\u5728kubespray.io\u8fd9\u4e2a\u770b\u8d77\u6765\u50cf\u662f\u5b98\u65b9\u6587\u6863\u9875\u9762\u7684\u7f51\u7ad9\u4e0a\uff0c\u4e3a\u4ec0\u4e48\u8fd8\u6ca1\u6709\u6307\u5411\u76f8\u5173\u9875\u9762\u7684\u94fe\u63a5\u5462\uff08\u96be\u9053\u8fd8\u5728\u6d4b\u8bd5\u4e2d\uff1f\uff09\uff1f\u4f46\u662f\uff0c\u4eceKubespray\u7684Github\u9875\u9762\u4e0a\u53ef\u4ee5\u770b\u5230\uff0c\u4ece2022\u5e745\u670830\u65e5\u8d77\uff0cKubespray\u5df2\u7ecf\u6dfb\u52a0\u4e86\u4e00\u4e2a\u540d\u4e3a”Cluster Hardening”\u7684\u9875\u9762\uff0c\u7528\u4e8e\u5728CIS Benchmarks\u65b9\u9762\u901a\u8fc7Kubespray\u8fdb\u884c\u90e8\u7f72\u65f6\u7684\u914d\u7f6e\u3002\u8fd9\u6b21\u7684\u76ee\u7684\u662f\u4ecb\u7ecd\u8fd9\u4e2a\u9875\u9762\u5e76\u5206\u4eab\u4e00\u4e9b\u5c0f\u6280\u5de7\u3002\u6839\u636e\u6211\u7684\u89c2\u5bdf\u8303\u56f4\uff0c\u6211\u6ca1\u6709\u627e\u5230\u65e5\u8bed\u89e3\u91ca\u76f8\u5173\u5185\u5bb9\u7684\u6587\u7ae0…<\/p>\n
\u4ee5\u4e0b\u662f\u76f8\u5173\u94fe\u63a5\uff1a
\nhttps:\/\/kubespray.io\/#\/docs\/hardening
\nhttps:\/\/github.com\/kubernetes-sigs\/kubespray\/blob\/master\/docs\/hardening.md<\/p>\n
\u4f5c\u4e3a\u521b\u5efa\u975e\u6258\u7ba1Kubernetes\u73af\u5883\u7684\u4e00\u79cd\u65b9\u6cd5\u4e4b\u4e00\uff0c\u5b83\u662f\u901a\u8fc7ansible-playbook\u6765\u8fdb\u884c\u6784\u5efa\u7684\uff08\u53c2\u8003\uff1aAnsible Playbook \u662f\u4ec0\u4e48\uff09\u3002
\n\u5b83\u53ef\u4ee5\u7528\u4e8e\u4e91\u73af\u5883\u4e2d\u51c6\u5907\u7684\u865a\u62df\u673a\uff0c\u4e5f\u53ef\u4ee5\u7528\u4e8e\u4e3a\u5bb6\u5eadKubernetes\u7fa4\u4f53\u51c6\u5907\u7684\u672c\u5730\u5b9e\u4f53\u673a\u5668\u6216\u865a\u62df\u673a\u3002
\n\u6709\u5173ansible\u7684\u8bf4\u660e\u548cKubespray\u672c\u8eab\uff0c\u8bf7\u53c2\u8003\u5148\u524d\u6587\u7ae0\u7684\u76f8\u5173\u5185\u5bb9\u3002<\/p>\n
\u6682\u65f6\u7684\uff0c\u4ee5\u4e0b\u5185\u5bb9\u662f\u5173\u4e8e\u201c\u96c6\u7fa4\u52a0\u56fa\uff08Cluster Hardening\uff09\u201d\u7684\uff08\u622a\u81f32022\/12\/17\uff09\u3002<\/p>\n
Kubespray\u63d0\u4f9b\u4e86\u201c\u96c6\u7fa4\u52a0\u56fa\u201d\u8bbe\u7f6e\u96c6\uff0c\u7528\u4e8e\u589e\u5f3a\u5b89\u5168\u6027\u3002
\n\u901a\u8fc7\u5728\u8c03\u7528playbook\u65f6\uff0c\u4f7f\u7528\u52a0\u56fa\u8bbe\u7f6e\u8986\u76d6\u9ed8\u8ba4\u914d\u7f6e\uff0c\u4ee5\u5e94\u7528\u8fd9\u4e9b\u8bbe\u7f6e\uff0c\u56e0\u6b64\u53ef\u80fd\u9700\u8981\u6839\u636e\u4e2a\u4eba\u73af\u5883\u8fdb\u884c\u4e00\u4e9b\u5fae\u5c0f\u7684\u66f4\u6539\u3002<\/p>\n
