nutanix-cloud-native
diff --git a/‎examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/README.md‎
Lines changed: 159 additions & 0 deletions b/‎examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/README.md‎
Lines changed: 159 additions & 0 deletions
diff --git a/‎examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/cis-mitigations-cp-patch.yaml‎
Lines changed: 106 additions & 0 deletions b/‎examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/cis-mitigations-cp-patch.yaml‎
Lines changed: 106 additions & 0 deletions
diff --git a/‎examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/kustomization.yaml‎
Lines changed: 11 additions & 0 deletions b/‎examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/kustomization.yaml‎
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,159 @@
+# Hardened Kubernetes Control Plane Template
+
+## Required Component: kubelet-csr-approver
+
+To meet the following CIS security benchmarks:
+
+- 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate
+- 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true
+
+You must install the Postfinance kubelet-csr-approver:
+
+```bash
+helm repo add kubelet-csr-approver https://postfinance.github.io/kubelet-csr-approver
+helm upgrade --install kubelet-csr-approver \
+  kubelet-csr-approver/kubelet-csr-approver \
+  -n kube-system \
+  --create-namespace \
+  --set maxExpirationSeconds=2592000 \
+  --set leaderElection=true \
+  --set bypassDnsResolution=true \
+  --set rbac.create=true
+```
+
+**Note**: If you choose not to install the kubelet-csr-approver, you must omit the flags related to the CIS benchmarks mentioned above from your configuration.
+
+## Prerequisites
+
+Before applying the kustomization, you need to determine the available Nutanix-provided KubeadmControlPlaneTemplates (those with the "nkp-" prefix) and their versions:
+
+```bash
+# List all available KubeadmControlPlaneTemplates
+kubectl get kubeadmcontrolplanetemplates.controlplane.cluster.x-k8s.io
+
+# Example output:
+# NAME                     AGE
+# nkp-nutanix-v2.14.0      4d
+# some-other-template      19h
+```
+
+**Important**: You must use the Nutanix-provided template (starting with "nkp-") for these hardening configurations to work correctly.
+
+Then export the original Nutanix KubeadmControlPlaneTemplate using the appropriate version:
+
+```bash
+# Replace <VERSION> with your actual version (e.g., v2.14.0)
+kubectl get kubeadmcontrolplanetemplates.controlplane.cluster.x-k8s.io nkp-nutanix-<VERSION> -o yaml > nkp-nutanix-<VERSION>.yaml
+```
+
+## Structure
+
+- `nkp-nutanix-<VERSION>.yaml` - The original KubeadmControlPlaneTemplate (generated by user, replace <VERSION> with your actual version)
+- `cis-mitigations-cp-patch.yaml` - Patch file containing CIS hardening configurations
+- `kustomization.yaml` - Kustomization file that applies the patch and renames the template
+
+**Note**: You need to edit BOTH of these files with your actual version:
+
+1. Edit the `cis-mitigations-cp-patch.yaml` file to replace `<VERSION>` with your actual version in the `metadata.name` field:
+
+```yaml
+apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+kind: KubeadmControlPlaneTemplate
+metadata:
+  name: nkp-nutanix-<VERSION>  # <-- Replace <VERSION> with your actual version
+```
+
+2. Edit the `kustomization.yaml` file to replace `<VERSION>` in the resources section:
+
+```yaml
+resources:
+- nkp-nutanix-<VERSION>.yaml  # <-- Replace <VERSION> with your actual version
+```
+
+## Applying the Kustomization
+
+You can apply this kustomization directly with kubectl:
+
+```bash
+#Ensure you are in a directory for the kustomization.yaml, cis-mitigations-cp-patch.yaml and the nkp-nutanix-<VERSION>.yaml file
+kubectl apply -k .
