nutanix-cloud-native
diff --git a/‎examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/README.md‎
Lines changed: 19 additions & 75 deletions b/‎examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/README.md‎
Lines changed: 19 additions & 75 deletions
diff --git a/‎examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/cis-mitigations-cp-patch.yaml‎
Lines changed: 2 additions & 39 deletions b/‎examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/cis-mitigations-cp-patch.yaml‎
Lines changed: 2 additions & 39 deletions
diff --git a/‎examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/harden.sh‎
Lines changed: 41 additions & 0 deletions b/‎examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/harden.sh‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/kustomization.yaml‎
Lines changed: 106 additions & 0 deletions b/‎examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/kustomization.yaml‎
Lines changed: 106 additions & 0 deletions
@@ -21,80 +21,41 @@ helm upgrade --install kubelet-csr-approver \
   --set rbac.create=true
 ```
 
-**Note**: If you choose not to install the kubelet-csr-approver, you must omit the flags related to the CIS benchmarks mentioned above from your configuration.
+**Note**: If you choose not to install the kubelet-csr-approver, you must omit the flags related to the CIS benchmarks mentioned above from your configuration from the `cis-mitigations-cp-patch.yaml` file.
 
-## Prerequisites
+## Directory Structure
 
-Before applying the kustomization, you need to determine the available Nutanix-provided KubeadmControlPlaneTemplates (those with the "nkp-" prefix) and their versions:
+This directory contains the following files:
 
-```bash
-# List all available KubeadmControlPlaneTemplates
-kubectl get kubeadmcontrolplanetemplates.controlplane.cluster.x-k8s.io
-
-# Example output:
-# NAME                     AGE
-# nkp-nutanix-v2.14.0      4d
-# some-other-template      19h
-```
-
-**Important**: You must use the Nutanix-provided template (starting with "nkp-") for these hardening configurations to work correctly.
-
-Then export the original Nutanix KubeadmControlPlaneTemplate using the appropriate version:
-
-```bash
-# Replace <VERSION> with your actual version (e.g., v2.14.0)
-kubectl get kubeadmcontrolplanetemplates.controlplane.cluster.x-k8s.io nkp-nutanix-<VERSION> -o yaml > nkp-nutanix-<VERSION>.yaml
-```
-
-## Structure
-
-- `nkp-nutanix-<VERSION>.yaml` - The original KubeadmControlPlaneTemplate (generated by user, replace <VERSION> with your actual version)
+- `harden.sh` - Automated script to simplify the hardening process (recommended method)
 - `cis-mitigations-cp-patch.yaml` - Patch file containing CIS hardening configurations
 - `kustomization.yaml` - Kustomization file that applies the patch and renames the template
+- `nkp-nutanix-<VERSION>.yaml` - The original KubeadmControlPlaneTemplate (generated during the hardening process via `./harden.sh`)
 
-**Note**: You need to edit BOTH of these files with your actual version:
-
-1. Edit the `cis-mitigations-cp-patch.yaml` file to replace `<VERSION>` with your actual version in the `metadata.name` field:
-
-```yaml
-apiVersion: controlplane.cluster.x-k8s.io/v1beta1
-kind: KubeadmControlPlaneTemplate
-metadata:
-  name: nkp-nutanix-<VERSION>  # <-- Replace <VERSION> with your actual version
-```
-
-2. Edit the `kustomization.yaml` file to replace `<VERSION>` in the resources section:
-
-```yaml
-resources:
-- nkp-nutanix-<VERSION>.yaml  # <-- Replace <VERSION> with your actual version
-```
+The `harden.sh` script automates the following tasks:
+1. Lists available KubeadmControlPlaneTemplates
+2. Prompts for the NKP version
+3. Exports the original template
+4. Updates all version placeholders in configuration files
+5. Applies the kustomization to create the hardened template
+6. Provides guidance on patching the ClusterClass to use the hardened template
 
-## Applying the Kustomization
+## Applying the Hardening
 
-You can apply this kustomization directly with kubectl:
+Simply run the hardening script and follow the prompts. Ensure that you have the `KUBECONFIG` environment variable set to the Management Cluster (or Self-Managed) before running it:
 
 ```bash
-#Ensure you are in a directory for the kustomization.yaml, cis-mitigations-cp-patch.yaml and the nkp-nutanix-<VERSION>.yaml file
-kubectl apply -k .
+#export KUBECONFIG=<MANAGEMENT_CLUSTER_KUBECONFIG>
+./harden.sh
 ```
 
-## Verification
-
-The kustomization will:
+This script will guide you through the process, automatically generate the required files, and apply the kustomization.