\u8be5\u8bbe\u7f6e\u5305\u62ec\u542f\u7528RBAC\u548c\u5ba1\u8ba1\u3001\u52a0\u5bc6\u5bc6\u7801\u7b49\uff0c\u901a\u8fc7\u4ec5\u4ec5\u7814\u7a76\u76f8\u5173\u672f\u8bed\uff0c\u60a8\u5c06\u4e86\u89e3Kubernetes\u4e2d\u7684\u5b89\u5168\u6027\uff0c\u5e76\u5f97\u5230\u4e00\u4e2a\u826f\u597d\u7684\u8d77\u70b9\u3002<\/p>\n
\u786c\u5316.yaml:<\/p>\n
# Hardening<\/span>\r\n---<\/span>\r\n\r\n## kube-apiserver<\/span>\r\nauthorization_modes<\/span>:<\/span> [<\/span>'<\/span>Node'<\/span>,<\/span> '<\/span>RBAC'<\/span>]<\/span>\r\n# AppArmor-based OS<\/span>\r\n# kube_apiserver_feature_gates: ['AppArmor=true']<\/span>\r\nkube_apiserver_request_timeout<\/span>:<\/span> 120s<\/span>\r\nkube_apiserver_service_account_lookup<\/span>:<\/span> true<\/span>\r\n\r\n# enable kubernetes audit<\/span>\r\nkubernetes_audit<\/span>:<\/span> true<\/span>\r\naudit_log_path<\/span>:<\/span> \"<\/span>\/var\/log\/kube-apiserver-log.json\"<\/span>\r\naudit_log_maxage<\/span>:<\/span> 30<\/span>\r\naudit_log_maxbackups<\/span>:<\/span> 10<\/span>\r\naudit_log_maxsize<\/span>:<\/span> 100<\/span>\r\n\r\ntls_min_version<\/span>:<\/span> VersionTLS12<\/span>\r\ntls_cipher_suites<\/span>:<\/span>\r\n -<\/span> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256<\/span>\r\n -<\/span> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256<\/span>\r\n -<\/span> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305<\/span>\r\n\r\n# enable encryption at rest<\/span>\r\nkube_encrypt_secret_data<\/span>:<\/span> true<\/span>\r\nkube_encryption_resources<\/span>:<\/span> [<\/span>secrets<\/span>]<\/span>\r\nkube_encryption_algorithm<\/span>:<\/span> \"<\/span>secretbox\"<\/span>\r\n\r\nkube_apiserver_enable_admission_plugins<\/span>:<\/span>\r\n -<\/span> EventRateLimit<\/span>\r\n -<\/span> AlwaysPullImages<\/span>\r\n -<\/span> ServiceAccount<\/span>\r\n -<\/span> NamespaceLifecycle<\/span>\r\n -<\/span> NodeRestriction<\/span>\r\n -<\/span> LimitRanger<\/span>\r\n -<\/span> ResourceQuota<\/span>\r\n -<\/span> MutatingAdmissionWebhook<\/span>\r\n -<\/span> ValidatingAdmissionWebhook<\/span>\r\n -<\/span> PodNodeSelector<\/span>\r\n -<\/span> PodSecurity<\/span>\r\nkube_apiserver_admission_control_config_file<\/span>:<\/span> true<\/span>\r\n# EventRateLimit plugin configuration<\/span>\r\nkube_apiserver_admission_event_rate_limits<\/span>:<\/span>\r\n limit_1<\/span>:<\/span>\r\n type<\/span>:<\/span> Namespace<\/span>\r\n qps<\/span>:<\/span> 50<\/span>\r\n burst<\/span>:<\/span> 100<\/span>\r\n