml [new file with mode: 0644]
rbac_manifests/auto-approve-crb.yml [new file with mode: 0644]
rbac_manifests/auto-renew-crb.yml [new file with mode: 0644]
rbac_manifests/caas-default-psp.yaml [new file with mode: 0644]
rbac_manifests/caas-infra-psp.yaml [new file with mode: 0644]
rbac_manifests/cpudp-rbac-config.yml [new file with mode: 0644]
rbac_manifests/cpusetter-rbac-config.yml [new file with mode: 0644]
rbac_manifests/custom-metrics-apiserver-rbac.yaml [new file with mode: 0644]
rbac_manifests/danm-rbac-config.yaml [new file with mode: 0644]
rbac_manifests/flannel-rbac-config.yml [new file with mode: 0644]
rbac_manifests/fluentd-rbac-config.yml [new file with mode: 0644]
rbac_manifests/kubedns-rbac-config.yml [new file with mode: 0644]
rbac_manifests/kubernetes-bootstrap-crb.yml [new file with mode: 0644]
rbac_manifests/metrics-server-rbac.yaml [new file with mode: 0644]
rbac_manifests/netwatcher-rbac-config.yml [new file with mode: 0644]
rbac_manifests/prometheus-rbac.yaml [new file with mode: 0644]
rbac_manifests/svcwatcher-rbac-config.yml [new file with mode: 0644]
rbac_manifests/tiller-rbac-config.yaml [new file with mode: 0644]
rpmbuild.spec [new file with mode: 0644]

diff --git a/LICENSE b/LICENSE
new file mode 100644 (file)
index 0000000..4959a5e
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,179 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+
diff --git a/ansible/playbooks/rbac.yaml b/ansible/playbooks/rbac.yaml
new file mode 100644 (file)
index 0000000..1c98cee
--- /dev/null
@@ -0,0 +1,22 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# cmframework.requires: master_kube_proxy.yaml
+- hosts: caas_master
+  strategy: free
+  become: true
+  become_user: "root"
+  roles:
+    - role: rbac
diff --git a/ansible/playbooks/security.yaml b/ansible/playbooks/security.yaml
new file mode 100644 (file)
index 0000000..28cd78e
--- /dev/null
@@ -0,0 +1,24 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# cmframework.requires: common.yaml
+- hosts: caas_nodes
+  strategy: free
+  become: true
+  become_user: "root"
+  roles:
+    - role: security
+    - role: hardening
+
diff --git a/ansible/roles/cert/tasks/main.yml b/ansible/roles/cert/tasks/main.yml
new file mode 100644 (file)
index 0000000..a23996c
--- /dev/null
@@ -0,0 +1,153 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: template node.conf
+  template:
+    src: "node.conf.j2"
+    dest: /etc/openssl/node.conf
+    mode: 0000
+
+- name: check instance cert directory
+  stat:
+    path: "{{ cert_path }}/ca.pem"
+  register: cert_path_register
+
+- name: create cert directory
+  file:
+    name: "{{ cert_path }}"
+    state: directory
+  when: not cert_path_register.stat.exists
+
+# The 'create cert directory' and 'changing permissions of cert directory' tasks cannot merged together!
+# Since 'state: directory' creates the directory recursively.
+# So, if cert_path is e.g: /etc/kubernetes/ssl, then /etc/kubernetes would get 700 as it's permisson.
+# And in that case the admin user would get access denied for the /etc/kubernetes folder.
+- name: changing permissions of cert directory
+  file:
+    path: "{{ cert_path }}"
+    mode: 0700
+  when: not cert_path_register.stat.exists
+
+- name: adding default acl read to {{ users.admin_user_name }} to {{ cert_path }}
+  acl:
+    default: yes
+    name:  "{{ cert_path }}"
+    entity: "{{ users.admin_user_name }}"
+    etype: user
+    permissions: rx
+    recursive: yes
+    state: present
+
+- name: adding acl read to {{ users.admin_user_name }} to {{ cert_path }}
+  acl:
+    name:  "{{ cert_path }}"
+    entity: "{{ users.admin_user_name }}"
+    etype: user
+    permissions: rx
+    recursive: yes
+    state: present
+
+- name: check instance cert
+  stat:
+    path: "{{ cert_path }}/{{ _cert }}"
+  register: cert
+
+- name: copy CA to {{ cert_path }}
+  copy:
+    src: "/etc/openssl/ca.pem"
+    dest: "{{ cert_path }}/ca.pem"
+  when: not cert_path_register.stat.exists
+
+- name: generate instance certificate
+  command: "{{ item }}"
+  with_items:
+    - "/usr/bin/openssl genrsa -out {{ _key }} 2048"
+    - "/usr/bin/openssl req -new -key {{ _key }} -out {{ instance }}.csr -subj '{{ _subject }}' {% if _common_key is sameas false %} -config /etc/openssl/{{ _conf_file }} {% endif %} -sha256"
+    - "/usr/bin/openssl x509 -req -in {{ instance }}.csr -CA ca.pem -CAserial {{ instance }}.slr -CAkey /etc/openssl/ca-key.pem -CAcreateserial -out {{ _cert }} -days {{ _expiry }} -extensions v3_req -extfile /etc/openssl/{{ _conf_file }} -sha256"
+  args:
+    chdir: "{{ cert_path }}"
+  when: not cert.stat.exists
+
+- name: reducing permission of key file and cert file
+  file:
+    path: "{{ cert_path }}/{{ item }}"
+    mode: 0000
+  with_items:
+    - "{{ _key }}"
+    - "{{ _cert }}"
+  when: not cert.stat.exists
+
+- name: remove cert request and serial file
+  file:
+    path: "{{ cert_path }}/{{ item }}"
+    state: absent
+  with_items:
+    - "{{ instance }}.csr"
+    - "{{ instance }}.slr"
+  when: not cert.stat.exists
+
+- name: setting ca.pem permission
+  file:
+    path: "{{ cert_path }}/ca.pem"
+    mode: 0000
+  when: not cert_path_register.stat.exists
+
+- name: adding default acl read to {{ users.admin_user_name }} to {{ cert_path }}/ca.epm
+  acl:
+    name:  "{{ cert_path }}/ca.pem"
+    entity: "{{ users.admin_user_name }}"
+    etype: user
+    permissions: rx
+    state: present
+
+- name: allowing users to access keys
+  acl:
+    name: "{{ item[0] }}"
+    entity: "{{ item[1] }}"
+    etype: user
+    permissions: "r"
+    state: present
+  with_nested:
+    - [ "{{ cert_path }}/{{ _key }}", "{{ cert_path }}/{{ _cert }}", "{{ cert_path }}/ca.pem" ]
+    - "{{ add_users | default([]) }}"
+
+- name: adding exec flag to {{ cert_path }} directory for users
+  acl:
+    name: "{{ cert_path }}"
+    entity: "{{ item }}"
+    etype: user
+    permissions: "rx"
+    state: present
+  with_items: "{{ add_users | default([]) }}"
+
+- name: create kubeconfig from cert
+  include_role:
+    name: kubeconfig
+  vars:
+    config:
+      path: "{{ item.path }}"
+      owner: "{{ item.owner | default('root') }}"
+      group: "{{ item.group | default('root') }}"
+      restricted: "{{ item.restricted | default(true) }}"
+      user: "{{ _cn }}"
+      cert: "{{ cert_path }}/{{ _cert }}"
+      key: "{{ cert_path }}/{{ _key }}"
+      apiserver: "{{ item.apiserver }}"
+      apiserver_port: "{{ item.apiserver_port }}"
+      add_users: "{{ add_users | default([]) }}"
+  with_items: "{{ kube_conf | default([]) }}"
+
+- name: force IO to write data to disk
+  shell: "sync"
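Review bot: The certificate is only issued when the file is absent (`when: not cert.stat.exists`, fed by the stat on `path: "{{ cert_path }}/{{ _cert }}"`), so an expired certificate, or one whose subject or SANs no longer match the current variables, is never re-issued; a validity check such as `command: openssl x509 -checkend 2592000 -noout -in {{ cert_path }}/{{ _cert }}` registered with `failed_when: false` and OR-ed into the condition would make rotation happen without deleting files by hand. Between the `openssl genrsa -out {{ _key }}` step and the later `mode: 0000` task the private key exists with whatever the umask and the directory's default ACL give it; if the default `rx` ACL added earlier for `{{ users.admin_user_name }}` is inherited by new files, that user can read the key during that window, which writing the key under a restrictive umask inside the command would close — I cannot confirm the inheritance from here. The task named `adding default acl read ... ca.epm` misspells `ca.pem` and sets no `default: yes`, so its name overstates what it does. `shell: "sync"` needs no shell; `command: sync` is the conventional module for a plain binary.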
diff --git a/ansible/roles/cert/templates/node.conf.j2 b/ansible/roles/cert/templates/node.conf.j2
new file mode 100644 (file)
index 0000000..75389aa
--- /dev/null
@@ -0,0 +1,35 @@
+{#
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+#}
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = critical, CA:FALSE
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+{% if _alt_names.dns | default([]) or _alt_names.ip | default([]) %}
+subjectAltName = @alt_names
+[alt_names]
+{% for element in _alt_names.dns | default([]) %}
+DNS.{{loop.index}} = {{ element }}
+{% endfor %}
+{% for element in _alt_names.ip | default([]) %}
+IP.{{loop.index}} = {{ element }}
+{% endfor %}
+{% endif %}
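Review bot: `extendedKeyUsage = clientAuth, serverAuth` is emitted for every certificate signed with this template, including the client identities the cert tasks later wire into kubeconfigs via `-extfile /etc/openssl/{{ _conf_file }}`, so a node's client certificate is also a valid TLS server certificate. Least privilege would drive the EKU from a variable, e.g. `extendedKeyUsage = {{ _eku | default('clientAuth, serverAuth') }}` (name constructed here), with callers that only need a client identity passing `clientAuth`; the default keeps today's behaviour for existing callers.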
diff --git a/ansible/roles/cert/vars/main.yml b/ansible/roles/cert/vars/main.yml
new file mode 100644 (file)
index 0000000..50c63df
--- /dev/null
@@ -0,0 +1,23 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+_cert: "{{ cert_name | default(instance + '.pem') }}"
+_key: "{{ key_name | default(instance + '-key.pem') }}"
+_cn: "{{ common_name | default('crf-' + instance) }}"
+_org: "{{ org_name | default('') }}"
+_conf_file: "{{ conf_file | default('node.conf') }}"
+_expiry: "{{ cert_expiry | default('1825') }}"
+_subject: "/CN={{ _cn }}{% if _org %}/O={{ _org }}{% endif %}"
+_alt_names: "{{ alt_names | default( {'dns':[], 'ip':[]} ) }}"
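Review bot: `_expiry` defaults to `'1825'` days, so every instance certificate issued through this role is valid for five years unless the caller sets `cert_expiry`, and since the tasks file re-issues only when the file is missing, five years is the effective rotation period of node and kubeconfig identities. Either a shorter default or a comment above the line stating why five years was chosen would help, e.g. `# cert_expiry: validity in days; the issuing task re-issues only when the file is missing, so this is the de-facto rotation period`.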
diff --git a/ansible/roles/creategroup/tasks/main.yml b/ansible/roles/creategroup/tasks/main.yml
new file mode 100644 (file)
index 0000000..427a08b
--- /dev/null
@@ -0,0 +1,20 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: create group
+  group:
+    name: "{{ _name }}"
+    state: present
+    gid: "{{ _gid }}"
diff --git a/ansible/roles/createuser/tasks/main.yml b/ansible/roles/createuser/tasks/main.yml
new file mode 100644 (file)
index 0000000..0b655c7
--- /dev/null
@@ -0,0 +1,26 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: create user
+  user:
+    name: "{{ _name }}"
+    state: present
+    group: "{{ _group }}"
+    groups: "{{ _groups }}"
+    uid: "{{ _uid }}"
+    shell: "{{ _shell }}"
+    home: "{{ _home | default('/dev/null') }}"
+    createhome: "{{ _home is defined | ternary('yes', 'no') }}"
+    password: "{{ _password | default('') }}"
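Review bot: `password: "{{ _password | default('') }}"` supplies an empty string, not a lock marker, when the caller gives no `_password`; if I read the `user` module correctly it hands that value to `useradd -p`/`usermod -p` verbatim, and on Linux an empty encrypted-password field is an account with no password rather than a disabled one (whether it is then usable depends on PAM `nullok` and sshd `PermitEmptyPasswords`). The module's documented way to create a disabled account is `'!'` or `'*'`, so `password: "{{ _password | default('!') }}"` is the safer default. `groups: "{{ _groups }}"` has no default and fails the task whenever a caller omits it; `default(omit)` would let the role create single-group accounts.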
diff --git a/ansible/roles/hardening/tasks/hardening.yaml b/ansible/roles/hardening/tasks/hardening.yaml
new file mode 100644 (file)
index 0000000..3fd1c64
--- /dev/null
@@ -0,0 +1,112 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: set /etc/openssl directory with proper rights
+  file:
+    path: /etc/openssl
+    state: directory
+    mode: 0755
+
+- name: templating path hardener profile.d script
+  template:
+    src: hardened_path.sh
+    dest: /etc/profile.d/hardened_path.sh
+    mode: 0644
+
+- name: removing root spool/mail if exists
+  file:
+    path: /var/spool/mail/root
+    state: absent
+
+- name: creating root spool/mail
+  file:
+    path: /var/spool/mail/root
+    state: directory
+    mode: 0660
+    owner: root
+    group: mail
+
+- name: removing unused users
+  user:
+    name: "{{ item }}"
+    state: absent
+    remove: yes # deletes home, spool etc
+  ignore_errors: yes # sometimes spool not exists, sometimes group is not primary.
+  with_items:
+    - "lp"
+    - "operator"
+    - "games"
+    - "ftp"
+
+- name: remove not needed user groups
+  group:
+    name: "{{ item }}"
+    state: absent
+  with_items:
+    - "cdrom"
+    - "floppy"
+    - "games"
+    - "tape"
+
+- name: system uids to 999 instead of 199
+  replace:
+    dest: /etc/profile
+    regexp: 'if \[ \$UID -gt 199 \]'
+    replace: 'if [ $UID -gt 999 ]'
+
+- name: Removing home per bin from path in skeleton and in the already existing root
+  lineinfile:
+    dest: "{{ item }}"
+    state: absent
+    regexp: '^PATH=.*$HOME/bin'
+  with_items:
+    - /etc/skel/.bash_profile
+    - /root/.bash_profile
+
+- name: create /etc/cron.allow with root
+  copy:
+    content: 'root'
+    dest: /etc/cron.allow
+    owner: root
+    group: root
+    mode: 0600
+    force: yes
+
+- name: remove linked files
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /etc/prelink.conf.d/fipscheck.conf
+    - /etc/prelink.conf.d/grub2.conf
+    - /etc/prelink.conf.d/nss-softokn-prelink.conf
+
+- name: change auditd config
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    state: present
+    regexp: '^ *{{ item.key }} *=.+$'
+    line: '{{ item.key }} = {{ item.val }}'
+  with_items:
+    - key: num_logs
+      val: 10
+    - key: max_log_file
+      val: 15
+
+- name: No root login access on terminals /etc/securetty
+  copy:
+    content: 'console'
+    dest: /etc/securetty
+    force: yes
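Review bot: The `regexp: '^PATH=.*$HOME/bin'` in the "Removing home per bin from path" task can never match: in a Python regex `$` is an end-of-line anchor, so `$HOME/bin` demands text after the end of the line, and the lineinfile is a silent no-op on both `/etc/skel/.bash_profile` and `/root/.bash_profile`. Escape the dollar, `regexp: '^PATH=.*\$HOME/bin'`. The `ignore_errors: yes` on the user removal masks every failure, not only the missing-spool and non-primary-group cases the comment describes; registering the result and narrowing with `failed_when` on those specific cases would keep real errors visible.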
diff --git a/ansible/roles/hardening/tasks/main.yml b/ansible/roles/hardening/tasks/main.yml
new file mode 100644 (file)
index 0000000..00d6c20
--- /dev/null
@@ -0,0 +1,53 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- import_tasks: hardening.yaml
+
+- name: setting umask for init scripts
+  lineinfile:
+    dest: /etc/sysconfig/init
+    regexp: ^umask
+    line: umask 027
+
+- name: disable interactive boot
+  lineinfile:
+    dest: /etc/sysconfig/init
+    state: present
+    regexp: '^ *PROMPT *= *\w+$'
+    line: PROMPT=no
+
+- name: removing wheel group altogether
+  group:
+    name: wheel
+    state: absent
+
+- name: removing postfix
+  yum:
+    name: postfix
+    state: absent
+
+- name: change permission of files to 0500
+  file:
+    path: /usr/sbin/tcpdump
+    state: file
+    mode: 0500
+
+- name: change permission of files to 0X00
+  file:
+    path: /root
+    state: directory
+    recurse: yes
+    mode: "g-rwx,o-rwx"
+
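Review bot: `file: path: /usr/sbin/tcpdump` with `state: file` and `mode: 0500` fails the play on a node where tcpdump is not installed, because `state: file` does not create the path and reports an error when it is absent; guard it with a preceding `stat` and `when: tcpdump_stat.stat.exists` (name constructed here), or loop over a list of optional binaries the same way. Removing the `wheel` group (`name: wheel`, `state: absent`) also breaks any `%wheel` rule in sudoers; if the admin user's privilege escalation is granted elsewhere, a one-line comment saying so would stop the next reader from restoring the group.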
diff --git a/ansible/roles/hardening/templates/docker.rules b/ansible/roles/hardening/templates/docker.rules
new file mode 100644 (file)
index 0000000..7baf141
--- /dev/null
@@ -0,0 +1,23 @@
+{#
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+#}
+-w /usr/bin/docker -k docker
+-w /var/lib/docker/manifests -k docker"
+-w /etc/docker -k docker
+-w /usr/lib/systemd/system/docker.service -k docker
+-w /var/run/docker.sock -k docker
+-w /etc/sysconfig/docker-proxy -k docker
+-w /etc/sysconfig/docker-storage -k docker
+-w /etc/sysconfig/docker-registries -k docker
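Review bot: The second rule, `-w /var/lib/docker/manifests -k docker"`, carries a stray trailing double quote, so that watch is tagged with the key `docker"` (or rejected outright, depending on the auditctl version) and `ausearch -k docker` will not return its events; drop the quote. The file is a Jinja template (it opens with a `{# ... #}` comment), but none of the Ansible tasks visible in this change templates it into `/etc/audit/rules.d/`, although the security role does run `augenrules --load`; if the deploying task lives outside this commit, a pointer comment in the template would help, otherwise the rules are never loaded.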
diff --git a/ansible/roles/hardening/templates/hardened_path.sh b/ansible/roles/hardening/templates/hardened_path.sh
new file mode 100644 (file)
index 0000000..837752a
--- /dev/null
@@ -0,0 +1,23 @@
+#!/bin/sh
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+IFS=':' read -ra PATH_ELEMENTS <<< "$PATH"
+PATH=""
+for element in "${PATH_ELEMENTS[@]}"; do
+    if [[ ! -z "$element" ]] && [[ -d "$element" ]] && [[ ! -z "`/usr/bin/ls -A \"$element\"`" ]]; then
+        PATH=$PATH:$element
+    fi
+done
+PATH=${PATH#":"}
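Review bot: The filter drops empty and non-existent PATH elements but keeps relative ones: `.` or `bin` passes the `-d` test and the non-empty `ls -A` test, so a relative search path — the main thing a PATH-hardening script should strip — survives. Add an absolute-path test to the condition, `if [[ "$element" == /* ]] && [[ -d "$element" ]] && [[ -n "$(/usr/bin/ls -A "$element")" ]]; then`, which also replaces the backtick-with-escaped-quotes form by `$(...)` and subsumes the `! -z` check. The file is installed to `/etc/profile.d/` and sourced by the login shell, so the `#!/bin/sh` line is cosmetic, but `read -ra`, `<<<` and `[[ ]]` are bash-only and the script errors when sourced by a POSIX `sh` login shell.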
diff --git a/ansible/roles/rbac/tasks/main.yml b/ansible/roles/rbac/tasks/main.yml
new file mode 100644 (file)
index 0000000..3c0ee05
--- /dev/null
@@ -0,0 +1,21 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: create rbac objects
+  kubectl:
+    manifest: "{{ item }}"
+    state: present
+  with_fileglob: "{{ caas.rbac_manifests_directory }}/*"
+  when: ( nodename | search("caas_master1") )
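Review bot: `when: ( nodename | search("caas_master1") )` is a substring match, so it is also true on any node whose name merely contains `caas_master1` (a hypothetical `caas_master10`), and the RBAC manifests would then be applied from more than one master. An exact comparison, `when: nodename == "caas_master1"`, or `match("^caas_master1$")`, states the intent. `with_fileglob: "{{ caas.rbac_manifests_directory }}/*"` feeds every file in the directory to kubectl regardless of extension, so a stray backup or editor temp file becomes a manifest; a list of `*.yml` and `*.yaml` patterns is safer.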
diff --git a/ansible/roles/security/tasks/main.yml b/ansible/roles/security/tasks/main.yml
new file mode 100644 (file)
index 0000000..22e3197
--- /dev/null
@@ -0,0 +1,98 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+  - name: protect grub with root password
+    blockinfile:
+      dest: /etc/grub.d/40_custom
+      state: present
+      insertafter: 'EOF'
+      content: |
+        # define superusers
+        set superusers="root"
+        #define users
+        password_pbkdf2 root {{ host_os.grub2_password }}
+    when:
+      - host_os is defined
+      - host_os.grub2_password | default(False, True)
+
+  - name: generate grub config
+    command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
+
+  - name: chsh/chfn right setting
+    file:
+      path: "{{ item }}"
+      state: file
+      mode: 04700
+      owner: root
+      group: root
+    with_items:
+      - /usr/bin/chsh
+      - /usr/bin/chfn
+
+  - name: permission change for ssh certificates
+    file:
+      path: "{{ item }}"
+      state: file
+      mode: 0600
+      owner: root
+      group: root
+    with_fileglob:
+      - /etc/ssh/ssh_host_*_key
+
+  - name: reload audit config
+    command: augenrules --load
+
+  - name: Checking existing file id for permission set 0600
+    stat:
+      path: "{{ item }}"
+    register: file_perm_status
+    with_items:
+      - /var/log/boot.log
+      - /var/log/cloud-init.log
+      - /var/log/cloud-init-output.log
+      - /var/log/dmesg
+      - /var/log/dmesg.old
+      - /var/log/java_install.log
+      - /var/log/ntp.log
+      - /var/log/rhsm/rhsmcertd.log
+      - /var/log/rhsm/rhsm.log
+      - /var/log/tuned/tuned.log
+      - /var/log/up2date
+      - /var/log/wpa_supplicant.log
+      - /etc/cron.d/0hourly
+      - /etc/cron.daily/0yum-daily.cron
+      - /etc/cron.daily/man-db.cron
+      - /etc/cron.hourly/0anacron
+      - /etc/cron.hourly/0yum-hourly.cron
+      - /boot/grub2/grub.cfg
+      - /etc/rsyslog.conf
+      - /etc/sysctl.conf
+      - /etc/ntp.conf
+      - /etc/audit/audit.rules
+
+  - name: change permission of of files to 0600
+    file:
+      path: "{{ item.stat.path }}"
+      state: file
+      mode: 0600
+    when:  item.stat.exists
+    with_items: "{{ file_perm_status.results }}"
+
+  - name: delete broken links
+    file:
+      path: "{{ item }}"
+      state: absent
+    with_lines:
+      - find /run/udev/watch/ -xtype l
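Review bot: The `delete broken links` task at the end of the hunk evaluates `with_lines: find /run/udev/watch/ -xtype l` on the Ansible control host, not on the managed node (lookup plugins always run locally), so it removes on the target whatever dangling links the controller happens to have under that path and never inspects the target itself. Run the search remotely and loop over the registered output instead, as below. The `generate grub config` and `reload audit config` command tasks also run on every play and always report changed; turning them into handlers notified by the tasks that modify `40_custom` and the audit rules keeps the role idempotent and avoids regenerating `grub.cfg` when no `grub2_password` was configured.
```yaml
  - name: find broken links
    shell: find /run/udev/watch/ -xtype l
    register: broken_links
    changed_when: false
    failed_when: false

  - name: delete broken links
    file:
      path: "{{ item }}"
      state: absent
    loop: "{{ broken_links.stdout_lines }}"
```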
diff --git a/rbac_manifests/auto-approve-crb.yml b/rbac_manifests/auto-approve-crb.yml
new file mode 100644 (file)
index 0000000..d222d8a
--- /dev/null
@@ -0,0 +1,27 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: auto-approve-bootstrappers-certs
+subjects:
+- kind: Group
+  name: system:bootstrappers
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
+  apiGroup: rbac.authorization.k8s.io
diff --git a/rbac_manifests/auto-renew-crb.yml b/rbac_manifests/auto-renew-crb.yml
new file mode 100644 (file)
index 0000000..4d05f07
--- /dev/null
@@ -0,0 +1,27 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: auto-renew-node-certs
+subjects:
+- kind: Group
+  name: system:nodes
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
+  apiGroup: rbac.authorization.k8s.io
diff --git a/rbac_manifests/caas-default-psp.yaml b/rbac_manifests/caas-default-psp.yaml
new file mode 100644 (file)
index 0000000..d3d3712
--- /dev/null
@@ -0,0 +1,69 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: caas-default
+spec:
+  privileged: false
+  allowPrivilegeEscalation: true
+  readOnlyRootFilesystem: false
+  hostIPC: false
+  hostNetwork: false
+  hostPID: false
+  volumes:
+    - 'configMap'
+    - 'downwardAPI'
+    - 'emptyDir'
+    - 'persistentVolumeClaim'
+    - 'projected'
+    - 'secret'
+    - 'hostPath'
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: caas:default-psp
+rules:
+- apiGroups:     ['extensions']
+  resources:     ['podsecuritypolicies']
+  verbs:         ['use']
+  resourceNames: ['caas-default']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:default-psp
+roleRef:
+  kind: ClusterRole
+  name: caas:default-psp
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+# Authorize system:nodes group to be able to create mirror pods
+- kind: Group
+  apiGroup: rbac.authorization.k8s.io
+  name: system:nodes
+- kind: Group
+  apiGroup: rbac.authorization.k8s.io
+  name: system:serviceaccounts
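Review bot: The `caas-default` policy lists `'hostPath'` under `volumes` with no `allowedHostPaths` restriction and is bound to the `system:serviceaccounts` group, so any pod in any namespace may mount arbitrary host directories read-write; together with `runAsUser: RunAsAny` and `allowPrivilegeEscalation: true` that is equivalent to root on the node for anyone who can create a pod, and the `privileged: false` line buys nothing. Drop `- 'hostPath'` from the baseline policy (or constrain it with `allowedHostPaths` entries marked `readOnly: true`), set `allowPrivilegeEscalation: false`, and consider `runAsUser: {rule: MustRunAsNonRoot}`; the infra policy in this same change already covers the components that genuinely need host access. `apiVersion: extensions/v1beta1` for PodSecurityPolicy and `apiGroups: ['extensions']` in the ClusterRole are the deprecated locations; `policy/v1beta1` and `['policy']` are the supported ones.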
diff --git a/rbac_manifests/caas-infra-psp.yaml b/rbac_manifests/caas-infra-psp.yaml
new file mode 100644 (file)
index 0000000..8392e87
--- /dev/null
@@ -0,0 +1,77 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: caas-infra
+spec:
+  privileged: true
+  readOnlyRootFilesystem: false
+  hostNetwork: true
+  hostPorts:
+  - min: 0
+    max: 65535
+  volumes:
+    - 'emptyDir'
+    - 'hostPath'
+    - 'persistentVolumeClaim'
+    - 'configMap'
+    - 'secret'
+    - 'rbd'
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+  allowedCapabilities:
+    - NET_BIND_SERVICE
+    - ALL
+    - IPC_LOCK
+    - SYS_RESOURCE
+    - SYS_PTRACE
+    - SYS_ADMIN
+    - NET_ADMIN
+    - NET_RAW
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: caas:infra-psp
+rules:
+- apiGroups:     ['extensions']
+  resources:     ['podsecuritypolicies']
+  verbs:         ['use']
+  resourceNames: ['caas-infra']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:infra-psp
+roleRef:
+  kind: ClusterRole
+  name: caas:infra-psp
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+# Authorize system:nodes group to be able to create mirror pods
+- kind: Group
+  apiGroup: rbac.authorization.k8s.io
+  name: system:nodes
+- kind: ServiceAccount
+  name: default
+  namespace: kube-system
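Review bot: In `allowedCapabilities` the `ALL` entry already grants every capability, so the seven named entries around it are dead text that obscures what the policy actually allows; either keep just `- ALL` with a comment, or drop `ALL` and keep the explicit list if the intent was to bound the set. The last subject grants this fully privileged policy (`privileged: true`, `hostNetwork: true`, unrestricted `hostPath`, host ports 0-65535) to the `default` service account of `kube-system`, which any pod created there without an explicit `serviceAccountName` receives; if that is deliberate it deserves a comment, otherwise bind only the named service accounts the other manifests create. `hostPID` and `hostIPC` are left unset here (so false), which is fine, but stating them explicitly as the default policy does makes the two policies comparable.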
diff --git a/rbac_manifests/cpudp-rbac-config.yml b/rbac_manifests/cpudp-rbac-config.yml
new file mode 100644 (file)
index 0000000..cbc9cd8
--- /dev/null
@@ -0,0 +1,66 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cpu-device-plugin
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: caas:cpu-device-plugin
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:cpu-device-plugin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: caas:cpu-device-plugin
+subjects:
+- kind: ServiceAccount
+  name: cpu-device-plugin
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:cpu-device-plugin-psp
+subjects:
+- kind: ServiceAccount
+  name: cpu-device-plugin
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: caas:infra-psp
+  apiGroup: rbac.authorization.k8s.io
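Review bot: The final binding grants `cpu-device-plugin` the `caas:infra-psp` policy, i.e. `privileged: true` and host networking, while the ClusterRole above is deliberately read-only (`get`/`list` on pods and nodes); a device plugin usually needs only a `hostPath` to the kubelet plugin socket directory, so a narrower per-component policy would keep the least-privilege intent of the RBAC part. If privileged mode really is required, a one-line comment next to the binding saying why (`# privileged: needs … `) would stop reviewers from re-asking. The same pattern repeats in the cpu-setter manifest.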
diff --git a/rbac_manifests/cpusetter-rbac-config.yml b/rbac_manifests/cpusetter-rbac-config.yml
new file mode 100644 (file)
index 0000000..7cd170a
--- /dev/null
@@ -0,0 +1,67 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cpu-setter
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: caas:cpu-setter
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:cpu-setter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: caas:cpu-setter
+subjects:
+- kind: ServiceAccount
+  name: cpu-setter
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:cpu-setter-psp
+subjects:
+- kind: ServiceAccount
+  name: cpu-setter
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: caas:infra-psp
+  apiGroup: rbac.authorization.k8s.io
diff --git a/rbac_manifests/custom-metrics-apiserver-rbac.yaml b/rbac_manifests/custom-metrics-apiserver-rbac.yaml
new file mode 100644 (file)
index 0000000..05dc74f
--- /dev/null
@@ -0,0 +1,89 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: custom-metrics-apiserver
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: caas:custom-metrics-server-resource-reader
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  - pods
+  - services
+  verbs:
+  - get
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: caas:custom-metrics-server:extension-apiserver-authentication-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+  name: custom-metrics-apiserver
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:custom-metrics-server:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: custom-metrics-apiserver
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:custom-metrics-server-psp
+subjects:
+- kind: ServiceAccount
+  name: custom-metrics-apiserver
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: caas:infra-psp
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: caas:custom-metrics-server:custom-apiserver-resource-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: caas:custom-metrics-server-resource-reader
+subjects:
+- kind: ServiceAccount
+  name: custom-metrics-apiserver
+  namespace: kube-system
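Review bot: The file mixes `rbac.authorization.k8s.io/v1beta1` (the ClusterRole at the top and the `system:auth-delegator` ClusterRoleBinding) with `rbac.authorization.k8s.io/v1` for the other objects; `v1` has been GA since 1.8 and the beta version is deprecated, so use `apiVersion: rbac.authorization.k8s.io/v1` throughout. The last RoleBinding in `kube-system` references the `caas:custom-metrics-server-resource-reader` ClusterRole, which scopes its `namespaces`/`pods`/`services` read access to the `kube-system` namespace only; if the adapter is meant to serve metrics for workload namespaces this presumably needs to be a ClusterRoleBinding, and if the namespace scoping is intentional a comment saying so would prevent someone "fixing" it later.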
diff --git a/rbac_manifests/danm-rbac-config.yaml b/rbac_manifests/danm-rbac-config.yaml
new file mode 100644 (file)
index 0000000..a08796f
--- /dev/null
@@ -0,0 +1,42 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: caas:danm
+rules:
+  - apiGroups:
+    - danm.k8s.io
+    resources:
+    - danmnets
+    - danmeps
+    verbs: [ "*" ]
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ "get","watch","list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: caas:danm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: caas:danm
+subjects:
+  - kind: User
+    apiGroup: rbac.authorization.k8s.io
+    name: danm
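Review bot: `verbs: [ "*" ]` on `danmnets` and `danmeps` grants the `danm` user every current and future verb on those resources, including `deletecollection`; a CNI plugin's needs are bounded, so spell them out (for example `verbs: ["get", "list", "watch", "create", "update", "delete"]`) the way the `svcwatcher` manifest in this change already does. Both objects use `rbac.authorization.k8s.io/v1beta1` while most other manifests use `v1`; the beta API is deprecated. Since the subject is a `User` rather than a ServiceAccount, a comment noting where the `danm` identity comes from (presumably a client certificate issued by the cert role) would help whoever audits bindings later.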
diff --git a/rbac_manifests/flannel-rbac-config.yml b/rbac_manifests/flannel-rbac-config.yml
new file mode 100644 (file)
index 0000000..afb1b78
--- /dev/null
@@ -0,0 +1,71 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: flannel
+  namespace: kube-system
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: caas:flannel
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes/status
+    verbs:
+      - patch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: caas:flannel
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: caas:flannel
+subjects:
+  - kind: ServiceAccount
+    name: flannel
+    namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:flannel-psp
+subjects:
+- kind: ServiceAccount
+  name: flannel
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: caas:infra-psp
+  apiGroup: rbac.authorization.k8s.io
diff --git a/rbac_manifests/fluentd-rbac-config.yml b/rbac_manifests/fluentd-rbac-config.yml
new file mode 100644 (file)
index 0000000..4d6832d
--- /dev/null
@@ -0,0 +1,63 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    k8s-app: fluentd
+  name: fluentd
+  namespace: kube-system
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: caas:fluentd
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - "namespaces"
+      - "pods"
+    verbs:
+      - "list"
+      - "get"
+      - "watch"
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: caas:fluentd
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: caas:fluentd
+subjects:
+- kind: ServiceAccount
+  name: fluentd
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:fluentd-psp
+subjects:
+- kind: ServiceAccount
+  name: fluentd
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: caas:infra-psp
+  apiGroup: rbac.authorization.k8s.io
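Review bot: The `caas:fluentd-psp` binding at the bottom gives a log shipper the `caas:infra-psp` policy (`privileged: true`, `hostNetwork: true`, every capability); fluentd reading container logs needs a `hostPath` mount of the log directories, typically read-only, and nothing else, so a dedicated policy with `allowedHostPaths` for those paths and `readOnly: true` would shrink the blast radius considerably if the agent image is compromised. The ClusterRole itself is appropriately read-only; the two `v1beta1` objects should become `rbac.authorization.k8s.io/v1` to match the rest of the file.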
diff --git a/rbac_manifests/kubedns-rbac-config.yml b/rbac_manifests/kubedns-rbac-config.yml
new file mode 100644 (file)
index 0000000..0cd6967
--- /dev/null
@@ -0,0 +1,60 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-dns
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: caas:kube-dns
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  - services
+  verbs:
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:kube-dns
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: caas:kube-dns
+subjects:
+- kind: ServiceAccount
+  name: kube-dns
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:kube-dns-psp
+subjects:
+- kind: ServiceAccount
+  name: kube-dns
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: caas:infra-psp
+  apiGroup: rbac.authorization.k8s.io
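Review bot: `kube-dns` is bound to `caas:infra-psp` in the last object, but DNS pods need no host network, host paths or privileged mode; the `caas-default` policy defined in this change (already granted to every service account) is sufficient, so this binding can be dropped, removing one unnecessary privileged path from `kube-system`. If it was added to work around a specific failure, a comment naming that failure would be better than a silent escalation.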
diff --git a/rbac_manifests/kubernetes-bootstrap-crb.yml b/rbac_manifests/kubernetes-bootstrap-crb.yml
new file mode 100644 (file)
index 0000000..61296b5
--- /dev/null
@@ -0,0 +1,27 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kubelet-bootstrap-cbr
+subjects:
+- kind: Group
+  name: system:bootstrappers
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: system:node-bootstrapper
+  apiGroup: rbac.authorization.k8s.io
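Review bot: The binding name `kubelet-bootstrap-cbr` looks like a transposition of `crb`, the suffix the sibling filenames use (`auto-approve-crb.yml`, `auto-renew-crb.yml`); renaming it to `kubelet-bootstrap-crb` now costs nothing, whereas once the object exists in clusters a rename means a delete/create. The binding itself is the standard TLS-bootstrapping grant for the `system:bootstrappers` group.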
diff --git a/rbac_manifests/metrics-server-rbac.yaml b/rbac_manifests/metrics-server-rbac.yaml
new file mode 100644 (file)
index 0000000..cf69a75
--- /dev/null
@@ -0,0 +1,98 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: metrics-apiserver
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: caas:metrics-server:extension-apiserver-authentication-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+  name: metrics-apiserver
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: caas:metrics-server
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - nodes
+  - nodes/stats
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - "extensions"
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:metrics-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: caas:metrics-server
+subjects:
+- kind: ServiceAccount
+  name: metrics-apiserver
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:metrics-server:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: metrics-apiserver
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:metrics-apiserver-psp
+subjects:
+- kind: ServiceAccount
+  name: metrics-apiserver
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: caas:infra-psp
+  apiGroup: rbac.authorization.k8s.io
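Review bot: The ClusterRole grants `deployments` under `apiGroups: "extensions"`, the deprecated location; Deployments have been served from `apps` since 1.9 and the `extensions` path was removed in 1.16, so use `- apps` (or both during a transition). The `system:auth-delegator` binding is on `rbac.authorization.k8s.io/v1beta1` while the rest of the file is `v1`; make them consistent. The server is also bound to `caas:infra-psp`, which is more than a metrics aggregator needs — `nodes/stats` already gives it the kubelet summary API, and a non-privileged policy without host access would do.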
diff --git a/rbac_manifests/netwatcher-rbac-config.yml b/rbac_manifests/netwatcher-rbac-config.yml
new file mode 100644 (file)
index 0000000..fae1c23
--- /dev/null
@@ -0,0 +1,63 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: netwatcher
+  namespace: kube-system
+  labels:
+      kubernetes.io/cluster-service: "true"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: caas:netwatcher
+rules:
+- apiGroups:
+  - "danm.k8s.io"
+  resources:
+  - danmnets
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:netwatcher
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: caas:netwatcher
+subjects:
+- kind: ServiceAccount
+  namespace: kube-system
+  name: netwatcher
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:netwatcher-psp
+subjects:
+- kind: ServiceAccount
+  name: netwatcher
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: caas:infra-psp
+  apiGroup: rbac.authorization.k8s.io
diff --git a/rbac_manifests/prometheus-rbac.yaml b/rbac_manifests/prometheus-rbac.yaml
new file mode 100644 (file)
index 0000000..bda6aee
--- /dev/null
@@ -0,0 +1,67 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prometheus
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: caas:prometheus
+rules:
+- apiGroups: [""]
+  resources:
+  - nodes
+  - nodes/proxy
+  - services
+  - endpoints
+  - pods
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses
+  verbs: ["get", "list", "watch"]
+- nonResourceURLs: ["/metrics"]
+  verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:prometheus
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: caas:prometheus
+subjects:
+- kind: ServiceAccount
+  name: prometheus
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:prometheus-psp
+subjects:
+- kind: ServiceAccount
+  name: prometheus
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: caas:infra-psp
+  apiGroup: rbac.authorization.k8s.io
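Review bot: `nodes/proxy` with `get` lets the prometheus service account reach every read endpoint of every kubelet through the API-server proxy (pod lists, container logs, `/metrics`), not only the metrics it scrapes; that is the common Prometheus setup, but it deserves a comment, and if kubelets are scraped directly on their own port the rule can be narrowed to `nodes/metrics`. The two `v1beta1` RBAC objects should be `rbac.authorization.k8s.io/v1`, and the `caas:infra-psp` binding gives Prometheus privileged mode and host networking it does not need; the default policy is enough for it.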
diff --git a/rbac_manifests/svcwatcher-rbac-config.yml b/rbac_manifests/svcwatcher-rbac-config.yml
new file mode 100644 (file)
index 0000000..d827b72
--- /dev/null
@@ -0,0 +1,87 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: svcwatcher
+  namespace: kube-system
+  labels:
+      kubernetes.io/cluster-service: "true"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: caas:svcwatcher
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - list
+  - watch
+  - get
+  - update
+  - create
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - pods
+  verbs:
+  - list
+  - watch
+  - get
+- apiGroups:
+  - "danm.k8s.io"
+  resources:
+  - danmnets
+  - danmeps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:svcwatcher
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: caas:svcwatcher
+subjects:
+- kind: ServiceAccount
+  namespace: kube-system
+  name: svcwatcher
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:svcwatcher-psp
+subjects:
+- kind: ServiceAccount
+  name: svcwatcher
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: caas:infra-psp
+  apiGroup: rbac.authorization.k8s.io
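Review bot: The first rule gives `svcwatcher` cluster-wide `create`/`update`/`delete` on `endpoints`; write access to Endpoints in every namespace lets the holder redirect traffic of arbitrary Services (including `kubernetes` in `default`), so a compromised svcwatcher pod is effectively an in-cluster man-in-the-middle. If the component only manages endpoints it creates itself, a comment stating that and why the scope cannot be narrowed is warranted, and if it works in a fixed set of namespaces RoleBindings there would be preferable to a ClusterRoleBinding. As with the other infra components, the `caas:infra-psp` binding at the end should be justified in a comment or replaced with the default policy.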
diff --git a/rbac_manifests/tiller-rbac-config.yaml b/rbac_manifests/tiller-rbac-config.yaml
new file mode 100644 (file)
index 0000000..40715eb
--- /dev/null
@@ -0,0 +1,257 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tiller
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: caas:tiller
+rules:
+# copied from admin role, with some limits
+  - apiGroups:
+    - ""
+    resources:
+    - pods
+    - pods/attach
+    - pods/exec
+    - pods/portforward
+    - pods/proxy
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - configmaps
+    - endpoints
+    - persistentvolumeclaims
+    - replicationcontrollers
+    - replicationcontrollers/scale
+    - secrets
+    - serviceaccounts
+    - services
+    - services/proxy
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - bindings
+    - events
+    - limitranges
+    - namespaces/status
+    - pods/log
+    - pods/status
+    - replicationcontrollers/status
+    - resourcequotas
+    - resourcequotas/status
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - namespaces
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - apps
+    resources:
+    - daemonsets
+    - deployments
+    - deployments/rollback
+    - deployments/scale
+    - replicasets
+    - replicasets/scale
+    - statefulsets
+    - statefulsets/scale
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+  - apiGroups:
+    - autoscaling
+    resources:
+    - horizontalpodautoscalers
+    verbs:
+     - create
+     - delete
+     - deletecollection
+     - get
+     - list
+     - patch
+     - update
+     - watch
+  - apiGroups:
+    - batch
+    resources:
+    - cronjobs
+    - jobs
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+  - apiGroups:
+    - extensions
+    resources:
+    - daemonsets
+    - deployments
+    - deployments/rollback
+    - deployments/scale
+    - ingresses
+    - networkpolicies
+    - replicasets
+    - replicasets/scale
+    - replicationcontrollers/scale
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+  - apiGroups:
+    - policy
+    resources:
+    - poddisruptionbudgets
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+  - apiGroups:
+    - authorization.k8s.io
+    resources:
+    - localsubjectaccessreviews
+    verbs:
+    - create
+  - apiGroups:
+    - rbac.authorization.k8s.io
+    resources:
+    - rolebindings
+    - roles
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+  - apiGroups:
+    - apiregistration.k8s.io
+    resources:
+    - apiservices
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+  - apiGroups:
+    - danm.k8s.io
+    resources:
+    - danmnets
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+  - apiGroups:
+    - admissionregistration.k8s.io
+    resources:
+    - mutatingwebhookconfigurations
+    - validatingwebhookconfigurations
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - get
+    - list
+    - patch
+    - update
+    - watch
+     
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:tiller
+subjects:
+- kind: ServiceAccount
+  name: tiller
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: caas:tiller
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: caas:tiller-psp
+subjects:
+- kind: ServiceAccount
+  name: tiller
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: caas:infra-psp
+  apiGroup: rbac.authorization.k8s.io
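Review bot: The comment `# copied from admin role, with some limits` at L2038 does not say what the limits are, and because the rules are bound by the cluster-wide `caas:tiller` ClusterRoleBinding the namespace confinement that makes the built-in admin role "limited" does not apply: tiller gets full control of `secrets`, `pods/exec`, `pods/attach`, `roles` and `rolebindings` in all namespaces plus the cluster-scoped `apiservices` and mutating/validating webhook configurations. A comment that states the intended scope would let a later reviewer judge changes to this list, e.g. `# Based on the built-in admin ClusterRole but granted cluster-wide; additionally covers apiservices, danmnets and admission webhooks. Dropped vs admin: <list>`. Two layout points in the same hunk: L2242 is a whitespace-only line that should be removed, and the `autoscaling` verbs at L2126–L2133 are indented one space deeper than every other rule's verbs.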
diff --git a/rpmbuild.spec b/rpmbuild.spec
new file mode 100644 (file)
index 0000000..ff5b344
--- /dev/null
@@ -0,0 +1,70 @@
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+%define COMPONENT security
+%define RPM_NAME caas-%{COMPONENT}
+%define RPM_MAJOR_VERSION 1.0.0
+%define RPM_MINOR_VERSION 1
+%define RBAC_MANIFEST_DIR /var/lib/caas/rbac_manifests/
+
+Name:           %{RPM_NAME}
+Version:        %{RPM_MAJOR_VERSION}
+Release:        %{RPM_MINOR_VERSION}%{?dist}
+Summary:        Containers as a Service security related playbooks + manifests
+License:        %{_platform_license}
+BuildArch:      x86_64
+Vendor:         %{_platform_vendor}
+Source0:        %{name}-%{version}.tar.gz
+
+%description
+This rpm contains the necessary security related playbooks + manifests for the caas subsystem.
+
+%prep
+%autosetup
+
+%build
+
+%install
+mkdir -p %{buildroot}/%{RBAC_MANIFEST_DIR}/
+rsync -av rbac_manifests/* %{buildroot}/%{RBAC_MANIFEST_DIR}/
+
+mkdir -p %{buildroot}/%{_playbooks_path}/
+rsync -av ansible/playbooks/* %{buildroot}/%{_playbooks_path}/
+
+mkdir -p %{buildroot}/%{_roles_path}/
+rsync -av ansible/roles/* %{buildroot}/%{_roles_path}/
+
+%files
+%{RBAC_MANIFEST_DIR}/*
+%{_playbooks_path}/*
+%{_roles_path}/*
+
+
+%preun
+
+%post
+mkdir -p %{_postconfig_path}/
+ln -sf %{_playbooks_path}/rbac.yaml     %{_postconfig_path}
+ln -sf %{_playbooks_path}/security.yaml %{_postconfig_path}
+
+
+%postun
+if [ $1 -eq 0 ]; then
+    rm -f %{_postconfig_path}/rbac.yaml
+    rm -f %{_postconfig_path}/security.yaml
+fi
+
+
+%clean
+rm -rf ${buildroot}
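Review bot: `%clean` removes `${buildroot}`, a shell variable that rpmbuild does not set, rather than the `%{buildroot}` macro that `%install` uses three times above; with GNU rm, `rm -rf` and an empty operand list exits 0 silently, so the section is a no-op and the build root is left behind without any error. The line should read `rm -rf %{buildroot}` (or the section can be dropped, since current rpmbuild cleans the build root itself). The empty `%preun` at L2327 could likewise be removed. Also, `%files` packages only the contents of the three directories via `/*`, so the directories themselves are not owned by the package and will presumably remain after uninstall; listing the directories without the glob would fix that.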