+```
+
+## Verification
+
+The kustomization will:
+
+1. Take the user-generated KubeadmControlPlaneTemplate `nkp-nutanix-<VERSION>`
+2. Apply the CIS mitigations patch that adds:
+   - API Server hardening (profiling disabled, service account lookup, admission plugins)
+   - Controller Manager settings (terminated pod GC threshold, profiling disabled)
+   - Scheduler settings (profiling disabled)
+   - Required configuration files for EventRateLimit
+   - Additional postKubeadmCommands for file permission hardening
+3. Rename it to `nkp-nutanix-<VERSION>-hardened`
+
+## CIS Mitigations Applied
+
+The following CIS mitigations are applied:
+
+### API Server
+
+- **1.2.15**: Disabled profiling for API server (`profiling: "false"`)
+- **1.2.21**: Enabled service account lookup (`service-account-lookup: "true"`)
+- **1.2.3, 1.2.9, 1.2.11, 1.2.14**: Added admission plugins:
+  - AlwaysPullImages: Enforces that images are always pulled prior to starting containers
+  - DenyServiceExternalIPs: Prevents services from using arbitrary external IPs
+  - EventRateLimit: Mitigates event flooding attacks
+  - NodeRestriction: Limits node access to specific APIs
+- **1.2.9**: Configured EventRateLimit with appropriate admission control config file
+- **1.2.5**: Set kubelet certificate authority (`kubelet-certificate-authority: /etc/kubernetes/pki/ca.crt`)
+  - **Note**: This requires kubelet-csr-approver to be installed. If not installed, this flag should be omitted.
+
+### Controller Manager
+
+- **1.3.1**: Set terminated pod GC threshold to 10000 for better garbage collection
+- **1.3.2**: Disabled profiling (`profiling: "false"`)
+- **1.3.6**: Enabled RotateKubeletServerCertificate feature gate (`feature-gates: RotateKubeletServerCertificate=true`)
+  - **Note**: This requires kubelet-csr-approver to be installed. If not installed, this flag should be omitted.
+
+### Scheduler
+
+- **1.4.1**: Disabled profiling (`profiling: "false"`)
+
+### Kubelet Configuration (Both Init and Join)
+
+- **1.2.5, 1.3.6**: Enabled kubelet server certificate rotation (`rotate-server-certificates: "true"`)
+  - **Note**: This requires kubelet-csr-approver to be installed. If not installed, this flag should be omitted.
+
+### EventRateLimit Configuration
+
+- **1.2.9**: Created admission configuration files with detailed rate limits:
+  - Server-wide: 5000 QPS with 20000 burst
+  - Namespace: 500 QPS with 2000 burst (1000 cache size)
+  - User: 100 QPS with 400 burst (2000 cache size)
+  - SourceAndObject: 50 QPS with 100 burst (5000 cache size)
+
+### File Permissions
+
+- **4.1.1**: Set appropriate file permissions (0600) for sensitive files including:
+  - kubelet.service
+  - kubelet config.yaml
+  - 10-kubeadm.conf
+
+## Applying to Cluster Class
+
+After generating the hardened template, you need to update the cluster class to use it:
+
+1. First, identify the cluster class name and version:
+
+```bash
+kubectl get clusterclasses.cluster.x-k8s.io
+```
+
+2. Patch the cluster class to use the hardened control plane template (replace `<VERSION>` and cluster class name as needed):
+
+```bash
+kubectl patch clusterclass nkp-nutanix-<VERSION> \
+  --type merge \
+  -p='{"spec":{"controlPlane":{"ref":{"name":"nkp-nutanix-<VERSION>-hardened"}}}}'  
+```
@@ -0,0 +1,106 @@
+apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+kind: KubeadmControlPlaneTemplate
+metadata:
+  name: nkp-nutanix-<VERSION>
+spec:
+  template:
+    spec:
+      kubeadmConfigSpec:
+        clusterConfiguration:
+          apiServer:
+            extraArgs:
+              #1.2.15 Ensure that the --profiling argument is set to false
+              profiling: "false"
+              #1.2.21 Ensure that the --service-account-lookup argument is set to true
+              service-account-lookup: "true"
+              #1.2.3 Ensure that the DenyServiceExternalIPs is set
+              #1.2.9 Ensure that the admission control plugin EventRateLimit is set
+              #1.2.11 Ensure that the admission control plugin AlwaysPullImages is set
+              #1.2.14 Ensure that the admission control plugin NodeRestriction is set
+              enable-admission-plugins: AlwaysPullImages,EventRateLimit,DenyServiceExternalIPs,NodeRestriction
+              #1.2.9 Ensure that the admission control plugin EventRateLimit is set
+              admission-control-config-file: /etc/kubernetes/admission/admissionConfiguration.yaml
+              #1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate
+              #This requires https://github.com/postfinance/kubelet-csr-approver to be installed. Install using the below helm command.
