diff --git a/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/README.md b/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/README.md new file mode 100644 index 000000000..847ed92a6 --- /dev/null +++ b/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/README.md 
@@ -0,0 +1,103 @@ +# Hardened Kubernetes Control Plane Template + +## Required Component: kubelet-csr-approver + +To meet the following CIS security benchmarks: + +- 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate +- 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true + +You must install the Postfinance kubelet-csr-approver: + +```bash +helm repo add kubelet-csr-approver https://postfinance.github.io/kubelet-csr-approver +helm upgrade --install kubelet-csr-approver \ + kubelet-csr-approver/kubelet-csr-approver \ + -n kube-system \ + --create-namespace \ + --set maxExpirationSeconds=2592000 \ + --set leaderElection=true \ + --set bypassDnsResolution=true \ + --set rbac.create=true +``` + +**Note**: If you choose not to install the kubelet-csr-approver, you must omit the flags related to the CIS benchmarks mentioned above from your configuration from the `cis-mitigations-cp-patch.yaml` file. + +## Directory Structure + +This directory contains the following files: + +- `harden.sh` - Automated script to simplify the hardening process (recommended method) +- `cis-mitigations-cp-patch.yaml` - Patch file containing CIS hardening configurations +- `kustomization.yaml` - Kustomization file that applies the patch and renames the template +- `nkp-nutanix-.yaml` - The original KubeadmControlPlaneTemplate (generated during the hardening process via `./harden.sh`) + +The `harden.sh` script automates the following tasks: +1. Lists available KubeadmControlPlaneTemplates +2. Prompts for the NKP version +3. Exports the original template +4. Updates all version placeholders in configuration files +5. Applies the kustomization to create the hardened template +6. Provides guidance on patching the ClusterClass to use the hardened template + +## Applying the Hardening + +Simply run the hardening script and follow the prompts. 
Ensure that you have the `KUBECONFIG` environment variable set to the Management Cluster (or Self-Managed) before running it: + +```bash +#export KUBECONFIG= +./harden.sh +``` + +This script will guide you through the process, automatically generate the required files, and apply the kustomization. + +**Note**: For a fully hardened cluster, you should also apply hardening to the worker nodes by using the scripts in the `../worker` directory. + +## CIS Mitigations Applied + +The following CIS mitigations are applied to the Control Plane Nodes: + +### API Server + +- **1.2.15**: Disabled profiling for API server (`profiling: "false"`) +- **1.2.21**: Enabled service account lookup (`service-account-lookup: "true"`) +- **1.2.3, 1.2.9, 1.2.11, 1.2.14**: Added admission plugins: + - AlwaysPullImages: Enforces that images are always pulled prior to starting containers + - DenyServiceExternalIPs: Prevents services from using arbitrary external IPs + - EventRateLimit: Mitigates event flooding attacks + - NodeRestriction: Limits node access to specific APIs +- **1.2.9**: Configured EventRateLimit with appropriate admission control config file +- **1.2.5**: Set kubelet certificate authority (`kubelet-certificate-authority: /etc/kubernetes/pki/ca.crt`) + - **Note**: This requires kubelet-csr-approver to be installed. If not installed, this flag should be omitted. + +### Controller Manager + +- **1.3.1**: Set terminated pod GC threshold to 10000 for better garbage collection +- **1.3.2**: Disabled profiling (`profiling: "false"`) +- **1.3.6**: Enabled RotateKubeletServerCertificate feature gate (`feature-gates: RotateKubeletServerCertificate=true`) + - **Note**: This requires kubelet-csr-approver to be installed. If not installed, this flag should be omitted. 
+ +### Scheduler + +- **1.4.1**: Disabled profiling (`profiling: "false"`) + +### Kubelet Configuration (Both Init and Join) + +- **1.2.5, 1.3.6**: Enabled kubelet server certificate rotation (`rotate-server-certificates: "true"`) + - **Note**: This requires kubelet-csr-approver to be installed. If not installed, this flag should be omitted. + +### EventRateLimit Configuration + +- **1.2.9**: Created admission configuration files with detailed rate limits: + - Server-wide: 5000 QPS with 20000 burst + - Namespace: 500 QPS with 2000 burst (1000 cache size) + - User: 100 QPS with 400 burst (2000 cache size) + - SourceAndObject: 50 QPS with 100 burst (5000 cache size) + +### File Permissions + +- **4.1.1**: Set appropriate file permissions (0600) for sensitive files including: + - kubelet.service + - kubelet config.yaml + - 10-kubeadm.conf + diff --git a/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/cis-mitigations-cp-patch.yaml b/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/cis-mitigations-cp-patch.yaml new file mode 100644 index 000000000..242603016 --- /dev/null +++ b/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/cis-mitigations-cp-patch.yaml 
@@ -0,0 +1,70 @@ +apiVersion: controlplane.cluster.x-k8s.io/v1beta1 +kind: KubeadmControlPlaneTemplate +metadata: + name: nkp-nutanix- + namespace: +spec: + template: + spec: + kubeadmConfigSpec: + clusterConfiguration: + apiServer: + extraArgs: + #1.2.15 Ensure that the --profiling argument is set to false + profiling: "false" + #1.2.21 Ensure that the --service-account-lookup argument is set to true + service-account-lookup: "true" + #1.2.3 Ensure that the DenyServiceExternalIPs is set + #1.2.9 Ensure that the admission control plugin EventRateLimit is set + #1.2.11 Ensure that the admission control plugin AlwaysPullImages is set + #1.2.14 Ensure that the admission control plugin NodeRestriction is set + enable-admission-plugins: AlwaysPullImages,EventRateLimit,DenyServiceExternalIPs,NodeRestriction + #1.2.9 Ensure that the admission control plugin EventRateLimit is set + admission-control-config-file: /etc/kubernetes/admission/admissionConfiguration.yaml + #1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate + #This requires https://github.com/postfinance/kubelet-csr-approver to be installed. Install using the below helm command. 
+ #helm upgrade --install kubelet-csr-approver kubelet-csr-approver/kubelet-csr-approver -n kube-system --create-namespace --set maxExpirationSeconds=2592000 --set leaderElection=true --set bypassDnsResolution=true --set rbac.create=true + #If kubelet-csr-approver is not installed, ensure the below flag is omitted using a # + kubelet-certificate-authority: /etc/kubernetes/pki/ca.crt + extraVolumes: + #1.2.9 Ensure that the admission control plugin EventRateLimit is set + - name: admission-config + hostPath: /etc/kubernetes/admission + mountPath: /etc/kubernetes/admission + readOnly: true + pathType: DirectoryOrCreate + controllerManager: + extraArgs: + #1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate + terminated-pod-gc-threshold: "10000" + #1.3.2 Ensure that the --profiling argument is set to false + profiling: "false" + #1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true + #This requires https://github.com/postfinance/kubelet-csr-approver to be installed. Install using the below helm command. + #helm upgrade --install kubelet-csr-approver kubelet-csr-approver/kubelet-csr-approver -n kube-system --create-namespace --set maxExpirationSeconds=2592000 --set leaderElection=true --set bypassDnsResolution=true --set rbac.create=true + #If kubelet-csr-approver is not installed, ensure the below flag is omitted using a # + feature-gates: RotateKubeletServerCertificate=true + scheduler: + extraArgs: + #1.4.1 Ensure that the --profiling argument is set to false + profiling: "false" + + initConfiguration: + nodeRegistration: + kubeletExtraArgs: + #1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate + #1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true + #This requires https://github.com/postfinance/kubelet-csr-approver to be installed. Install using the below helm command. 
+ #helm upgrade --install kubelet-csr-approver kubelet-csr-approver/kubelet-csr-approver -n kube-system --create-namespace --set maxExpirationSeconds=2592000 --set leaderElection=true --set bypassDnsResolution=true --set rbac.create=true + #If kubelet-csr-approver is not installed, ensure the below flag is omitted using a # + rotate-server-certificates: "true" + joinConfiguration: + nodeRegistration: + kubeletExtraArgs: + #1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate + #1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true + #This requires https://github.com/postfinance/kubelet-csr-approver to be installed. Install using the below helm command. + #helm upgrade --install kubelet-csr-approver kubelet-csr-approver/kubelet-csr-approver -n kube-system --create-namespace --set maxExpirationSeconds=2592000 --set leaderElection=true --set bypassDnsResolution=true --set rbac.create=true + #If kubelet-csr-approver is not installed, ensure the below flag is omitted using a # + rotate-server-certificates: "true" + diff --git a/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/harden.sh b/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/harden.sh new file mode 100755 index 000000000..c717b6655 --- /dev/null +++ b/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/harden.sh 
@@ -0,0 +1,72 @@ +#!/bin/bash + +# Color codes +CYAN='\033[0;36m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +RED='\033[0;31m' +NC='\033[0m' # No Color + +echo -e "${CYAN}Listing all clusters in all namespaces...${NC}" + +kubectl get clusters -A + +echo "" +echo -e "${YELLOW}Please enter the namespace of the cluster you wish to harden (press Enter to use 'default'):${NC}" +read -p "> " NAMESPACE +NAMESPACE=${NAMESPACE:-default} + +echo "" +echo -e "${CYAN}Using namespace: $NAMESPACE${NC}" + +echo "" +echo -e "${CYAN}Listing all the KubeadmControlPlaneTemplates in namespace $NAMESPACE...${NC}" +kubectl get kubeadmcontrolplanetemplates.controlplane.cluster.x-k8s.io -n $NAMESPACE + +echo "" +echo -e "${YELLOW}Please enter the NKP version from the list above (e.g., for NKP version nkp-nutanix-v2.14.0, enter v2.14.0):${NC}" +read -p "> " VERSION + +echo "" +# Validate version format +if [[ ! $VERSION =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + echo -e "${RED}Invalid version format. Please use the format v.. 
(e.g., v2.14.1)${NC}" + exit 1 +fi + +echo -e "${CYAN}Using NKP version: $VERSION${NC}" + +echo "" +# Clone the Latest KubeadmControlplaneTemplate +echo -e "${CYAN}Cloning the template: nkp-nutanix-${VERSION} from namespace $NAMESPACE...${NC}" +kubectl get kubeadmcontrolplanetemplates.controlplane.cluster.x-k8s.io nkp-nutanix-${VERSION} -n $NAMESPACE -o yaml > nkp-nutanix-${VERSION}.yaml + +echo "" +# Replace with the actual version in all files +echo -e "${CYAN}Replacing with ${VERSION} in all files...${NC}" +sed -i "s//${VERSION}/g" kustomization.yaml +sed -i "s//${VERSION}/g" cis-mitigations-cp-patch.yaml + +# Replace with the actual namespace in all files +echo -e "${CYAN}Replacing with ${NAMESPACE} in all files...${NC}" +sed -i "s//${NAMESPACE}/g" kustomization.yaml +sed -i "s//${NAMESPACE}/g" cis-mitigations-cp-patch.yaml + +echo "" +echo -e "${GREEN}Replacement complete!${NC}" +echo -e "${GREEN}Files have been updated with version: ${VERSION} and namespace: ${NAMESPACE}${NC}" + +echo "" +echo -e "${CYAN}Applying kustomization to create hardened control plane template...${NC}" +kubectl apply -n $NAMESPACE -k . + +echo "" +echo -e "${CYAN}You can now patch the ClusterClass to use the Hardened KubeadmControlPlaneTemplates${NC}" +echo -e "${CYAN}Here are the available ClusterClass in namespace $NAMESPACE${NC}" + +kubectl get clusterclasses.cluster.x-k8s.io -n $NAMESPACE + +echo "" +echo -e "${YELLOW}Run the below command after replacing the with the ClusterClass in use from the list above${NC}" +echo -e "kubectl patch clusterclass -n $NAMESPACE \\ + --type merge -p='{\"spec\":{\"controlPlane\":{\"ref\":{\"name\":\"nkp-nutanix-${VERSION}-hardened\"}}}}'" \ No newline at end of file diff --git a/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/kustomization.yaml b/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/kustomization.yaml new file mode 100644 index 000000000..c13275a9c --- /dev/null 
+++ b/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/control-plane/kustomization.yaml 
@@ -0,0 +1,125 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- nkp-nutanix-.yaml + +patches: +- path: cis-mitigations-cp-patch.yaml +- target: + group: controlplane.cluster.x-k8s.io + version: v1beta1 + kind: KubeadmControlPlaneTemplate + #target <2.15.0 + name: nkp-nutanix-v2.1[0-4].* + namespace: + patch: | + #so that it works in v2.14.0. Make sure to remove after to 2.14.0 + - op: add + path: /spec/template/spec/kubeadmConfigSpec/files + value: [] + - op: add + path: /spec/template/spec/kubeadmConfigSpec/files/- + value: + path: /etc/kubernetes/admission/admissionConfiguration.yaml + permissions: "0600" + content: | + apiVersion: apiserver.config.k8s.io/v1 + kind: AdmissionConfiguration + plugins: + - name: EventRateLimit + path: /etc/kubernetes/admission/eventRateLimit.yaml + - op: add + path: /spec/template/spec/kubeadmConfigSpec/files/- + value: + path: /etc/kubernetes/admission/eventRateLimit.yaml + permissions: "0600" + content: | + apiVersion: eventratelimit.admission.k8s.io/v1alpha1 + kind: Configuration + limits: + - type: Server + qps: 5000 + burst: 20000 + - type: Namespace + qps: 500 + burst: 2000 + cacheSize: 1000 + - type: User + qps: 100 + burst: 400 + cacheSize: 2000 + - type: SourceAndObject + qps: 50 + burst: 100 + cacheSize: 5000 + - op: add + path: /spec/template/spec/kubeadmConfigSpec/postKubeadmCommands/- + value: 'chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"' + - op: add + path: /spec/template/spec/kubeadmConfigSpec/postKubeadmCommands/- + value: 'chmod 600 /var/lib/kubelet/config.yaml' + - op: add + path: /spec/template/spec/kubeadmConfigSpec/postKubeadmCommands/- + value: 'echo "serverTLSBootstrap: true" >> /var/lib/kubelet/config.yaml' + - op: add + path: /spec/template/spec/kubeadmConfigSpec/postKubeadmCommands/- + value: 'chmod 600 /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf' + +- target: + group: controlplane.cluster.x-k8s.io + version: v1beta1 + kind: 
KubeadmControlPlaneTemplate + #target only NKP => v2.15.0 + name: nkp-nutanix-v2.1[5-9].* + namespace: + patch: | + - op: add + path: /spec/template/spec/kubeadmConfigSpec/files/- + value: + path: /etc/kubernetes/admission/admissionConfiguration.yaml + permissions: "0600" + content: | + apiVersion: apiserver.config.k8s.io/v1 + kind: AdmissionConfiguration + plugins: + - name: EventRateLimit + path: /etc/kubernetes/admission/eventRateLimit.yaml + - op: add + path: /spec/template/spec/kubeadmConfigSpec/files/- + value: + path: /etc/kubernetes/admission/eventRateLimit.yaml + permissions: "0600" + content: | + apiVersion: eventratelimit.admission.k8s.io/v1alpha1 + kind: Configuration + limits: + - type: Server + qps: 5000 + burst: 20000 + - type: Namespace + qps: 500 + burst: 2000 + cacheSize: 1000 + - type: User + qps: 100 + burst: 400 + cacheSize: 2000 + - type: SourceAndObject + qps: 50 + burst: 100 + cacheSize: 5000 + - op: add + path: /spec/template/spec/kubeadmConfigSpec/postKubeadmCommands/- + value: 'chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"' + - op: add + path: /spec/template/spec/kubeadmConfigSpec/postKubeadmCommands/- + value: 'chmod 600 /var/lib/kubelet/config.yaml' + - op: add + path: /spec/template/spec/kubeadmConfigSpec/postKubeadmCommands/- + value: 'echo "serverTLSBootstrap: true" >> /var/lib/kubelet/config.yaml' + - op: add + path: /spec/template/spec/kubeadmConfigSpec/postKubeadmCommands/- + value: 'chmod 600 /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf' +namePrefix: "" +nameSuffix: "-hardened" diff --git a/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/worker/README.md b/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/worker/README.md new file mode 100644 index 000000000..ca1379f62 --- /dev/null +++ b/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/worker/README.md 
@@ -0,0 +1,76 @@ +# Hardened Kubernetes Worker Node Template + +## Required Component: kubelet-csr-approver + +To meet the following CIS security benchmarks: + +- 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate +- 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true +- Enable Kubelet Server Cert Rotation + +You must install the Postfinance kubelet-csr-approver: + +```bash +helm repo add kubelet-csr-approver https://postfinance.github.io/kubelet-csr-approver +helm upgrade --install kubelet-csr-approver \ + kubelet-csr-approver/kubelet-csr-approver \ + -n kube-system \ + --create-namespace \ + --set maxExpirationSeconds=2592000 \ + --set leaderElection=true \ + --set bypassDnsResolution=true \ + --set rbac.create=true +``` + +**Note**: If you choose not to install the kubelet-csr-approver, you must omit the flags related to the CIS benchmarks mentioned above from your configuration from the `cis-mitigations-worker-patch.yaml` file. + +## Directory Structure + +This directory contains the following files: + +- `harden.sh` - Automated script to simplify the hardening process (recommended method) +- `cis-mitigations-worker-patch.yaml` - Patch file containing CIS hardening configurations +- `kustomization.yaml` - Kustomization file that applies the patch and renames the template +- `nkp-nutanix-worker-.yaml` - The original KubeadmConfigTemplate (generated during the hardening process via `./harden.sh`) + +The `harden.sh` script automates the following tasks: +1. Lists available KubeadmConfigTemplates for workers +2. Prompts for the NKP version +3. Exports the original template +4. Updates all version placeholders in configuration files +5. Applies the kustomization to create the hardened template +6. Provides guidance on patching the ClusterClass to use the hardened template + +## Applying the Hardening + +Simply run the hardening script and follow the prompts. 
Ensure that you have the `KUBECONFIG` environment variable set to the Management Cluster (or Self-Managed) before running it: + +```bash +#export KUBECONFIG= +./harden.sh +``` + +This script will guide you through the process, automatically generate the required files, and apply the kustomization. + +**Note**: For a fully hardened cluster, you should also apply hardening to the control plane nodes by using the scripts in the `../control-plane` directory. + +## CIS Mitigations Applied + +The following CIS mitigations are applied to worker nodes: + +### Kubelet Configuration + +- **4.1.1**: Set kubelet service file permissions to 600 or more restrictive +- **4.2.4**: Disable read-only port (`read-only-port: 0`) +- **4.2.5**: Set streaming connection idle timeout (`streaming-connection-idle-timeout: 5m`) +- **4.2.6**: Enable make-iptables-util-chains (`make-iptables-util-chains: true`) +- **4.2.8**: Set appropriate event QPS (`event-qps: 5`) +- **4.2.12**: Enforce strong TLS cryptographic ciphers with an updated suite of recommended ciphers +- **4.2.13**: Set pod-max-pids limit to 4096 + +### File Permissions + +- **4.1.1**: Set appropriate file permissions (0600) for sensitive files including: + - kubelet.service + - kubelet config.yaml + - 10-kubeadm.conf diff --git a/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/worker/cis-mitigations-worker-patch.yaml b/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/worker/cis-mitigations-worker-patch.yaml new file mode 100644 index 000000000..7ee0ddd08 --- /dev/null +++ b/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/worker/cis-mitigations-worker-patch.yaml 
@@ -0,0 +1,30 @@ +apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 +kind: KubeadmConfigTemplate +metadata: + name: nkp-nutanix-worker- + namespace: +spec: + template: + spec: + joinConfiguration: + nodeRegistration: + kubeletExtraArgs: + # 4.2.4 Ensure that the --read-only-port argument is set to 0 + read-only-port: "0" + # 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 + # Recommendation: Set to 5m instead of 4h as per CIS guidelines + streaming-connection-idle-timeout: "5m" + # 4.2.6 Ensure that the --make-iptables-util-chains argument is set to true + make-iptables-util-chains: "true" + # 4.2.8 Ensure that the event-qps argument is set to a level which ensures appropriate event capture + event-qps: "5" + # 4.2.13 Ensure that a limit is set on pod PIDs + pod-max-pids: "4096" + # 4.2.12 Updated with recommended strong cipher suites + tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 + #1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate + #1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true + #This requires https://github.com/postfinance/kubelet-csr-approver to be installed. Install using the below helm command. + #helm upgrade --install kubelet-csr-approver kubelet-csr-approver/kubelet-csr-approver -n kube-system --create-namespace --set maxExpirationSeconds=2592000 --set leaderElection=true --set bypassDnsResolution=true --set rbac.create=true + rotate-server-certificates: "true" + diff --git a/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/worker/harden.sh b/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/worker/harden.sh new file mode 100755 index 000000000..83d774b96 
--- /dev/null +++ b/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/worker/harden.sh 
@@ -0,0 +1,74 @@ +#!/bin/bash + +# Color codes +CYAN='\033[0;36m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +RED='\033[0;31m' +NC='\033[0m' # No Color + + +echo -e "${CYAN}Listing all clusters in all namespaces...${NC}" + +kubectl get clusters -A + +echo "" +echo -e "${YELLOW}Please enter the namespace of the cluster you wish to harden (press Enter to use 'default'):${NC}" +read -p "> " NAMESPACE +NAMESPACE=${NAMESPACE:-default} + +echo "" +echo -e "${CYAN}Using namespace: $NAMESPACE${NC}" + +echo "" +echo -e "${CYAN}Listing all the KubeadmConfigTemplates for workers in namespace $NAMESPACE...${NC}" +kubectl get kubeadmconfigtemplates.bootstrap.cluster.x-k8s.io -n $NAMESPACE | grep worker + +echo "" +echo -e "${YELLOW}Please enter the NKP version from the list above (e.g., for NKP worker version nkp-nutanix-worker-v2.14.0, enter v2.14.0):${NC}" +read -p "> " VERSION + +echo "" +# Validate version format +if [[ ! $VERSION =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + echo -e "${RED}Invalid version format. Please use the format v.. 
(e.g., v2.14.1)${NC}" + exit 1 +fi + +echo -e "${CYAN}Using NKP version: $VERSION${NC}" + +echo "" +# Clone the latest KubeadmConfigTemplate for workers +echo -e "${CYAN}Cloning the worker template: nkp-nutanix-worker-${VERSION} from namespace $NAMESPACE...${NC}" +kubectl get kubeadmconfigtemplates.bootstrap.cluster.x-k8s.io nkp-nutanix-worker-${VERSION} -n $NAMESPACE -o yaml > nkp-nutanix-worker-${VERSION}.yaml + +echo "" +# Replace with the actual version in all files +echo -e "${CYAN}Replacing with ${VERSION} in all files...${NC}" +sed -i "s//${VERSION}/g" kustomization.yaml +sed -i "s//${VERSION}/g" cis-mitigations-worker-patch.yaml + +# Replace with the actual namespace in all files +echo -e "${CYAN}Replacing with ${NAMESPACE} in all files...${NC}" +sed -i "s//${NAMESPACE}/g" kustomization.yaml +sed -i "s//${NAMESPACE}/g" cis-mitigations-worker-patch.yaml + +echo "" +echo -e "${GREEN}Replacement complete!${NC}" +echo -e "${GREEN}Files have been updated with version: ${VERSION} and namespace: ${NAMESPACE}${NC}" + +echo "" +echo -e "${CYAN}Applying kustomization to create hardened worker template...${NC}" +kubectl apply -n $NAMESPACE -k . + +echo "" +echo -e "${CYAN}You can now patch the ClusterClass to use the Hardened KubeadmConfigTemplate for workers${NC}" +echo -e "${CYAN}Here are the available ClusterClasses in namespace $NAMESPACE:${NC}" + +kubectl get clusterclasses.cluster.x-k8s.io -n $NAMESPACE + +echo "" +echo -e "${YELLOW}Run the below command after replacing the with the ClusterClass in use from the list above${NC}" +echo -e "kubectl patch clusterclass -n $NAMESPACE \\ + --type json \\ + -p='[{\n \"op\":\"replace\",\n \"path\":\"/spec/workers/machineDeployments/0/template/bootstrap/ref/name\",\n \"value\":\"nkp-nutanix-worker-${VERSION}-hardened\"\n }]'" 
diff --git a/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/worker/kustomization.yaml b/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/worker/kustomization.yaml new file mode 100644 index 000000000..98e9acf52 --- /dev/null +++ b/examples/capi-quick-start/nutanix-cluster-hardened-clusterclass/worker/kustomization.yaml @@ -0,0 +1,31 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- nkp-nutanix-worker-.yaml + +patches: +- path: cis-mitigations-worker-patch.yaml +- target: + group: bootstrap.cluster.x-k8s.io + version: v1beta1 + kind: KubeadmConfigTemplate + name: nkp-nutanix-worker- + namespace: + # 4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive + patch: | + - op: add + path: /spec/template/spec/postKubeadmCommands/- + value: 'chmod 600 "$(systemctl show -P FragmentPath kubelet.service)"' + - op: add + path: /spec/template/spec/postKubeadmCommands/- + value: 'chmod 600 /var/lib/kubelet/config.yaml' + - op: add + path: /spec/template/spec/postKubeadmCommands/- + value: 'echo "serverTLSBootstrap: true" >> /var/lib/kubelet/config.yaml' + - op: add + path: /spec/template/spec/postKubeadmCommands/- + value: 'chmod 600 /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf' + +namePrefix: "" +nameSuffix: "-hardened"
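Review bot: the control-plane README hunk never says which cluster the kubelet-csr-approver Helm release is installed into, while its "Applying the Hardening" section tells the user to point `KUBECONFIG` at the Management Cluster; the approver has to run in every workload cluster whose kubelets will issue serving CSRs (those are the kubelets that `rotate-server-certificates: "true"` makes request them), so say that explicitly next to the Helm command. Two more things belong in the same section. `--set bypassDnsResolution=true` switches off the approver's check that the node's hostname resolves to the IP SANs in the CSR, which is the guard against a compromised node obtaining a serving certificate for another node's name; state why it is needed here and what is given up. And the note "If you choose not to install the kubelet-csr-approver, you must omit the flags" understates the coupling: once `kubelet-certificate-authority: /etc/kubernetes/pki/ca.crt` is set on the API server (1.2.5), every kubelet in the cluster, workers included, must present a CA-signed serving certificate or `kubectl logs`, `exec`, `port-forward` and metrics scraping against that node fail, so the later "you should also apply hardening to the worker nodes" is a requirement, not a recommendation. Also fix the double "from" in "omit the flags ... from your configuration from the `cis-mitigations-cp-patch.yaml` file".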
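Review bot: in `cis-mitigations-cp-patch.yaml` the `extraArgs` keys `enable-admission-plugins: AlwaysPullImages,EventRateLimit,DenyServiceExternalIPs,NodeRestriction` and `feature-gates: RotateKubeletServerCertificate=true` replace whatever value the exported `nkp-nutanix-<version>` template already has under the same key (the merge is per map key; the comma-separated value is opaque to it), so any admission plugin or feature gate NKP already enables there is dropped without warning. Either confirm the exported template carries neither key, or have the README say the lists must be merged by hand after `harden.sh` exports it. `AlwaysPullImages` also makes every pod start depend on the registry being reachable and on pull credentials being present in the pod's namespace, which is an availability trade-off the README should state in one sentence. The four identical comment blocks repeating the full Helm command in this file are noise; one pointer to the README section is enough.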
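Review bot: the control-plane `harden.sh` has no `set -euo pipefail`, so when `kubectl get kubeadmcontrolplanetemplates.controlplane.cluster.x-k8s.io nkp-nutanix-${VERSION}` fails (typo in the version, wrong namespace) the script writes an empty `nkp-nutanix-${VERSION}.yaml`, runs the in-place `sed` edits anyway and then dies inside `kubectl apply -n $NAMESPACE -k .` with an unrelated error; add it and check that the export produced a non-empty file. The `sed -i "s//${VERSION}/g" kustomization.yaml` lines, as they appear in the hunk, have an empty search pattern, which GNU sed rejects with "no previous regular expression"; if the placeholder token was lost from the listing, restore it, and note that `sed -i` without a backup suffix is GNU-only (BSD/macOS sed needs `-i ''`). Because the substitutions edit `kustomization.yaml` and `cis-mitigations-cp-patch.yaml` in the checkout, the script is one-shot: a second run for another version or namespace finds no placeholder left to replace; render into a work directory instead. The exported object also keeps server-populated `metadata.resourceVersion`, `uid`, `creationTimestamp` and `managedFields`, and the API server rejects a create whose `resourceVersion` is set, so strip those before applying the `-hardened` copy. Finally, the closing `kubectl patch clusterclass ... --type merge` that swaps `spec.controlPlane.ref.name` is printed with no warning that the topology controller will then roll every control-plane machine of every Cluster using that ClusterClass; say so before the user pastes it.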
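Review bot: in `control-plane/kustomization.yaml` the first target's `op: add` at `path: /spec/template/spec/kubeadmConfigSpec/files` with `value: []` overwrites the list when one already exists (JSON Patch `add` on an existing member replaces it), so any `v2.1[0-4]` template that does ship `files` loses its entries; guard it with an `op: test` or append with a strategic-merge patch, and reword the comment "so that it works in v2.14.0. Make sure to remove after to 2.14.0", which does not say which versions need the workaround or when it can go. The two targets are otherwise identical (about fifty duplicated lines), and their name regexes `nkp-nutanix-v2.1[0-4].*` and `nkp-nutanix-v2.1[5-9].*` match neither `v2.2x` nor `v3.x`, so a future template silently gets no admission files and no `postKubeadmCommands` while `cis-mitigations-cp-patch.yaml` still points the API server at `/etc/kubernetes/admission/admissionConfiguration.yaml`; fold the shared ops into one patch and keep only the `files: []` bootstrap under a version-specific target. Two of the appended commands need a second look: `echo "serverTLSBootstrap: true" >> /var/lib/kubelet/config.yaml` runs after kubeadm has already started the kubelet, so it only takes effect on the next kubelet restart, produces a duplicate key if the kubelet-config ConfigMap already carries it, and duplicates the `rotate-server-certificates: "true"` already passed via `kubeletExtraArgs`; the kubeadm-native home for this is `serverTLSBootstrap` in the KubeletConfiguration. And `chmod 600 /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf` hardcodes a path that is under `/etc/systemd/system/kubelet.service.d/` on some kubeadm packages, whereas the first command already discovers the unit path with `systemctl show -P FragmentPath kubelet.service`; derive the drop-in the same way (`systemctl show -P DropInPaths kubelet.service`). `namePrefix: ""` is a no-op.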
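Review bot: the "Required Component" list in `worker/README.md` cites 1.2.5 and 1.3.6, which are API server and controller manager checks that the worker patch never touches (it only sets `rotate-server-certificates: "true"` under `kubeletExtraArgs`), and its third bullet "Enable Kubelet Server Cert Rotation" has no benchmark number at all. Replace the list with the real reason the approver is needed on workers: once the control plane is hardened with `kubelet-certificate-authority`, worker kubelets must serve CA-signed certificates or the API server refuses `logs`, `exec` and metrics connections to them, and the approver is what approves those serving CSRs. "4.1.1" is listed under both "Kubelet Configuration" and "File Permissions"; keep one. The same double "from" as in the control-plane README ("from your configuration from the `cis-mitigations-worker-patch.yaml` file") is here too.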
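Review bot: the `tls-cipher-suites` value in `cis-mitigations-worker-patch.yaml` ends with `TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256`, static-RSA key exchange suites with no forward secrecy; they appear in the benchmark's accepted list, so the comment "4.2.12 Updated with recommended strong cipher suites" is not wrong, but the kubelet's TLS peers (the API server and in-cluster scrapers) all negotiate ECDHE, so drop the two unless a specific client needs them and say which in the comment. Worth a line in the README as well: every setting here (`read-only-port`, `streaming-connection-idle-timeout`, `event-qps`, `pod-max-pids`, `tls-cipher-suites`, `rotate-server-certificates`) is the deprecated command-line form of a KubeletConfiguration field; the kubelet still honours them and they take precedence over `/var/lib/kubelet/config.yaml`, which is exactly the file an auditor checking the kubelet-config route will read, so state that precedence. Minor: the trailing comment block again cites 1.2.5 and 1.3.6, control-plane checks, for a kubelet flag.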
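Review bot: the `kubectl patch clusterclass ... --type json` command printed at the end of the worker `harden.sh` hardcodes `"path":"/spec/workers/machineDeployments/0/template/bootstrap/ref/name"`, so only the first MachineDeployment class in the ClusterClass is switched to `nkp-nutanix-worker-${VERSION}-hardened`; a ClusterClass with more than one worker class keeps unhardened bootstrap templates for the rest and the user is not told. Either print one `replace` op per entry of `spec.workers.machineDeployments`, or tell the user to list the classes first, and say that the patch rolls every worker machine of every Cluster using the class. `kubectl get kubeadmconfigtemplates.bootstrap.cluster.x-k8s.io -n $NAMESPACE | grep worker` also hides any template whose name lacks "worker" while the next step requires the exact name `nkp-nutanix-worker-${VERSION}`; filter on that prefix instead. The rest of the script repeats the control-plane script's problems: no `set -euo pipefail`, empty `sed` search patterns as shown in the hunk, in-place edits that make a second run fail, and the exported `metadata.resourceVersion` left in the file that is then applied.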
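Review bot: `worker/kustomization.yaml` files all four `postKubeadmCommands` under the comment "4.1.1 Ensure that the kubelet service file permissions are set to 600 or more restrictive", but `echo "serverTLSBootstrap: true" >> /var/lib/kubelet/config.yaml` is not a permissions change: it is the serving-cert rotation setting, already applied through `rotate-server-certificates: "true"` in `cis-mitigations-worker-patch.yaml`, it runs only after `kubeadm join` has started the kubelet (so it needs a kubelet restart to take effect), and it appends a duplicate key if the kubelet-config ConfigMap already carries it. Drop the echo line and keep the setting in one place. Every op here is `op: add` with `path: /spec/template/spec/postKubeadmCommands/-`, which fails with a missing-path error if the exported template has no `postKubeadmCommands` list; the control-plane kustomization bootstraps `files` for exactly that reason but neither file does it for `postKubeadmCommands`, so either add the same guard or document that the exported template must already have the list. As on the control-plane side, `chmod 600 /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf` hardcodes a path that is under `/etc/systemd/system/kubelet.service.d/` on some kubeadm packages and fails there, while the unit file one line above is discovered with `systemctl show -P FragmentPath kubelet.service`; discover the drop-in the same way. `namePrefix: ""` is a no-op.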