From c177c44e5d4c49eeb51b44487a614b865f8bf002 Mon Sep 17 00:00:00 2001 From: "Szekeres, Balazs (Nokia - HU/Budapest)" Date: Thu, 2 May 2019 14:07:07 +0200 Subject: [PATCH] Added seed code for caas-security. Added seed code for caas-security. Change-Id: I206543bc11d68300fd205e3194beae8eb65c66dc 
Signed-off-by: Szekeres, Balazs (Nokia - HU/Budapest) --- LICENSE | 179 ++++++++++++++ ansible/playbooks/rbac.yaml | 22 ++ ansible/playbooks/security.yaml | 24 ++ ansible/roles/cert/tasks/main.yml | 153 ++++++++++++ ansible/roles/cert/templates/node.conf.j2 | 35 +++ ansible/roles/cert/vars/main.yml | 23 ++ ansible/roles/creategroup/tasks/main.yml | 20 ++ ansible/roles/createuser/tasks/main.yml | 26 +++ ansible/roles/hardening/tasks/hardening.yaml | 112 +++++++++ ansible/roles/hardening/tasks/main.yml | 53 +++++ ansible/roles/hardening/templates/docker.rules | 23 ++ ansible/roles/hardening/templates/hardened_path.sh | 23 ++ ansible/roles/rbac/tasks/main.yml | 21 ++ ansible/roles/security/tasks/main.yml | 98 ++++++++ rbac_manifests/auto-approve-crb.yml | 27 +++ rbac_manifests/auto-renew-crb.yml | 27 +++ rbac_manifests/caas-default-psp.yaml | 69 ++++++ rbac_manifests/caas-infra-psp.yaml | 77 ++++++ rbac_manifests/cpudp-rbac-config.yml | 66 ++++++ rbac_manifests/cpusetter-rbac-config.yml | 67 ++++++ rbac_manifests/custom-metrics-apiserver-rbac.yaml | 89 +++++++ rbac_manifests/danm-rbac-config.yaml | 42 ++++ rbac_manifests/flannel-rbac-config.yml | 71 ++++++ rbac_manifests/fluentd-rbac-config.yml | 63 +++++ rbac_manifests/kubedns-rbac-config.yml | 60 +++++ rbac_manifests/kubernetes-bootstrap-crb.yml | 27 +++ rbac_manifests/metrics-server-rbac.yaml | 98 ++++++++ rbac_manifests/netwatcher-rbac-config.yml | 63 +++++ rbac_manifests/prometheus-rbac.yaml | 67 ++++++ rbac_manifests/svcwatcher-rbac-config.yml | 87 +++++++ rbac_manifests/tiller-rbac-config.yaml | 257 +++++++++++++++++++++ rpmbuild.spec | 70 ++++++ 32 files changed, 2139 insertions(+) create mode 100644 LICENSE create mode 100644 ansible/playbooks/rbac.yaml create mode 100644 ansible/playbooks/security.yaml create mode 100644 ansible/roles/cert/tasks/main.yml create mode 100644 ansible/roles/cert/templates/node.conf.j2 create mode 100644 ansible/roles/cert/vars/main.yml create mode 100644 
ansible/roles/creategroup/tasks/main.yml create mode 100644 ansible/roles/createuser/tasks/main.yml create mode 100644 ansible/roles/hardening/tasks/hardening.yaml create mode 100644 ansible/roles/hardening/tasks/main.yml create mode 100644 ansible/roles/hardening/templates/docker.rules create mode 100644 ansible/roles/hardening/templates/hardened_path.sh create mode 100644 ansible/roles/rbac/tasks/main.yml create mode 100644 ansible/roles/security/tasks/main.yml create mode 100644 rbac_manifests/auto-approve-crb.yml create mode 100644 rbac_manifests/auto-renew-crb.yml create mode 100644 rbac_manifests/caas-default-psp.yaml create mode 100644 rbac_manifests/caas-infra-psp.yaml create mode 100644 rbac_manifests/cpudp-rbac-config.yml create mode 100644 rbac_manifests/cpusetter-rbac-config.yml create mode 100644 rbac_manifests/custom-metrics-apiserver-rbac.yaml create mode 100644 rbac_manifests/danm-rbac-config.yaml create mode 100644 rbac_manifests/flannel-rbac-config.yml create mode 100644 rbac_manifests/fluentd-rbac-config.yml create mode 100644 rbac_manifests/kubedns-rbac-config.yml create mode 100644 rbac_manifests/kubernetes-bootstrap-crb.yml create mode 100644 rbac_manifests/metrics-server-rbac.yaml create mode 100644 rbac_manifests/netwatcher-rbac-config.yml create mode 100644 rbac_manifests/prometheus-rbac.yaml create mode 100644 rbac_manifests/svcwatcher-rbac-config.yml create mode 100644 rbac_manifests/tiller-rbac-config.yaml create mode 100644 rpmbuild.spec diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..4959a5e --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,179 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + diff --git a/ansible/playbooks/rbac.yaml b/ansible/playbooks/rbac.yaml new file mode 100644 index 0000000..1c98cee --- /dev/null +++ b/ansible/playbooks/rbac.yaml @@ -0,0 +1,22 @@ +--- +# Copyright 2019 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# cmframework.requires: master_kube_proxy.yaml +- hosts: caas_master + strategy: free + become: true + become_user: "root" + roles: + - role: rbac diff --git a/ansible/playbooks/security.yaml b/ansible/playbooks/security.yaml new file mode 100644 index 0000000..28cd78e --- /dev/null +++ b/ansible/playbooks/security.yaml @@ -0,0 +1,24 @@ +--- +# Copyright 2019 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# cmframework.requires: common.yaml +- hosts: caas_nodes + strategy: free + become: true + become_user: "root" + roles: + - role: security + - role: hardening + 
diff --git a/ansible/roles/cert/tasks/main.yml b/ansible/roles/cert/tasks/main.yml new file mode 100644 index 0000000..a23996c --- /dev/null +++ b/ansible/roles/cert/tasks/main.yml 
@@ -0,0 +1,153 @@ +--- +# Copyright 2019 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: template node.conf + template: + src: "node.conf.j2" + dest: /etc/openssl/node.conf + mode: 0000 + +- name: check instance cert directory + stat: + path: "{{ cert_path }}/ca.pem" + register: cert_path_register + +- name: create cert directory + file: + name: "{{ cert_path }}" + state: directory + when: not cert_path_register.stat.exists + +# The 'create cert directory' and 'changing permissions of cert directory' tasks cannot merged together! +# Since 'state: directory' creates the directory recursively. +# So, if cert_path is e.g: /etc/kubernetes/ssl, then /etc/kubernetes would get 700 as it's permisson. +# And in that case the admin user would get access denied for the /etc/kubernetes folder. 
+- name: changing permissions of cert directory + file: + path: "{{ cert_path }}" + mode: 0700 + when: not cert_path_register.stat.exists + +- name: adding default acl read to {{ users.admin_user_name }} to {{ cert_path }} + acl: + default: yes + name: "{{ cert_path }}" + entity: "{{ users.admin_user_name }}" + etype: user + permissions: rx + recursive: yes + state: present + +- name: adding acl read to {{ users.admin_user_name }} to {{ cert_path }} + acl: + name: "{{ cert_path }}" + entity: "{{ users.admin_user_name }}" + etype: user + permissions: rx + recursive: yes + state: present + +- name: check instance cert + stat: + path: "{{ cert_path }}/{{ _cert }}" + register: cert + +- name: copy CA to {{ cert_path }} + copy: + src: "/etc/openssl/ca.pem" + dest: "{{ cert_path }}/ca.pem" + when: not cert_path_register.stat.exists + +- name: generate instance certificate + command: "{{ item }}" + with_items: + - "/usr/bin/openssl genrsa -out {{ _key }} 2048" + - "/usr/bin/openssl req -new -key {{ _key }} -out {{ instance }}.csr -subj '{{ _subject }}' {% if _common_key is sameas false %} -config /etc/openssl/{{ _conf_file }} {% endif %} -sha256" + - "/usr/bin/openssl x509 -req -in {{ instance }}.csr -CA ca.pem -CAserial {{ instance }}.slr -CAkey /etc/openssl/ca-key.pem -CAcreateserial -out {{ _cert }} -days {{ _expiry }} -extensions v3_req -extfile /etc/openssl/{{ _conf_file }} -sha256" + args: + chdir: "{{ cert_path }}" + when: not cert.stat.exists + +- name: reducing permission of key file and cert file + file: + path: "{{ cert_path }}/{{ item }}" + mode: 0000 + with_items: + - "{{ _key }}" + - "{{ _cert }}" + when: not cert.stat.exists + +- name: remove cert request and serial file + file: + path: "{{ cert_path }}/{{ item }}" + state: absent + with_items: + - "{{ instance }}.csr" + - "{{ instance }}.slr" + when: not cert.stat.exists + +- name: setting ca.pem permission + file: + path: "{{ cert_path }}/ca.pem" + mode: 0000 + when: not cert_path_register.stat.exists + 
+- name: adding default acl read to {{ users.admin_user_name }} to {{ cert_path }}/ca.epm + acl: + name: "{{ cert_path }}/ca.pem" + entity: "{{ users.admin_user_name }}" + etype: user + permissions: rx + state: present + +- name: allowing users to access keys + acl: + name: "{{ item[0] }}" + entity: "{{ item[1] }}" + etype: user + permissions: "r" + state: present + with_nested: + - [ "{{ cert_path }}/{{ _key }}", "{{ cert_path }}/{{ _cert }}", "{{ cert_path }}/ca.pem" ] + - "{{ add_users | default([]) }}" + +- name: adding exec flag to {{ cert_path }} directory for users + acl: + name: "{{ cert_path }}" + entity: "{{ item }}" + etype: user + permissions: "rx" + state: present + with_items: "{{ add_users | default([]) }}" + +- name: create kubeconfig from cert + include_role: + name: kubeconfig + vars: + config: + path: "{{ item.path }}" + owner: "{{ item.owner | default('root') }}" + group: "{{ item.group | default('root') }}" + restricted: "{{ item.restricted | default(true) }}" + user: "{{ _cn }}" + cert: "{{ cert_path }}/{{ _cert }}" + key: "{{ cert_path }}/{{ _key }}" + apiserver: "{{ item.apiserver }}" + apiserver_port: "{{ item.apiserver_port }}" + add_users: "{{ add_users | default([]) }}" + with_items: "{{ kube_conf | default([]) }}" + +- name: force IO to write data to disk + shell: "sync" diff --git a/ansible/roles/cert/templates/node.conf.j2 b/ansible/roles/cert/templates/node.conf.j2 new file mode 100644 index 0000000..75389aa --- /dev/null +++ b/ansible/roles/cert/templates/node.conf.j2 
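Review bot: `generate instance certificate` writes `{{ _key }}` with `openssl genrsa` under whatever umask the play runs with, and the mode is only dropped to 0000 by the separate `reducing permission of key file and cert file` task that follows; the directory chmod to 0700 runs only when `cert_path` was just created, so on a pre-existing, more permissive directory and an OpenSSL build that does not create private keys 0600 the key is briefly readable by others. Switching the task to `shell` and prefixing the key generation with `umask 077 && /usr/bin/openssl genrsa -out {{ _key }} 2048` closes that window. The same task reads the CA private key from `/etc/openssl/ca-key.pem` on the node itself, which means every host this role runs on holds the CA key; a comment stating that this is intended (and on which hosts) would help the next reviewer. `remove cert request and serial file` also deletes the `.slr` serial file, so nothing tracks serials across re-issues — presumably acceptable because `-CAcreateserial` picks a fresh serial each time, but worth a one-line comment.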
@@ -0,0 +1,35 @@ +{# +Copyright 2019 Nokia + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +#} +[req] +req_extensions = v3_req +distinguished_name = req_distinguished_name +[req_distinguished_name] +[ v3_req ] +basicConstraints = critical, CA:FALSE +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, serverAuth +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +{% if _alt_names.dns | default([]) or _alt_names.ip | default([]) %} +subjectAltName = @alt_names +[alt_names] +{% for element in _alt_names.dns | default([]) %} +DNS.{{loop.index}} = {{ element }} +{% endfor %} +{% for element in _alt_names.ip | default([]) %} +IP.{{loop.index}} = {{ element }} +{% endfor %} +{% endif %} diff --git a/ansible/roles/cert/vars/main.yml b/ansible/roles/cert/vars/main.yml new file mode 100644 index 0000000..50c63df --- /dev/null +++ b/ansible/roles/cert/vars/main.yml 
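Review bot: `extendedKeyUsage = clientAuth, serverAuth` is stamped on every certificate this template signs, so a key issued for a server endpoint is also a valid client identity for `CN={{ _cn }}`, and the cert role hands that CN to the kubeconfig role as the user name; if any RBAC binding refers to that CN, whoever holds a server key can act as it. Making the EKU overridable keeps today's default while letting single-purpose certs narrow it: `extendedKeyUsage = {{ _eku | default('clientAuth, serverAuth') }}` (with a matching `_eku` entry in vars/main.yml). A short comment above `[ v3_req ]` noting that the section serves both as `req_extensions` for the CSR and as the `-extfile` section at signing time would explain why `authorityKeyIdentifier` appears in a request config.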
@@ -0,0 +1,23 @@ +--- +# Copyright 2019 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +_cert: "{{ cert_name | default(instance + '.pem') }}" +_key: "{{ key_name | default(instance + '-key.pem') }}" +_cn: "{{ common_name | default('crf-' + instance) }}" +_org: "{{ org_name | default('') }}" +_conf_file: "{{ conf_file | default('node.conf') }}" +_expiry: "{{ cert_expiry | default('1825') }}" +_subject: "/CN={{ _cn }}{% if _org %}/O={{ _org }}{% endif %}" +_alt_names: "{{ alt_names | default( {'dns':[], 'ip':[]} ) }}" diff --git a/ansible/roles/creategroup/tasks/main.yml b/ansible/roles/creategroup/tasks/main.yml new file mode 100644 index 0000000..427a08b --- /dev/null +++ b/ansible/roles/creategroup/tasks/main.yml @@ -0,0 +1,20 @@ +--- +# Copyright 2019 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: create group + group: + name: "{{ _name }}" + state: present + gid: "{{ _gid }}" 
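Review bot: `_expiry` defaults to 1825 days, so every instance certificate issued through this role is valid for five years with no renewal path in this change, and because node.conf.j2 adds `clientAuth` a leaked key stays usable as an API identity for that whole period. Consider a shorter default, e.g. `_expiry: "{{ cert_expiry | default('365') }}"`, or at least a comment stating why five years was chosen and how rotation is expected to happen. `_cn` defaulting to `crf-<instance>` is the value the cert role passes to the kubeconfig role as `user`, so a comment such as `# _cn becomes the Kubernetes user name in generated kubeconfigs; RBAC subjects must match it` would make that coupling visible to whoever edits this file.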
diff --git a/ansible/roles/createuser/tasks/main.yml b/ansible/roles/createuser/tasks/main.yml
new file mode 100644
index 0000000..0b655c7
--- /dev/null
+++ b/ansible/roles/createuser/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: create user
+ user:
+ name: "{{ _name }}"
+ state: present
+ group: "{{ _group }}"
+ groups: "{{ _groups }}"
+ uid: "{{ _uid }}"
+ shell: "{{ _shell }}"
+ home: "{{ _home | default('/dev/null') }}"
+ createhome: "{{ _home is defined | ternary('yes', 'no') }}"
+ password: "{{ _password | default('') }}"
diff --git a/ansible/roles/hardening/tasks/hardening.yaml b/ansible/roles/hardening/tasks/hardening.yaml
new file mode 100644
index 0000000..3fd1c64
--- /dev/null
+++ b/ansible/roles/hardening/tasks/hardening.yaml
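Review bot: `password: "{{ _password | default('') }}"` writes an empty password field for any user created without `_password`, and on Linux an empty shadow field is not a locked account — PAM stacks configured with `nullok` (the CentOS/RHEL `system-auth` default) will let such a user authenticate with no password at all. The `user` module expects an already-crypted hash here and documents `!` or `*` for a locked password, so the default should be `password: "{{ _password | default('!') }}"`. Add a comment for callers as well, e.g. `# _password must be a crypt(3) hash (never plaintext); omit it to create a locked account`. `home: /dev/null` with `createhome: no` looks intentional for service accounts, but a one-line comment saying so would stop a future reader from "fixing" it.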
@@ -0,0 +1,112 @@ +--- +# Copyright 2019 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: set /etc/openssl directory with proper rights + file: + path: /etc/openssl + state: directory + mode: 0755 + +- name: templating path hardener profile.d script + template: + src: hardened_path.sh + dest: /etc/profile.d/hardened_path.sh + mode: 0644 + +- name: removing root spool/mail if exists + file: + path: /var/spool/mail/root + state: absent + +- name: creating root spool/mail + file: + path: /var/spool/mail/root + state: directory + mode: 0660 + owner: root + group: mail + +- name: removing unused users + user: + name: "{{ item }}" + state: absent + remove: yes # deletes home, spool etc + ignore_errors: yes # sometimes spool not exists, sometimes group is not primary. 
+ with_items: + - "lp" + - "operator" + - "games" + - "ftp" + +- name: remove not needed user groups + group: + name: "{{ item }}" + state: absent + with_items: + - "cdrom" + - "floppy" + - "games" + - "tape" + +- name: system uids to 999 instead of 199 + replace: + dest: /etc/profile + regexp: 'if \[ \$UID -gt 199 \]' + replace: 'if [ $UID -gt 999 ]' + +- name: Removing home per bin from path in skeleton and in the already existing root + lineinfile: + dest: "{{ item }}" + state: absent + regexp: '^PATH=.*$HOME/bin' + with_items: + - /etc/skel/.bash_profile + - /root/.bash_profile + +- name: create /etc/cron.allow with root + copy: + content: 'root' + dest: /etc/cron.allow + owner: root + group: root + mode: 0600 + force: yes + +- name: remove linked files + file: + path: "{{ item }}" + state: absent + with_items: + - /etc/prelink.conf.d/fipscheck.conf + - /etc/prelink.conf.d/grub2.conf + - /etc/prelink.conf.d/nss-softokn-prelink.conf + +- name: change auditd config + lineinfile: + dest: /etc/audit/auditd.conf + state: present + regexp: '^ *{{ item.key }} *=.+$' + line: '{{ item.key }} = {{ item.val }}' + with_items: + - key: num_logs + val: 10 + - key: max_log_file + val: 15 + +- name: No root login access on terminals /etc/securetty + copy: + content: 'console' + dest: /etc/securetty + force: yes diff --git a/ansible/roles/hardening/tasks/main.yml b/ansible/roles/hardening/tasks/main.yml new file mode 100644 index 0000000..00d6c20 --- /dev/null +++ b/ansible/roles/hardening/tasks/main.yml 
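Review bot: `set /etc/openssl directory with proper rights` makes `/etc/openssl` world-traversable (0755), yet the cert role reads the CA private key from `/etc/openssl/ca-key.pem` and nothing in this change tightens that file — it is not in the security role's 0600 list either — so the directory mode is only safe if the key already happens to be 0600. Only root needs the directory (node.conf is written with mode 0000 and ca.pem is copied to `cert_path` for other users), so `mode: 0700` is the safer setting; alternatively add `/etc/openssl/ca-key.pem` to the stat-guarded 0600 list. `removing unused users` uses `ignore_errors: yes`, which hides real failures as well as the missing-spool case the comment describes; a `failed_when` tied to the specific error, or a `getent` check first, keeps the best-effort intent. `creating root spool/mail` creates a *directory* at /var/spool/mail/root with mode 0660 — if the purpose is to block local mail delivery to root, say so in a comment, because it reads like a typo for a file.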
@@ -0,0 +1,53 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- import_tasks: hardening.yaml
+
+- name: setting umask for init scripts
+ lineinfile:
+ dest: /etc/sysconfig/init
+ regexp: ^umask
+ line: umask 027
+
+- name: disable interactive boot
+ lineinfile:
+ dest: /etc/sysconfig/init
+ state: present
+ regexp: '^ *PROMPT *= *\w+$'
+ line: PROMPT=no
+
+- name: removing wheel group altogether
+ group:
+ name: wheel
+ state: absent
+
+- name: removing postfix
+ yum:
+ name: postfix
+ state: absent
+
+- name: change permission of files to 0500
+ file:
+ path: /usr/sbin/tcpdump
+ state: file
+ mode: 0500
+
+- name: change permission of files to 0X00
+ file:
+ path: /root
+ state: directory
+ recurse: yes
+ mode: "g-rwx,o-rwx"
+
diff --git a/ansible/roles/hardening/templates/docker.rules b/ansible/roles/hardening/templates/docker.rules
new file mode 100644
index 0000000..7baf141
--- /dev/null
+++ b/ansible/roles/hardening/templates/docker.rules
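Review bot: `change permission of files to 0500` uses `state: file` on /usr/sbin/tcpdump, and the `file` module fails outright when the path does not exist, so the whole hardening play aborts on any host without the tcpdump package. Guard it the way the security role guards its 0600 list — a `stat` on the path followed by `when: tcpdump_stat.stat.exists` — or declare the package a dependency of the role. `removing wheel group altogether` is a deliberate hardening step, but it silently changes the meaning of any `%wheel` sudoers line and of `pam_wheel`; a comment naming the admin mechanism that replaces it (the `users.admin_user_name` account, presumably) would help.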
@@ -0,0 +1,23 @@
+{#
+Copyright 2019 Nokia
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+#}
+-w /usr/bin/docker -k docker
+-w /var/lib/docker/manifests -k docker"
+-w /etc/docker -k docker
+-w /usr/lib/systemd/system/docker.service -k docker
+-w /var/run/docker.sock -k docker
+-w /etc/sysconfig/docker-proxy -k docker
+-w /etc/sysconfig/docker-storage -k docker
+-w /etc/sysconfig/docker-registries -k docker
diff --git a/ansible/roles/hardening/templates/hardened_path.sh b/ansible/roles/hardening/templates/hardened_path.sh
new file mode 100644
index 0000000..837752a
--- /dev/null
+++ b/ansible/roles/hardening/templates/hardened_path.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+IFS=':' read -ra PATH_ELEMENTS <<< "$PATH"
+PATH=""
+for element in "${PATH_ELEMENTS[@]}"; do
+ if [[ ! -z "$element" ]] && [[ -d "$element" ]] && [[ ! -z "`/usr/bin/ls -A \"$element\"`" ]]; then
+ PATH=$PATH:$element
+ fi
+done
+PATH=${PATH#":"}
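Review bot: The rule `-w /var/lib/docker/manifests -k docker"` carries a stray trailing double quote, so the key that `augenrules --load` installs would be `docker"` (or the line rejected), which breaks `ausearch -k docker` for that path; it should read `-w /var/lib/docker/manifests -k docker`. No task in this change installs this template under /etc/audit/rules.d/ — the only audit step visible is `augenrules --load` in the security role — so as committed the rules never take effect; either add a `template` task in the hardening role or note in a comment where it is deployed. If the watch list follows a published benchmark, a one-line comment naming it would let reviewers check it for completeness.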
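Review bot: The script declares `#!/bin/sh` but relies on bash-only syntax (`read -ra`, `<<<`, `[[ ]]`, arrays), which only works because /etc/profile.d/*.sh is sourced by bash; either change the first line to `#!/bin/bash` or, since the file is sourced rather than executed, replace it with a comment saying so. It also leaves `PATH_ELEMENTS` and `element` defined in every login shell; finish with `unset PATH_ELEMENTS element`. A header comment stating the intent — presumably to drop empty, missing and empty-directory entries so that a later-created directory (such as the `$HOME/bin` this change removes from the skeleton profile) cannot sit in PATH ahead of system paths — would make the hardening purpose explicit instead of leaving the reader to infer it.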
diff --git a/ansible/roles/rbac/tasks/main.yml b/ansible/roles/rbac/tasks/main.yml
new file mode 100644
index 0000000..3c0ee05
--- /dev/null
+++ b/ansible/roles/rbac/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: create rbac objects
+ kubectl:
+ manifest: "{{ item }}"
+ state: present
+ with_fileglob: "{{ caas.rbac_manifests_directory }}/*"
+ when: ( nodename | search("caas_master1") )
diff --git a/ansible/roles/security/tasks/main.yml b/ansible/roles/security/tasks/main.yml
new file mode 100644
index 0000000..22e3197
--- /dev/null
+++ b/ansible/roles/security/tasks/main.yml
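Review bot: `when: ( nodename | search("caas_master1") )` is a substring match, so it is also true on a node named `caas_master10` or `caas_master11`, and `search` used as a Jinja filter is deprecated in newer Ansible in favour of the `is search` test. An exact comparison avoids both problems: `when: nodename == "caas_master1"`. `with_fileglob` applies every file in `caas.rbac_manifests_directory` in filesystem order, which judging by the diffstat includes PodSecurityPolicies alongside the bindings that reference them; a comment stating that the `kubectl` module is expected to be idempotent and that ordering does not matter would reassure readers.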
@@ -0,0 +1,98 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ - name: protect grub with root password
+ blockinfile:
+ dest: /etc/grub.d/40_custom
+ state: present
+ insertafter: 'EOF'
+ content: |
+ # define superusers
+ set superusers="root"
+ #define users
+ password_pbkdf2 root {{ host_os.grub2_password }}
+ when:
+ - host_os is defined
+ - host_os.grub2_password | default(False, True)
+
+ - name: generate grub config
+ command: /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
+
+ - name: chsh/chfn right setting
+ file:
+ path: "{{ item }}"
+ state: file
+ mode: 04700
+ owner: root
+ group: root
+ with_items:
+ - /usr/bin/chsh
+ - /usr/bin/chfn
+
+ - name: permission change for ssh certificates
+ file:
+ path: "{{ item }}"
+ state: file
+ mode: 0600
+ owner: root
+ group: root
+ with_fileglob:
+ - /etc/ssh/ssh_host_*_key
+
+ - name: reload audit config
+ command: augenrules --load
+
+ - name: Checking existing file id for permission set 0600
+ stat:
+ path: "{{ item }}"
+ register: file_perm_status
+ with_items:
+ - /var/log/boot.log
+ - /var/log/cloud-init.log
+ - /var/log/cloud-init-output.log
+ - /var/log/dmesg
+ - /var/log/dmesg.old
+ - /var/log/java_install.log
+ - /var/log/ntp.log
+ - /var/log/rhsm/rhsmcertd.log
+ - /var/log/rhsm/rhsm.log
+ - /var/log/tuned/tuned.log
+ - /var/log/up2date
+ - /var/log/wpa_supplicant.log
+ - /etc/cron.d/0hourly
+ - /etc/cron.daily/0yum-daily.cron
+ - /etc/cron.daily/man-db.cron
+ - /etc/cron.hourly/0anacron
+ - /etc/cron.hourly/0yum-hourly.cron
+ - /boot/grub2/grub.cfg
+ - /etc/rsyslog.conf
+ - /etc/sysctl.conf
+ - /etc/ntp.conf
+ - /etc/audit/audit.rules
+
+ - name: change permission of of files to 0600
+ file:
+ path: "{{ item.stat.path }}"
+ state: file
+ mode: 0600
+ when: item.stat.exists
+ with_items: "{{ file_perm_status.results }}"
+
+ - name: delete broken links
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_lines:
+ - find /run/udev/watch/ -xtype l
diff --git a/rbac_manifests/auto-approve-crb.yml b/rbac_manifests/auto-approve-crb.yml
new file mode 100644
index 0000000..d222d8a
--- /dev/null
+++ b/rbac_manifests/auto-approve-crb.yml
@@ -0,0 +1,27 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: auto-approve-bootstrappers-certs
+subjects:
+- kind: Group
+ name: system:bootstrappers
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
+ apiGroup: rbac.authorization.k8s.io
diff --git a/rbac_manifests/auto-renew-crb.yml b/rbac_manifests/auto-renew-crb.yml
new file mode 100644
index 0000000..4d05f07
--- /dev/null
+++ b/rbac_manifests/auto-renew-crb.yml
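Review bot: The grub PBKDF2 hash is written into `/etc/grub.d/40_custom`, which is world-readable by default, so any local user can copy it for offline cracking; the later permission task tightens `/boot/grub2/grub.cfg` to 0600 but leaves the source file open. Add `mode: 0600` to the `blockinfile` task, or write the hash to `/boot/grub2/user.cfg`, which RHEL's `01_users` script reads and which is 0600 by default. The `permission change for ssh certificates` task uses `with_fileglob`, which expands on the Ansible controller rather than the managed host, so it only works when the controller happens to have the same `/etc/ssh/ssh_host_*_key` names; a `find` on the target registered into a variable is the reliable form. `grub2-mkconfig` and `augenrules --load` have no `changed_when`, so the play reports a change on every run, and `grub2-mkconfig` runs even when no password was supplied; conditioning it on the first task keeps the two consistent.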
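Review bot: Binding the entire `system:bootstrappers` group to the `nodeclient` CSR role means any holder of a bootstrap token gets a `system:node:<name>` client certificate approved automatically, with no operator review; a leaked token therefore yields a node identity that can read every secret mounted on pods scheduled to a node of that name. The manifest cannot show how tokens are minted, so it is worth confirming they carry a short TTL and are deleted after join, and, if kubeadm-style tokens are used, binding the narrower `system:bootstrappers:kubeadm:default-node-token` group instead of the parent group. A one-line comment stating that this binding is what enables TLS bootstrap auto-approval would help the next reader.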
@@ -0,0 +1,27 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: auto-renew-node-certs
+subjects:
+- kind: Group
+ name: system:nodes
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
+ apiGroup: rbac.authorization.k8s.io
diff --git a/rbac_manifests/caas-default-psp.yaml b/rbac_manifests/caas-default-psp.yaml
new file mode 100644
index 0000000..d3d3712
--- /dev/null
+++ b/rbac_manifests/caas-default-psp.yaml
@@ -0,0 +1,69 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: caas-default
+spec:
+ privileged: false
+ allowPrivilegeEscalation: true
+ readOnlyRootFilesystem: false
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
+ volumes:
+ - 'configMap'
+ - 'downwardAPI'
+ - 'emptyDir'
+ - 'persistentVolumeClaim'
+ - 'projected'
+ - 'secret'
+ - 'hostPath'
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ runAsUser:
+ rule: RunAsAny
+ fsGroup:
+ rule: RunAsAny
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: caas:default-psp
+rules:
+- apiGroups: ['extensions']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: ['caas-default']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: caas:default-psp
+roleRef:
+ kind: ClusterRole
+ name: caas:default-psp
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+# Authorize system:nodes group to be able to create mirror pods
+- kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: system:nodes
+- kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: system:serviceaccounts
diff --git a/rbac_manifests/caas-infra-psp.yaml b/rbac_manifests/caas-infra-psp.yaml
new file mode 100644
index 0000000..8392e87
--- /dev/null
+++ b/rbac_manifests/caas-infra-psp.yaml
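Review bot: `caas-default` is bound to `system:serviceaccounts`, i.e. every service account in every namespace, yet it allows `hostPath` volumes with no `allowedHostPaths`, `runAsUser: RunAsAny` and `allowPrivilegeEscalation: true`; a pod in any tenant namespace can therefore mount `/` or `/var/run/docker.sock` read-write as root, which is node takeover in all but name despite `privileged: false`. Drop `'hostPath'` from `volumes` (or add an `allowedHostPaths` list with `readOnly: true` entries), set `allowPrivilegeEscalation: false`, and consider `runAsUser: {rule: MustRunAsNonRoot}` plus `requiredDropCapabilities: [ALL]` if the workloads this platform hosts can tolerate it. The file header should state that this is the policy every service account falls back to, since nothing in the manifest itself makes that obvious.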
@@ -0,0 +1,77 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: caas-infra
+spec:
+ privileged: true
+ readOnlyRootFilesystem: false
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65535
+ volumes:
+ - 'emptyDir'
+ - 'hostPath'
+ - 'persistentVolumeClaim'
+ - 'configMap'
+ - 'secret'
+ - 'rbd'
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ runAsUser:
+ rule: RunAsAny
+ fsGroup:
+ rule: RunAsAny
+ allowedCapabilities:
+ - NET_BIND_SERVICE
+ - ALL
+ - IPC_LOCK
+ - SYS_RESOURCE
+ - SYS_PTRACE
+ - SYS_ADMIN
+ - NET_ADMIN
+ - NET_RAW
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: caas:infra-psp
+rules:
+- apiGroups: ['extensions']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: ['caas-infra']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: caas:infra-psp
+roleRef:
+ kind: ClusterRole
+ name: caas:infra-psp
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+# Authorize system:nodes group to be able to create mirror pods
+- kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: system:nodes
+- kind: ServiceAccount
+ name: default
+ namespace: kube-system
diff --git a/rbac_manifests/cpudp-rbac-config.yml b/rbac_manifests/cpudp-rbac-config.yml
new file mode 100644
index 0000000..cbc9cd8
--- /dev/null
+++ b/rbac_manifests/cpudp-rbac-config.yml
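Review bot: The binding grants the fully privileged `caas-infra` policy to the `default` service account in `kube-system`, so any pod created in that namespace without an explicit `serviceAccountName` runs with `privileged: true`, host network and unrestricted `hostPath`; every component in this commit already has its own service account bound to `caas:infra-psp`, so the `default` subject can be removed. `allowedCapabilities` lists `ALL`, which makes the seven named capabilities redundant; either keep only `- ALL` or, better, list only the capabilities the infra daemons actually need so the intent is unambiguous. With `hostPath` allowed and no `allowedHostPaths`, this policy is node-root-equivalent, which is expected for CNI and device-plugin daemons but deserves a comment in the file header so it is not reused casually.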
@@ -0,0 +1,66 @@ +--- +# Copyright 2019 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cpu-device-plugin + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: caas:cpu-device-plugin +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: caas:cpu-device-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: caas:cpu-device-plugin +subjects: +- kind: ServiceAccount + name: cpu-device-plugin + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: caas:cpu-device-plugin-psp +subjects: +- kind: ServiceAccount + name: cpu-device-plugin + namespace: kube-system +roleRef: + kind: ClusterRole + name: caas:infra-psp + apiGroup: rbac.authorization.k8s.io diff --git a/rbac_manifests/cpusetter-rbac-config.yml b/rbac_manifests/cpusetter-rbac-config.yml new file mode 100644 index 0000000..7cd170a --- /dev/null +++ b/rbac_manifests/cpusetter-rbac-config.yml 
@@ -0,0 +1,67 @@ +--- +# Copyright 2019 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cpu-setter + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: caas:cpu-setter +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: caas:cpu-setter +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: caas:cpu-setter +subjects: +- kind: ServiceAccount + name: cpu-setter + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: caas:cpu-setter-psp +subjects: +- kind: ServiceAccount + name: cpu-setter + namespace: kube-system +roleRef: + kind: ClusterRole + name: caas:infra-psp + apiGroup: rbac.authorization.k8s.io diff --git a/rbac_manifests/custom-metrics-apiserver-rbac.yaml b/rbac_manifests/custom-metrics-apiserver-rbac.yaml new file mode 100644 index 0000000..05dc74f --- /dev/null +++ b/rbac_manifests/custom-metrics-apiserver-rbac.yaml 
@@ -0,0 +1,89 @@ +--- +# Copyright 2019 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: custom-metrics-apiserver + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: caas:custom-metrics-server-resource-reader +rules: +- apiGroups: + - "" + resources: + - namespaces + - pods + - services + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: caas:custom-metrics-server:extension-apiserver-authentication-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: custom-metrics-apiserver + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: caas:custom-metrics-server:system:auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: custom-metrics-apiserver + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: caas:custom-metrics-server-psp +subjects: +- kind: ServiceAccount + name: custom-metrics-apiserver + namespace: kube-system +roleRef: + kind: ClusterRole + name: caas:infra-psp + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: caas:custom-metrics-server:custom-apiserver-resource-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: caas:custom-metrics-server-resource-reader +subjects: +- kind: ServiceAccount + name: custom-metrics-apiserver + namespace: kube-system diff --git a/rbac_manifests/danm-rbac-config.yaml b/rbac_manifests/danm-rbac-config.yaml new file mode 100644 index 0000000..a08796f --- /dev/null +++ b/rbac_manifests/danm-rbac-config.yaml @@ -0,0 +1,42 @@ +--- +# Copyright 2019 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: caas:danm +rules: + - apiGroups: + - danm.k8s.io + resources: + - danmnets + - danmeps + verbs: [ "*" ] + - apiGroups: [ "" ] + resources: [ "pods" ] + verbs: [ "get","watch","list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: caas:danm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: caas:danm +subjects: + - kind: User + apiGroup: rbac.authorization.k8s.io + name: danm diff --git a/rbac_manifests/flannel-rbac-config.yml b/rbac_manifests/flannel-rbac-config.yml new file mode 100644 index 0000000..afb1b78 --- /dev/null +++ b/rbac_manifests/flannel-rbac-config.yml 
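Review bot: The `custom-metrics-apiserver` service account is bound to `caas:infra-psp`, which is privileged with host network and unrestricted `hostPath`; an aggregated metrics API server needs neither, so binding it to `caas:default-psp` (or a dedicated restrictive policy) removes a path from a compromised metrics server to the node. The file mixes `rbac.authorization.k8s.io/v1beta1` and `/v1` for the same kinds; `v1` has been served since Kubernetes 1.8 and is what the other manifests in this commit use, so the two `v1beta1` objects can move to `v1`. The `system:auth-delegator` and `extension-apiserver-authentication-reader` bindings are the standard pair for an aggregated API server and look correct.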
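Review bot: The subject is a single `User` named `danm`, which means one client certificate (presumably issued by the cert role, outside this hunk) is shared by the CNI binary on every node, and `verbs: ["*"]` on `danmnets`/`danmeps` gives that shared credential cluster-wide delete and deletecollection; a compromise of any one node can therefore wipe every DanmNet in the cluster. Enumerate the verbs the plugin actually issues, e.g. `verbs: ["get", "list", "watch", "create", "update", "delete"]`, and consider per-node identities if the CNI plugin can consume a per-node kubeconfig. Both objects use the deprecated `rbac.authorization.k8s.io/v1beta1`; the rest of the commit is on `v1`.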
@@ -0,0 +1,71 @@ +--- +# Copyright 2019 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: flannel + namespace: kube-system +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: caas:flannel +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: caas:flannel +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: caas:flannel +subjects: + - kind: ServiceAccount + name: flannel + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: caas:flannel-psp +subjects: +- kind: ServiceAccount + name: flannel + namespace: kube-system +roleRef: + kind: ClusterRole + name: caas:infra-psp + apiGroup: rbac.authorization.k8s.io diff --git a/rbac_manifests/fluentd-rbac-config.yml b/rbac_manifests/fluentd-rbac-config.yml new file mode 100644 index 0000000..4d6832d --- /dev/null +++ b/rbac_manifests/fluentd-rbac-config.yml 
@@ -0,0 +1,63 @@ +--- +# Copyright 2019 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + k8s-app: fluentd + name: fluentd + namespace: kube-system +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: caas:fluentd +rules: + - apiGroups: + - "" + resources: + - "namespaces" + - "pods" + verbs: + - "list" + - "get" + - "watch" +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: caas:fluentd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: caas:fluentd +subjects: +- kind: ServiceAccount + name: fluentd + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: caas:fluentd-psp +subjects: +- kind: ServiceAccount + name: fluentd + namespace: kube-system +roleRef: + kind: ClusterRole + name: caas:infra-psp + apiGroup: rbac.authorization.k8s.io diff --git a/rbac_manifests/kubedns-rbac-config.yml b/rbac_manifests/kubedns-rbac-config.yml new file mode 100644 index 0000000..0cd6967 --- /dev/null +++ b/rbac_manifests/kubedns-rbac-config.yml 
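Review bot: `fluentd` is bound to `caas:infra-psp`, which grants `privileged: true`, host network and arbitrary read-write `hostPath`; a log shipper only needs read-only access to the log directories, so a dedicated PSP with `privileged: false` and `allowedHostPaths` entries marked `readOnly: true` would confine a fluentd plugin or config compromise to reading logs rather than owning the node. The ClusterRole itself (list/get/watch on namespaces and pods) matches what the kubernetes metadata filter needs and looks right.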
@@ -0,0 +1,60 @@ +--- +# Copyright 2019 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-dns + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: caas:kube-dns +rules: +- apiGroups: + - "" + resources: + - endpoints + - services + verbs: + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: caas:kube-dns +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: caas:kube-dns +subjects: +- kind: ServiceAccount + name: kube-dns + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: caas:kube-dns-psp +subjects: +- kind: ServiceAccount + name: kube-dns + namespace: kube-system +roleRef: + kind: ClusterRole + name: caas:infra-psp + apiGroup: rbac.authorization.k8s.io diff --git a/rbac_manifests/kubernetes-bootstrap-crb.yml b/rbac_manifests/kubernetes-bootstrap-crb.yml new file mode 100644 index 0000000..61296b5 --- /dev/null +++ b/rbac_manifests/kubernetes-bootstrap-crb.yml 
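Review bot: `kube-dns` is granted `caas:infra-psp` (privileged, host network, unrestricted hostPath) although the upstream kube-dns deployment runs unprivileged with no host volumes; binding it to `caas:default-psp` instead keeps a DNS-server compromise off the node. The ClusterRole is the upstream minimum (list/watch on endpoints and services) and needs no change.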
@@ -0,0 +1,27 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kubelet-bootstrap-cbr
+subjects:
+- kind: Group
+ name: system:bootstrappers
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: system:node-bootstrapper
+ apiGroup: rbac.authorization.k8s.io
diff --git a/rbac_manifests/metrics-server-rbac.yaml b/rbac_manifests/metrics-server-rbac.yaml
new file mode 100644
index 0000000..cf69a75
--- /dev/null
+++ b/rbac_manifests/metrics-server-rbac.yaml
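Review bot: Point of style: the binding is named `kubelet-bootstrap-cbr` while the file and the sibling bindings use the `crb` suffix (`auto-approve-crb.yml`, `auto-renew-crb.yml`), so the transposed letters look like a typo and will make a `grep crb` over bindings miss it; `name: kubelet-bootstrap-crb` matches the convention. RBAC object names are immutable, so if this name has already been applied on existing clusters the old object has to be deleted explicitly when renaming.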
@@ -0,0 +1,98 @@ +--- +# Copyright 2019 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: metrics-apiserver + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: caas:metrics-server:extension-apiserver-authentication-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: metrics-apiserver + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: caas:metrics-server +rules: +- apiGroups: + - "" + resources: + - pods + - nodes + - nodes/stats + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + resources: + - deployments + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: caas:metrics-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: caas:metrics-server +subjects: +- kind: ServiceAccount + name: metrics-apiserver + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: caas:metrics-server:system:auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: metrics-apiserver + 
namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: caas:metrics-apiserver-psp +subjects: +- kind: ServiceAccount + name: metrics-apiserver + namespace: kube-system +roleRef: + kind: ClusterRole + name: caas:infra-psp + apiGroup: rbac.authorization.k8s.io diff --git a/rbac_manifests/netwatcher-rbac-config.yml b/rbac_manifests/netwatcher-rbac-config.yml new file mode 100644 index 0000000..fae1c23 --- /dev/null +++ b/rbac_manifests/netwatcher-rbac-config.yml 
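Review bot: `metrics-apiserver` is bound to `caas:infra-psp` (privileged, host network, unrestricted hostPath); metrics-server only talks to the kubelet summary API and the apiserver, so `caas:default-psp` is sufficient and keeps a metrics-server compromise off the node. I could not find a consumer of the `extensions`/`deployments` read rule in this commit; the upstream metrics-server role does not carry it, so it is worth confirming it is needed before keeping it. The file also mixes `v1` and `v1beta1` for the RBAC group; `v1` throughout is the current form.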
@@ -0,0 +1,63 @@ +--- +# Copyright 2019 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: netwatcher + namespace: kube-system + labels: + kubernetes.io/cluster-service: "true" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: caas:netwatcher +rules: +- apiGroups: + - "danm.k8s.io" + resources: + - danmnets + verbs: + - get + - list + - watch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: caas:netwatcher +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: caas:netwatcher +subjects: +- kind: ServiceAccount + namespace: kube-system + name: netwatcher +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: caas:netwatcher-psp +subjects: +- kind: ServiceAccount + name: netwatcher + namespace: kube-system +roleRef: + kind: ClusterRole + name: caas:infra-psp + apiGroup: rbac.authorization.k8s.io diff --git a/rbac_manifests/prometheus-rbac.yaml b/rbac_manifests/prometheus-rbac.yaml new file mode 100644 index 0000000..bda6aee --- /dev/null +++ b/rbac_manifests/prometheus-rbac.yaml 
@@ -0,0 +1,67 @@ +--- +# Copyright 2019 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: prometheus + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: caas:prometheus +rules: +- apiGroups: [""] + resources: + - nodes + - nodes/proxy + - services + - endpoints + - pods + verbs: ["get", "list", "watch"] +- apiGroups: + - extensions + resources: + - ingresses + verbs: ["get", "list", "watch"] +- nonResourceURLs: ["/metrics"] + verbs: ["get"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: caas:prometheus +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: caas:prometheus +subjects: +- kind: ServiceAccount + name: prometheus + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: caas:prometheus-psp +subjects: +- kind: ServiceAccount + name: prometheus + namespace: kube-system +roleRef: + kind: ClusterRole + name: caas:infra-psp + apiGroup: rbac.authorization.k8s.io diff --git a/rbac_manifests/svcwatcher-rbac-config.yml b/rbac_manifests/svcwatcher-rbac-config.yml new file mode 100644 index 0000000..d827b72 --- /dev/null +++ b/rbac_manifests/svcwatcher-rbac-config.yml 
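Review bot: `nodes/proxy` with `get` lets the prometheus service account issue GET requests to every kubelet through the apiserver proxy, which exposes not only `/metrics` and `/metrics/cadvisor` but also `/pods` (full pod specs, including env values) and `/logs/` (the node's /var/log); if Prometheus scrapes the kubelet directly on its port with the service-account bearer token, the narrower `resources: [nodes/metrics]` is enough and `nodes/proxy` can be dropped. If the apiserver-proxy scrape path is required on this platform, keep `nodes/proxy` but say why in a comment on the rule. Prometheus is also bound to `caas:infra-psp`; it needs no host access, so `caas:default-psp` would do.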
@@ -0,0 +1,87 @@ +--- +# Copyright 2019 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: svcwatcher + namespace: kube-system + labels: + kubernetes.io/cluster-service: "true" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: caas:svcwatcher +rules: +- apiGroups: + - "" + resources: + - endpoints + verbs: + - list + - watch + - get + - update + - create + - delete +- apiGroups: + - "" + resources: + - services + - pods + verbs: + - list + - watch + - get +- apiGroups: + - "danm.k8s.io" + resources: + - danmnets + - danmeps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: caas:svcwatcher +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: caas:svcwatcher +subjects: +- kind: ServiceAccount + namespace: kube-system + name: svcwatcher +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: caas:svcwatcher-psp +subjects: +- kind: ServiceAccount + name: svcwatcher + namespace: kube-system +roleRef: + kind: ClusterRole + name: caas:infra-psp + apiGroup: rbac.authorization.k8s.io diff --git a/rbac_manifests/tiller-rbac-config.yaml b/rbac_manifests/tiller-rbac-config.yaml new file mode 100644 index 0000000..40715eb --- /dev/null +++ b/rbac_manifests/tiller-rbac-config.yaml 
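Review bot: `create`/`update`/`delete` on `endpoints` in every namespace lets a compromised svcwatcher rewrite the Endpoints of any Service, including kube-dns and other kube-system services, and so redirect cluster traffic to an attacker-controlled pod; this is a well-known escalation path for endpoint writers. If svcwatcher only manages Endpoints in a known set of namespaces, RoleBindings per namespace would bound the blast radius, and a comment on the rule should state that cluster-wide write is deliberate if it is not. Unlike the other DANM components it is also bound to `caas:infra-psp` although a controller that only watches and writes API objects needs no host access.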
@@ -0,0 +1,257 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tiller
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: caas:tiller
+rules:
+# copied from admin role, with some limits
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/attach
+ - pods/exec
+ - pods/portforward
+ - pods/proxy
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - persistentvolumeclaims
+ - replicationcontrollers
+ - replicationcontrollers/scale
+ - secrets
+ - serviceaccounts
+ - services
+ - services/proxy
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - bindings
+ - events
+ - limitranges
+ - namespaces/status
+ - pods/log
+ - pods/status
+ - replicationcontrollers/status
+ - resourcequotas
+ - resourcequotas/status
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - deployments/rollback
+ - deployments/scale
+ - replicasets
+ - replicasets/scale
+ - statefulsets
+ - statefulsets/scale
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ -
apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - daemonsets
+ - deployments
+ - deployments/rollback
+ - deployments/scale
+ - ingresses
+ - networkpolicies
+ - replicasets
+ - replicasets/scale
+ - replicationcontrollers/scale
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - localsubjectaccessreviews
+ verbs:
+ - create
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ - roles
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apiregistration.k8s.io
+ resources:
+ - apiservices
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - danm.k8s.io
+ resources:
+ - danmnets
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: caas:tiller
+subjects:
+- kind: ServiceAccount
+ name: tiller
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: caas:tiller
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind:
ClusterRoleBinding
+metadata:
+ name: caas:tiller-psp
+subjects:
+- kind: ServiceAccount
+ name: tiller
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: caas:infra-psp
+ apiGroup: rbac.authorization.k8s.io
diff --git a/rpmbuild.spec b/rpmbuild.spec
new file mode 100644
index 0000000..ff5b344
--- /dev/null
+++ b/rpmbuild.spec
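Review bot: The `# copied from admin role, with some limits` comment above the `caas:tiller` rules does not say what the limits are, and the rules that remain make the role close to cluster-admin in practice: cluster-wide write on `secrets` and `serviceaccounts`, `pods/exec` and `pods/attach`, `rolebindings`/`roles` write in every namespace, and full write on `mutatingwebhookconfigurations` and `validatingwebhookconfigurations`, which is cluster-scoped and lets the holder alter any object passing through admission. Any process that obtains the tiller token in `kube-system` inherits all of that, so the comment should list the admin rules that were dropped and why the cluster-scoped admissionregistration and secrets grants are required, e.g. `# limits vs. admin: <rules removed>; webhook + secrets write kept cluster-wide because <reason>`, with the placeholders filled in by the author. If Tiller is only expected to install into a known set of namespaces, per-namespace RoleBindings to this ClusterRole would be a tighter alternative to the `caas:tiller` ClusterRoleBinding at the end of the hunk. The hunk begins on line 40 and runs across three physical lines.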
@@ -0,0 +1,70 @@
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+%define COMPONENT security
+%define RPM_NAME caas-%{COMPONENT}
+%define RPM_MAJOR_VERSION 1.0.0
+%define RPM_MINOR_VERSION 1
+%define RBAC_MANIFEST_DIR /var/lib/caas/rbac_manifests/
+
+Name: %{RPM_NAME}
+Version: %{RPM_MAJOR_VERSION}
+Release: %{RPM_MINOR_VERSION}%{?dist}
+Summary: Containers as a Service security related playbooks + manifests
+License: %{_platform_license}
+BuildArch: x86_64
+Vendor: %{_platform_vendor}
+Source0: %{name}-%{version}.tar.gz
+
+%description
+This rpm contains the necessary security related playbooks + manifests for the caas subsystem.
+
+%prep
+%autosetup
+
+%build
+
+%install
+mkdir -p %{buildroot}/%{RBAC_MANIFEST_DIR}/
+rsync -av rbac_manifests/* %{buildroot}/%{RBAC_MANIFEST_DIR}/
+
+mkdir -p %{buildroot}/%{_playbooks_path}/
+rsync -av ansible/playbooks/* %{buildroot}/%{_playbooks_path}/
+
+mkdir -p %{buildroot}/%{_roles_path}/
+rsync -av ansible/roles/* %{buildroot}/%{_roles_path}/
+
+%files
+%{RBAC_MANIFEST_DIR}/*
+%{_playbooks_path}/*
+%{_roles_path}/*
+
+
+%preun
+
+%post
+mkdir -p %{_postconfig_path}/
+ln -sf %{_playbooks_path}/rbac.yaml %{_postconfig_path}
+ln -sf %{_playbooks_path}/security.yaml %{_postconfig_path}
+
+
+%postun
+if [ $1 -eq 0 ]; then
+ rm -f %{_postconfig_path}/rbac.yaml
+ rm -f %{_postconfig_path}/security.yaml
+fi
+
+
+%clean
+rm -rf ${buildroot}
-- 2.16.6
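Review bot: `%clean` runs `rm -rf ${buildroot}`, which is a shell variable expansion rather than the RPM macro; `${buildroot}` is not set in the scriptlet shell, so the command degrades to a bare `rm -rf` and the build root is never removed. It should read `rm -rf %{buildroot}`, matching the macro form already used throughout `%install`. The `%files` list only globs the contents of `%{RBAC_MANIFEST_DIR}`, `%{_playbooks_path}` and `%{_roles_path}`, so the directories themselves are not owned by the package and are left behind on erase; adding `%dir %{RBAC_MANIFEST_DIR}` (and the equivalent for the other two if this package is meant to own them) would make removal clean. The `$1 -eq 0` guard in `%postun` is the right pattern for a full erase and is worth keeping as the model for any future scriptlet in this file.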