 
-1. Take the user-generated KubeadmControlPlaneTemplate `nkp-nutanix-<VERSION>`
-2. Apply the CIS mitigations patch that adds:
-   - API Server hardening (profiling disabled, service account lookup, admission plugins)
-   - Controller Manager settings (terminated pod GC threshold, profiling disabled)
-   - Scheduler settings (profiling disabled)
-   - Required configuration files for EventRateLimit
-   - Additional postKubeadmCommands for file permission hardening
-3. Rename it to `nkp-nutanix-<VERSION>-hardened`
+**Note**: For a fully hardened cluster, you should also apply hardening to the worker nodes by using the scripts in the `../worker` directory.
 
 ## CIS Mitigations Applied
 
-The following CIS mitigations are applied:
+The following CIS mitigations are applied to the Control Plane Nodes:
 
 ### API Server
 
@@ -140,20 +101,3 @@ The following CIS mitigations are applied:
   - kubelet config.yaml
   - 10-kubeadm.conf
 
-## Applying to Cluster Class
-
-After generating the hardened template, you need to update the cluster class to use it:
-
-1. First, identify the cluster class name and version:
-
-```bash
-kubectl get clusterclasses.cluster.x-k8s.io
-```
-
-2. Patch the cluster class to use the hardened control plane template (replace `<VERSION>` and cluster class name as needed):
-
-```bash
-kubectl patch clusterclass nkp-nutanix-<VERSION> \
-  --type merge \
-  -p='{"spec":{"controlPlane":{"ref":{"name":"nkp-nutanix-<VERSION>-hardened"}}}}'  
-```
@@ -47,38 +47,7 @@ spec:
             extraArgs:
               #1.4.1 Ensure that the --profiling argument is set to false
               profiling: "false"
-        files:
-          #1.2.9 Ensure that the admission control plugin EventRateLimit is set
-        - content: |
-            apiVersion: apiserver.config.k8s.io/v1
-            kind: AdmissionConfiguration
-            plugins:
-              - name: EventRateLimit
-                path: /etc/kubernetes/admission/eventRateLimit.yaml
-          path: /etc/kubernetes/admission/admissionConfiguration.yaml
-          permissions: "0600"
-          #1.2.9 Ensure that the admission control plugin EventRateLimit is set
-        - content: |
-            apiVersion: eventratelimit.admission.k8s.io/v1alpha1
-            kind: Configuration
-            limits:
-            - type: Server
-              qps: 5000
-              burst: 20000
-            - type: Namespace
-              qps: 500
-              burst: 2000
-              cacheSize: 1000
-            - type: User
-              qps: 100
-              burst: 400
-              cacheSize: 2000
-            - type: SourceAndObject
-              qps: 50
-              burst: 100
-              cacheSize: 5000
-          path: /etc/kubernetes/admission/eventRateLimit.yaml
-          permissions: "0600"
+
         initConfiguration:
           nodeRegistration:
             kubeletExtraArgs:
@@ -97,10 +66,4 @@ spec:
               #helm upgrade --install kubelet-csr-approver kubelet-csr-approver/kubelet-csr-approver -n kube-system --create-namespace --set maxExpirationSeconds=2592000 --set leaderElection=true --set bypassDnsResolution=true --set rbac.create=true
               #If kubelet-csr-approver is not installed, ensure the below flag is omitted using a #
               rotate-server-certificates: "true"
-        postKubeadmCommands:
-        - echo export KUBECONFIG=/etc/kubernetes/admin.conf >> /root/.bashrc
-        - echo "after kubeadm call" > /var/log/postkubeadm.log
-        #4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive
-        - chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"
-        - chmod 600 /var/lib/kubelet/config.yaml
-        - chmod 600 /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
+
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# List all the KubeadmControlPlaneTemplates to find the latest version
+echo "Listing all KubeadmControlPlaneTemplates:"
+kubectl get kubeadmcontrolplanetemplates.controlplane.cluster.x-k8s.io
+
+# Prompt for the NKP version
+echo "Please enter the NKP version from the list above (e.g., for NKP version nkp-nutanix-v2.14.0, enter v2.14.0):"
+read -p "> " VERSION
+
+# Validate version format
+if [[ ! $VERSION =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+  echo "Invalid version format. Please use the format v<major>.<minor>.<patch> (e.g., v2.14.1)"
+  exit 1
+fi
+
+echo "Using NKP version: $VERSION"
+
+# Clone the Latest KubeadmControlplaneTemplate
+echo "Cloning the template: nkp-nutanix-${VERSION}"
+kubectl get kubeadmcontrolplanetemplates.controlplane.cluster.x-k8s.io nkp-nutanix-${VERSION} -o yaml > nkp-nutanix-${VERSION}.yaml
+
+# Replace <VERSION> with the actual version in all files
+echo "Replacing <VERSION> with ${VERSION} in all files..."
+sed -i "s/<VERSION>/${VERSION}/g" kustomization.yaml
+sed -i "s/<VERSION>/${VERSION}/g" cis-mitigations-cp-patch.yaml
+
+echo "Replacement complete!"
