ci: add cis-1.23 hardening in sles rke2 terraform script

Signed-off-by: Yang Chiu <yang.chiu@suse.com>
longhorn · Jul 18, 2023 · 19a768b · 19a768b
1 parent d359421
commit 19a768b
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 3 deletions.
diff --git a/test_framework/Jenkinsfile b/test_framework/Jenkinsfile
@@ -17,6 +17,7 @@ def RANCHER_CHART_GIT_REPO = params.RANCHER_CHART_GIT_REPO ? params.RANCHER_CHAR
 def RANCHER_CHART_GIT_BRANCH = params.RANCHER_CHART_GIT_BRANCH ? params.RANCHER_CHART_GIT_BRANCH : ""
 def RANCHER_CHART_INSTALL_VERSION = params.RANCHER_CHART_INSTALL_VERSION ? params.RANCHER_CHART_INSTALL_VERSION : ""
 def LONGHORN_TRANSIENT_VERSION = params.LONGHORN_TRANSIENT_VERSION ? params.LONGHORN_TRANSIENT_VERSION : ""
+def CIS_HARDENING = params.CIS_HARDENING ? params.CIS_HARDENING : false
 def REGISTRY_URL
 def REGISTRY_USERNAME
 def REGISTRY_PASSWORD
@@ -134,6 +135,7 @@ node {
                                        --env TF_VAR_azure_crt_password=${AZURE_CRT_PASSWORD} \
                                        --env TF_VAR_azure_tenant_id=${AZURE_TENANT_ID} \
                                        --env TF_VAR_azure_subscription_id=${AZURE_SUBSCRIPTION_ID} \
+                                       --env TF_VAR_cis_hardening=${CIS_HARDENING} \
                                        ${imageName}
                 """
 

diff --git a/test_framework/scripts/longhorn-setup.sh b/test_framework/scripts/longhorn-setup.sh
@@ -273,6 +273,14 @@ install_longhorn_stable(){
 
 create_longhorn_namespace(){
   kubectl create ns ${LONGHORN_NAMESPACE}
+  if [[ "${TF_VAR_cis_hardening}" == true ]]; then
+    kubectl label ns default ${LONGHORN_NAMESPACE} pod-security.kubernetes.io/enforce=privileged
+    kubectl label ns default ${LONGHORN_NAMESPACE} pod-security.kubernetes.io/enforce-version=latest
+    kubectl label ns default ${LONGHORN_NAMESPACE} pod-security.kubernetes.io/audit=privileged
+    kubectl label ns default ${LONGHORN_NAMESPACE} pod-security.kubernetes.io/audit-version=latest
+    kubectl label ns default ${LONGHORN_NAMESPACE} pod-security.kubernetes.io/warn=privileged
+    kubectl label ns default ${LONGHORN_NAMESPACE} pod-security.kubernetes.io/warn-version=latest
+  fi
 }
 
 

diff --git a/test_framework/terraform/aws/sles/data.tf b/test_framework/terraform/aws/sles/data.tf
@@ -37,6 +37,7 @@ data "template_file" "provision_rke2_server" {
     rke2_cluster_secret = random_password.cluster_secret.result
     rke2_server_public_ip = aws_eip.lh_aws_eip_controlplane[0].public_ip
     rke2_version =  var.k8s_distro_version
+    cis_hardening = var.cis_hardening
   }
 }
 
@@ -47,5 +48,6 @@ data "template_file" "provision_rke2_agent" {
     rke2_server_url = "https://${aws_eip.lh_aws_eip_controlplane[0].public_ip}:9345"
     rke2_cluster_secret = random_password.cluster_secret.result
     rke2_version =  var.k8s_distro_version
+    cis_hardening = var.cis_hardening
   }
 }
diff --git a/test_framework/terraform/aws/sles/user-data-scripts/provision_rke2_agent.sh.tpl b/test_framework/terraform/aws/sles/user-data-scripts/provision_rke2_agent.sh.tpl
@@ -41,5 +41,20 @@ token: ${rke2_cluster_secret}
 EOF
 
 systemctl enable rke2-agent.service
+
+if [ "${cis_hardening}" == true ]; then
+    cat << EOF > /etc/sysctl.d/60-rke2-cis.conf
+vm.panic_on_oom=0
+vm.overcommit_memory=1
+kernel.panic=10
+kernel.panic_on_oops=1
+EOF
+    systemctl restart systemd-sysctl
+    useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
+    cat << EOF >> /etc/rancher/rke2/config.yaml
+profile: "cis-1.23"
+EOF
+fi
+
 systemctl start rke2-agent.service
 exit $?
diff --git a/test_framework/terraform/aws/sles/user-data-scripts/provision_rke2_server.sh.tpl b/test_framework/terraform/aws/sles/user-data-scripts/provision_rke2_server.sh.tpl
@@ -20,6 +20,21 @@ node-taint:
 EOF
 
 systemctl enable rke2-server.service
+
+if [ "${cis_hardening}" == true ]; then
+    cat << EOF > /etc/sysctl.d/60-rke2-cis.conf
+vm.panic_on_oom=0
+vm.overcommit_memory=1
+kernel.panic=10
+kernel.panic_on_oops=1
+EOF
+    systemctl restart systemd-sysctl
+    useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
+    cat << EOF >> /etc/rancher/rke2/config.yaml
+profile: "cis-1.23"
+EOF
+fi
+
 systemctl start rke2-server.service
 
 until (KUBECONFIG=/etc/rancher/rke2/rke2.yaml /var/lib/rancher/rke2/bin/kubectl get pods -A | grep 'Running'); do

diff --git a/test_framework/terraform/aws/sles/variables.tf b/test_framework/terraform/aws/sles/variables.tf
@@ -99,12 +99,12 @@ variable "k8s_distro_name" {
 
 variable "k8s_distro_version" {
   type        = string
-  default     = "v1.25.3+k3s1"
+  default     = "v1.27.1+k3s1"
   description = <<-EOT
     kubernetes version that will be deployed
     rke: (default: v1.22.5-rancher1-1)
-    k3s: (default: v1.25.3+k3s1)
-    rke2: (default: v1.25.3+rke2r1)
+    k3s: (default: v1.27.1+k3s1)
+    rke2: (default: v1.27.2+rke2r1)
   EOT
 }
 
@@ -117,3 +117,8 @@ variable "create_load_balancer" {
   type    = bool
   default = false
 }
+
+variable "cis_hardening" {
+  type    = bool
+  default = false
+}