From 8f6deb34561c1d511ecb6f777c6e312130873e78 Mon Sep 17 00:00:00 2001
From: Derek Nola
Date: Tue, 3 Oct 2023 10:30:47 -0700
Subject: [PATCH 1/2] Write pod-manifests as 0600 in cis mode

Signed-off-by: Derek Nola
---
 pkg/podexecutor/staticpod.go | 6 ++++++
 pkg/staticpod/staticpod.go | 11 ++++++++---
 tests/e2e/vagrantdefaults.rb | 5 +++++
 3 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/pkg/podexecutor/staticpod.go b/pkg/podexecutor/staticpod.go
index dceedbee9c..080643059d 100644
--- a/pkg/podexecutor/staticpod.go
+++ b/pkg/podexecutor/staticpod.go
@@ -217,6 +217,7 @@ func (s *StaticPodConfig) KubeProxy(_ context.Context, args []string) error {
 Command: "kube-proxy",
 Args: args,
 Image: image,
+ CISMode: s.CISMode,
 HealthPort: 10256,
 HealthProto: "HTTP",
 CPURequest: s.ControlPlaneResources.KubeProxyCPURequest,
@@ -318,6 +319,7 @@ func (s *StaticPodConfig) APIServer(_ context.Context, etcdReady <-chan struct{}
 Args: args,
 Image: image,
 Dirs: dirs,
+ CISMode: s.CISMode,
 CPURequest: s.ControlPlaneResources.KubeAPIServerCPURequest,
 CPULimit: s.ControlPlaneResources.KubeAPIServerCPULimit,
 MemoryRequest: s.ControlPlaneResources.KubeAPIServerMemoryRequest,
@@ -370,6 +372,7 @@ func (s *StaticPodConfig) Scheduler(_ context.Context, apiReady <-chan struct{},
 Command: "kube-scheduler",
 Args: args,
 Image: image,
+ CISMode: s.CISMode,
 HealthPort: 10259,
 HealthProto: "HTTPS",
 CPURequest: s.ControlPlaneResources.KubeSchedulerCPURequest,
@@ -439,6 +442,7 @@ func (s *StaticPodConfig) ControllerManager(_ context.Context, apiReady <-chan s
 Args: args,
 Image: image,
 Dirs: onlyExisting(ssldirs),
+ CISMode: s.CISMode,
 HealthPort: 10257,
 HealthProto: "HTTPS",
 CPURequest: s.ControlPlaneResources.KubeControllerManagerCPURequest,
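Review bot: The new `CISMode: s.CISMode` field is hand-copied into every static pod's Args literal (KubeProxy, APIServer, Scheduler and ControllerManager in these hunks, CloudControllerManager and ETCD in the following ones), so a static pod added later that omits the field silently falls back to the 0644 manifest mode with no error. Deriving the flag in one place would fail closed instead, for example a small unexported helper on StaticPodConfig that builds the common part of `staticpod.Args` (image, CISMode, resource fields) which each method then extends. Each enclosing method starts and ends outside its hunk, so whether such a helper already exists cannot be confirmed from here.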
@@ -469,6 +473,7 @@ func (s *StaticPodConfig) CloudControllerManager(_ context.Context, ccmRBACReady
 Args: args,
 Image: image,
 Dirs: onlyExisting(ssldirs),
+ CISMode: s.CISMode,
 HealthPort: 10258,
 HealthProto: "HTTPS",
 CPURequest: s.ControlPlaneResources.CloudControllerManagerCPURequest,
@@ -542,6 +547,7 @@ func (s *StaticPodConfig) ETCD(ctx context.Context, args executor.ETCDConfig, ex
 args.PeerTrust.KeyFile,
 args.PeerTrust.TrustedCAFile,
 },
+ CISMode: s.CISMode,
 HealthPort: 2381,
 HealthPath: "/health?serializable=true",
 HealthProto: "HTTP",
diff --git a/pkg/staticpod/staticpod.go b/pkg/staticpod/staticpod.go
index 999847dced..e016a72b08 100644
--- a/pkg/staticpod/staticpod.go
+++ b/pkg/staticpod/staticpod.go
@@ -7,6 +7,7 @@ import (
 "encoding/hex"
 "fmt"
 "io"
+ "io/fs"
 "io/ioutil"
 "os"
 "path/filepath"
@@ -50,6 +51,7 @@ type Args struct {
 Image name.Reference
 Dirs []string
 Files []string
+ CISMode bool // CIS requires that the manifest be saved with 600 permissions
 ExcludeFiles []string
 HealthExec []string
 HealthPort int32
@@ -123,10 +125,13 @@ func Run(dir string, args Args) error {
 if err != nil {
 return err
 }
- return writeFile(manifestPath, b)
+ if args.CISMode {
+ return writeFile(manifestPath, b, 0600)
+ }
+ return writeFile(manifestPath, b, 0644)
 }
 
-func writeFile(dest string, content []byte) error {
+func writeFile(dest string, content []byte, perm fs.FileMode) error {
 name := filepath.Base(dest)
 dir := filepath.Dir(dest)
 if err := os.MkdirAll(dir, 0700); err != nil {
@@ -149,7 +154,7 @@ func writeFile(dest string, content []byte) error {
 defer os.RemoveAll(tmpdir)
 
 tmp := filepath.Join(tmpdir, name)
- if err := ioutil.WriteFile(tmp, content, 0644); err != nil {
+ if err := os.WriteFile(tmp, content, perm); err != nil {
 return err
 }
 return os.Rename(tmp, dest)
diff --git a/tests/e2e/vagrantdefaults.rb b/tests/e2e/vagrantdefaults.rb
index db1c4e320f..c0bcb5a49f 100644
--- a/tests/e2e/vagrantdefaults.rb
+++ b/tests/e2e/vagrantdefaults.rb
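Review bot: The two `return writeFile(...)` branches in Run duplicate the call and leave the non-CIS default as an unexplained literal; `perm := fs.FileMode(0644)` / `if args.CISMode { perm = 0600 }` / `return writeFile(manifestPath, b, perm)` reads more clearly and gives the default a place for a why-comment. writeFile also gained a perm parameter in this hunk without a doc comment; suggest `// writeFile writes content to a temporary file created with mode perm (subject to the process umask) and renames it over dest, so the resulting manifest carries perm regardless of the mode any existing file had.` That last property also means turning CISMode off rewrites a previously 0600 manifest back to 0644 on the next Run, which is presumably intended but worth stating on the Args.CISMode comment. Run's body and writeFile's body both continue outside the hunk.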
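Review bot: After this hunk the only visible use of io/ioutil (`ioutil.WriteFile`) is gone, yet the import hunk at the top of the file keeps `"io/ioutil"` alongside the new `"io/fs"`. If the remaining user is the tmpdir creation just above this hunk (not visible here), `os.MkdirTemp` is the non-deprecated equivalent and the import could be dropped in the same change; if nothing else uses it the build will already fail on the unused import. writeFile starts before this hunk.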
@@ -20,4 +20,9 @@ def getInstallType(vm, version, branch)
 scripts_location = Dir.exists?("./scripts") ? "./scripts" : "../scripts"
 vm.provision "shell", path: scripts_location + "/latest_commit.sh", args: [branch, "/tmp/rke2_commits"]
 return "INSTALL_RKE2_COMMIT=$(head\ -n\ 1\ /tmp/rke2_commits)"
+end
+
+def cisPrep(vm)
+ vm.provision "shell", inline: "useradd -r -c 'etcd user' -s /sbin/nologin -M etcd -U"
+ vm.provision "shell", inline: "printf 'vm.panic_on_oom=0\nvm.overcommit_memory=1\nkernel.panic=10\nkernel.panic_on_oops=1' > /etc/sysctl.d/60-rke2-cis.conf; systemctl restart systemd-sysctl"
 end
\ No newline at end of file

From 669eaffa7dc2a891a00779e7b1feff2b99e98521 Mon Sep 17 00:00:00 2001
From: Derek Nola
Date: Tue, 3 Oct 2023 10:34:39 -0700
Subject: [PATCH 2/2] Spellcheck

Signed-off-by: Derek Nola
---
 Vagrantfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Vagrantfile b/Vagrantfile
index e1b9febb2f..6002a9f0d8 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -108,7 +108,7 @@ EOF
 # SELinux is Enforcing by default.
 # To set SELinux as Disabled on a VM that has already been provisioned:
 # SELINUX=Disabled vagrant up --provision-with=selinux
- # To set SELinux as Permissive on a VM that has already been provsioned
+ # To set SELinux as Permissive on a VM that has already been provisioned
 # SELINUX=Permissive vagrant up --provision-with=selinux
 config.vm.provision "selinux", type: "shell", run: "once" do |sh|
 sh.upload_path = "/tmp/vagrant-selinux"
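Review bot: The `useradd` line in cisPrep is not idempotent: on a second `vagrant provision` the etcd user already exists, useradd exits non-zero and the shell provisioner aborts the rest of provisioning. Guarding it, `vm.provision "shell", inline: "id etcd >/dev/null 2>&1 || useradd -r -c 'etcd user' -s /sbin/nologin -M etcd -U"`, makes the re-run a no-op while the sysctl line is already safe to repeat. The hunk also ends with `\ No newline at end of file`; a closing newline after the new `end` would keep the file gofmt-style clean for Ruby tooling and avoid the marker on the next diff.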