+echo "Files have been updated with version: ${VERSION}"
+
+echo "Applying kustomization to create hardened control plane template..."
+kubectl apply -k .
+
+echo "You can now patch the ClusterClass to use the Hardened KubeadmControlPlaneTemplates"
+echo "Here are the available ClusterClass"
+
+kubectl get clusterclasses.cluster.x-k8s.io
+
+echo "Run the below command after replacing the <CLUSTER_CLASS> with the ClusterClass in use from the list above"
+echo "kubectl patch clusterclass <CLUSTER_CLASS> \\
+  --type merge -p='{\"spec\":{\"controlPlane\":{\"ref\":{\"name\":\"nkp-nutanix-${VERSION}-hardened\"}}}}'"
@@ -6,6 +6,112 @@ resources:
 
 patches:
 - path: cis-mitigations-cp-patch.yaml
+- target:
+    group: controlplane.cluster.x-k8s.io
+    version: v1beta1
+    kind: KubeadmControlPlaneTemplate
+    #target <2.15.0
+    name: nkp-nutanix-v2.1[0-4].*
+  patch: |
+    #so that it works in v2.14.0. Make sure to remove after to 2.14.0
+    - op: add
+      path: /spec/template/spec/kubeadmConfigSpec/files
+      value: []
+    - op: add
+      path: /spec/template/spec/kubeadmConfigSpec/files/-
+      value:
+        path: /etc/kubernetes/admission/admissionConfiguration.yaml
+        permissions: "0600"
+        content: |
+          apiVersion: apiserver.config.k8s.io/v1
+          kind: AdmissionConfiguration
+          plugins:
+          - name: EventRateLimit
+            path: /etc/kubernetes/admission/eventRateLimit.yaml
+    - op: add
+      path: /spec/template/spec/kubeadmConfigSpec/files/-
+      value:
+        path: /etc/kubernetes/admission/eventRateLimit.yaml
+        permissions: "0600"
+        content: |
+          apiVersion: eventratelimit.admission.k8s.io/v1alpha1
+          kind: Configuration
+          limits:
+          - type: Server
+            qps: 5000
+            burst: 20000
+          - type: Namespace
+            qps: 500
+            burst: 2000
+            cacheSize: 1000
+          - type: User
+            qps: 100
+            burst: 400
+            cacheSize: 2000
+          - type: SourceAndObject
+            qps: 50
+            burst: 100
+            cacheSize: 5000
+    - op: add
+      path: /spec/template/spec/kubeadmConfigSpec/postKubeadmCommands/-
+      value: 'chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"'
+    - op: add
+      path: /spec/template/spec/kubeadmConfigSpec/postKubeadmCommands/-
+      value: 'chmod 600 /var/lib/kubelet/config.yaml'
+    - op: add
+      path: /spec/template/spec/kubeadmConfigSpec/postKubeadmCommands/-
+      value: 'chmod 600 /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf'
 
+- target:
+    group: controlplane.cluster.x-k8s.io
+    version: v1beta1
+    kind: KubeadmControlPlaneTemplate
+    #target only NKP => v2.15.0
+    name: nkp-nutanix-v2.1[5-9].* 
+  patch: |
+    - op: add
+      path: /spec/template/spec/kubeadmConfigSpec/files/-
+      value:
+        path: /etc/kubernetes/admission/admissionConfiguration.yaml
+        permissions: "0600"
+        content: |
+          apiVersion: apiserver.config.k8s.io/v1
+          kind: AdmissionConfiguration
+          plugins:
+          - name: EventRateLimit
+            path: /etc/kubernetes/admission/eventRateLimit.yaml
+    - op: add
+      path: /spec/template/spec/kubeadmConfigSpec/files/-
+      value:
+        path: /etc/kubernetes/admission/eventRateLimit.yaml
+        permissions: "0600"
+        content: |
+          apiVersion: eventratelimit.admission.k8s.io/v1alpha1
+          kind: Configuration
+          limits:
+          - type: Server
+            qps: 5000
+            burst: 20000
+          - type: Namespace
+            qps: 500
+            burst: 2000
+            cacheSize: 1000
+          - type: User
+            qps: 100
+            burst: 400
+            cacheSize: 2000
+          - type: SourceAndObject
+            qps: 50
+            burst: 100
+            cacheSize: 5000
+    - op: add
+      path: /spec/template/spec/kubeadmConfigSpec/postKubeadmCommands/-
+      value: 'chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"'
+    - op: add
+      path: /spec/template/spec/kubeadmConfigSpec/postKubeadmCommands/-
+      value: 'chmod 600 /var/lib/kubelet/config.yaml'
+    - op: add
+      path: /spec/template/spec/kubeadmConfigSpec/postKubeadmCommands/-
+      value: 'chmod 600 /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf'
 namePrefix: ""
 nameSuffix: "-hardened"