+              #helm upgrade --install kubelet-csr-approver kubelet-csr-approver/kubelet-csr-approver -n kube-system --create-namespace --set maxExpirationSeconds=2592000 --set leaderElection=true --set bypassDnsResolution=true --set rbac.create=true
+              #If kubelet-csr-approver is not installed, ensure the below flag is omitted using a #
+              kubelet-certificate-authority: /etc/kubernetes/pki/ca.crt
+            extraVolumes:
+              #1.2.9 Ensure that the admission control plugin EventRateLimit is set
+            - name: admission-config
+              hostPath: /etc/kubernetes/admission
+              mountPath: /etc/kubernetes/admission
+              readOnly: true
+              pathType: DirectoryOrCreate
+          controllerManager:
+            extraArgs:
+              #1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate
+              terminated-pod-gc-threshold: "10000"
+              #1.3.2 Ensure that the --profiling argument is set to false
+              profiling: "false"
+              #1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true
+              #This requires https://github.com/postfinance/kubelet-csr-approver to be installed. Install using the below helm command.
+              #helm upgrade --install kubelet-csr-approver kubelet-csr-approver/kubelet-csr-approver -n kube-system --create-namespace --set maxExpirationSeconds=2592000 --set leaderElection=true --set bypassDnsResolution=true --set rbac.create=true
+              #If kubelet-csr-approver is not installed, ensure the below flag is omitted using a #
+              feature-gates: RotateKubeletServerCertificate=true
+          scheduler:
+            extraArgs:
+              #1.4.1 Ensure that the --profiling argument is set to false
+              profiling: "false"
+        files:
+          #1.2.9 Ensure that the admission control plugin EventRateLimit is set
+        - content: |
+            apiVersion: apiserver.config.k8s.io/v1
+            kind: AdmissionConfiguration
+            plugins:
+              - name: EventRateLimit
+                path: /etc/kubernetes/admission/eventRateLimit.yaml
+          path: /etc/kubernetes/admission/admissionConfiguration.yaml
+          permissions: "0600"
+          #1.2.9 Ensure that the admission control plugin EventRateLimit is set
+        - content: |
+            apiVersion: eventratelimit.admission.k8s.io/v1alpha1
+            kind: Configuration
+            limits:
+            - type: Server
+              qps: 5000
+              burst: 20000
+            - type: Namespace
+              qps: 500
+              burst: 2000
+              cacheSize: 1000
+            - type: User
+              qps: 100
+              burst: 400
+              cacheSize: 2000
+            - type: SourceAndObject
+              qps: 50
+              burst: 100
+              cacheSize: 5000
+          path: /etc/kubernetes/admission/eventRateLimit.yaml
+          permissions: "0600"
+        initConfiguration:
+          nodeRegistration:
+            kubeletExtraArgs:
+              #1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate
+              #1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true
+              #This requires https://github.com/postfinance/kubelet-csr-approver to be installed. Install using the below helm command.
+              #helm upgrade --install kubelet-csr-approver kubelet-csr-approver/kubelet-csr-approver -n kube-system --create-namespace --set maxExpirationSeconds=2592000 --set leaderElection=true --set bypassDnsResolution=true --set rbac.create=true
+              #If kubelet-csr-approver is not installed, ensure the below flag is omitted using a #
+              rotate-server-certificates: "true"
+        joinConfiguration:
+          nodeRegistration:
+            kubeletExtraArgs:
+              #1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate
+              #1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true
+              #This requires https://github.com/postfinance/kubelet-csr-approver to be installed. Install using the below helm command.
+              #helm upgrade --install kubelet-csr-approver kubelet-csr-approver/kubelet-csr-approver -n kube-system --create-namespace --set maxExpirationSeconds=2592000 --set leaderElection=true --set bypassDnsResolution=true --set rbac.create=true
+              #If kubelet-csr-approver is not installed, ensure the below flag is omitted using a #
+              rotate-server-certificates: "true"
+        postKubeadmCommands:
+        - echo export KUBECONFIG=/etc/kubernetes/admin.conf >> /root/.bashrc
+        - echo "after kubeadm call" > /var/log/postkubeadm.log
+        #4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive
+        - chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"
+        - chmod 600 /var/lib/kubelet/config.yaml
+        - chmod 600 /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- nkp-nutanix-<VERSION>.yaml
+
+patches:
+- path: cis-mitigations-cp-patch.yaml
+
+namePrefix: ""
+nameSuffix: "-hardened"