diff --git a/pkg/podexecutor/staticpod.go b/pkg/podexecutor/staticpod.go
index 758b5c0ede..e9cf129ca4 100644
--- a/pkg/podexecutor/staticpod.go
+++ b/pkg/podexecutor/staticpod.go
@@ -214,6 +214,7 @@ func (s *StaticPodConfig) KubeProxy(_ context.Context, args []string) error {
 Command: "kube-proxy",
 Args: args,
 Image: image,
+ CISMode: s.CISMode,
 HealthPort: 10256,
 HealthProto: "HTTP",
 CPURequest: s.ControlPlaneResources.KubeProxyCPURequest,
@@ -315,6 +316,7 @@ func (s *StaticPodConfig) APIServer(_ context.Context, etcdReady <-chan struct{}
 Args: args,
 Image: image,
 Dirs: dirs,
+ CISMode: s.CISMode,
 CPURequest: s.ControlPlaneResources.KubeAPIServerCPURequest,
 CPULimit: s.ControlPlaneResources.KubeAPIServerCPULimit,
 MemoryRequest: s.ControlPlaneResources.KubeAPIServerMemoryRequest,
@@ -367,6 +369,7 @@ func (s *StaticPodConfig) Scheduler(_ context.Context, apiReady <-chan struct{},
 Command: "kube-scheduler",
 Args: args,
 Image: image,
+ CISMode: s.CISMode,
 HealthPort: 10259,
 HealthProto: "HTTPS",
 CPURequest: s.ControlPlaneResources.KubeSchedulerCPURequest,
@@ -436,6 +439,7 @@ func (s *StaticPodConfig) ControllerManager(_ context.Context, apiReady <-chan s
 Args: args,
 Image: image,
 Dirs: onlyExisting(ssldirs),
+ CISMode: s.CISMode,
 HealthPort: 10257,
 HealthProto: "HTTPS",
 CPURequest: s.ControlPlaneResources.KubeControllerManagerCPURequest,
@@ -466,6 +470,7 @@ func (s *StaticPodConfig) CloudControllerManager(_ context.Context, ccmRBACReady
 Args: args,
 Image: image,
 Dirs: onlyExisting(ssldirs),
+ CISMode: s.CISMode,
 HealthPort: 10258,
 HealthProto: "HTTPS",
 CPURequest: s.ControlPlaneResources.CloudControllerManagerCPURequest,
@@ -539,6 +544,7 @@ func (s *StaticPodConfig) ETCD(ctx context.Context, args executor.ETCDConfig, ex
 args.PeerTrust.KeyFile,
 args.PeerTrust.TrustedCAFile,
 },
+ CISMode: s.CISMode,
 HealthPort: 2381,
 HealthPath: "/health?serializable=true",
 HealthProto: "HTTP",
diff --git a/pkg/staticpod/staticpod.go b/pkg/staticpod/staticpod.go
index 999847dced..e016a72b08 100644
--- a/pkg/staticpod/staticpod.go
+++ b/pkg/staticpod/staticpod.go
@@ -7,6 +7,7 @@ import (
 "encoding/hex"
 "fmt"
 "io"
+ "io/fs"
 "io/ioutil"
 "os"
 "path/filepath"
@@ -50,6 +51,7 @@ type Args struct {
 Image name.Reference
 Dirs []string
 Files []string
+ CISMode bool // CIS requires that the manifest be saved with 600 permissions
 ExcludeFiles []string
 HealthExec []string
 HealthPort int32
@@ -123,10 +125,13 @@ func Run(dir string, args Args) error {
 if err != nil {
 return err
 }
- return writeFile(manifestPath, b)
+ if args.CISMode {
+ return writeFile(manifestPath, b, 0600)
+ }
+ return writeFile(manifestPath, b, 0644)
 }
 
-func writeFile(dest string, content []byte) error {
+func writeFile(dest string, content []byte, perm fs.FileMode) error {
 name := filepath.Base(dest)
 dir := filepath.Dir(dest)
 if err := os.MkdirAll(dir, 0700); err != nil {
@@ -149,7 +154,7 @@ func writeFile(dest string, content []byte) error {
 defer os.RemoveAll(tmpdir)
 
 tmp := filepath.Join(tmpdir, name)
- if err := ioutil.WriteFile(tmp, content, 0644); err != nil {
+ if err := os.WriteFile(tmp, content, perm); err != nil {
 return err
 }
 return os.Rename(tmp, dest)
diff --git a/tests/e2e/vagrantdefaults.rb b/tests/e2e/vagrantdefaults.rb
index db1c4e320f..c0bcb5a49f 100644
--- a/tests/e2e/vagrantdefaults.rb
+++ b/tests/e2e/vagrantdefaults.rb
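Review bot: The mode selection in Run is duplicated across two return statements that differ only in the octal literal, which is easy to let drift the next time a mode is touched; pick the mode once and keep a single write path: `perm := fs.FileMode(0644)` / `if args.CISMode { perm = 0600 }` / `return writeFile(manifestPath, b, perm)`. The new `perm` parameter on writeFile is undocumented; a comment such as `// writeFile atomically replaces dest with content; the file is created with mode perm (narrowed by the process umask, never widened), so the 0600 used in CIS mode holds under any umask.` records the contract Run now depends on. Since `os.FileMode` is an alias of `fs.FileMode`, the added `io/fs` import is optional, though either spelling reads fine. Run's body starts before this hunk and writeFile continues past it.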
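Review bot: The temporary file now takes the caller's `perm`, and because it is renamed over dest on the next lines that mode is exactly what the manifest ends up with, which is worth stating at the write: `// perm becomes the manifest's final mode: Rename keeps the inode, so no later chmod is needed.` The import hunk above still keeps `"io/ioutil"` in scope, so some other call in this function (presumably the one that creates `tmpdir`, outside this hunk) still uses the deprecated package; with `ioutil.WriteFile` already replaced by `os.WriteFile`, moving that remaining call to `os.MkdirTemp` would finish the migration in the same commit. writeFile begins before this hunk.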
@@ -20,4 +20,9 @@ def getInstallType(vm, version, branch)
 scripts_location = Dir.exists?("./scripts") ? "./scripts" : "../scripts"
 vm.provision "shell", path: scripts_location + "/latest_commit.sh", args: [branch, "/tmp/rke2_commits"]
 return "INSTALL_RKE2_COMMIT=$(head\ -n\ 1\ /tmp/rke2_commits)"
+end
+
+def cisPrep(vm)
+ vm.provision "shell", inline: "useradd -r -c 'etcd user' -s /sbin/nologin -M etcd -U"
+ vm.provision "shell", inline: "printf 'vm.panic_on_oom=0\nvm.overcommit_memory=1\nkernel.panic=10\nkernel.panic_on_oops=1' > /etc/sysctl.d/60-rke2-cis.conf; systemctl restart systemd-sysctl"
 end
\ No newline at end of file
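Review bot: The `useradd` in cisPrep is not idempotent: on a VM that is re-provisioned, or on a box that already ships an etcd account, useradd exits non-zero because the user exists and the shell provisioner aborts the whole run. Guard the call so a second provision is a no-op, `vm.provision "shell", inline: "id etcd >/dev/null 2>&1 || useradd -r -c 'etcd user' -s /sbin/nologin -M etcd -U"`. The printf that writes the sysctl drop-in also omits a trailing newline after `kernel.panic_on_oops=1`; appending `\n` keeps the file line-terminated for tools that read it later. cisPrep is complete within this hunk.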