cache_size<\/span>:<\/span> 2000<\/span>\r\n limit_2<\/span>:<\/span>\r\n type<\/span>:<\/span> User<\/span>\r\n qps<\/span>:<\/span> 50<\/span>\r\n burst<\/span>:<\/span> 100<\/span>\r\nkube_profiling<\/span>:<\/span> false<\/span>\r\n\r\n## kube-controller-manager<\/span>\r\nkube_controller_manager_bind_address<\/span>:<\/span> 127.0.0.1<\/span>\r\nkube_controller_terminated_pod_gc_threshold<\/span>:<\/span> 50<\/span>\r\n# AppArmor-based OS<\/span>\r\n# kube_controller_feature_gates: [\"RotateKubeletServerCertificate=true\", \"AppArmor=true\"]<\/span>\r\nkube_controller_feature_gates<\/span>:<\/span> [<\/span>\"<\/span>RotateKubeletServerCertificate=true\"<\/span>]<\/span>\r\n\r\n## kube-scheduler<\/span>\r\nkube_scheduler_bind_address<\/span>:<\/span> 127.0.0.1<\/span>\r\nkube_kubeadm_scheduler_extra_args<\/span>:<\/span>\r\n profiling<\/span>:<\/span> false<\/span>\r\n# AppArmor-based OS<\/span>\r\n# kube_scheduler_feature_gates: [\"AppArmor=true\"]<\/span>\r\n\r\n## etcd<\/span>\r\netcd_deployment_type<\/span>:<\/span> kubeadm<\/span>\r\n\r\n## kubelet<\/span>\r\nkubelet_authentication_token_webhook<\/span>:<\/span> true<\/span>\r\nkube_read_only_port<\/span>:<\/span> 0<\/span>\r\nkubelet_rotate_server_certificates<\/span>:<\/span> true<\/span>\r\nkubelet_protect_kernel_defaults<\/span>:<\/span> true<\/span>\r\nkubelet_event_record_qps<\/span>:<\/span> 1<\/span>\r\nkubelet_rotate_certificates<\/span>:<\/span> true<\/span>\r\nkubelet_streaming_connection_idle_timeout<\/span>:<\/span> \"<\/span>5m\"<\/span>\r\nkubelet_make_iptables_util_chains<\/span>:<\/span> true<\/span>\r\nkubelet_feature_gates<\/span>:<\/span> [<\/span>\"<\/span>RotateKubeletServerCertificate=true\"<\/span>,<\/span> \"<\/span>SeccompDefault=true\"<\/span>]<\/span>\r\nkubelet_seccomp_default<\/span>:<\/span> true<\/span>\r\nkubelet_systemd_hardening<\/span>:<\/span> true<\/span>\r\n# In case you have multiple interfaces in your<\/span>\r\n# control plane nodes and you want to specify the right<\/span>\r\n# IP addresses, kubelet_secure_addresses allows you<\/span>\r\n# to specify the IP from which the kubelet<\/span>\r\n# will receive the packets.<\/span>\r\nkubelet_secure_addresses<\/span>:<\/span> \"<\/span>192.168.10.110<\/span> 192.168.10.111<\/span> 192.168.10.112\"<\/span>\r\n\r\n# additional configurations<\/span>\r\nkube_owner<\/span>:<\/span> root<\/span>\r\nkube_cert_group<\/span>:<\/span> root<\/span>\r\n\r\n# create a default Pod Security Configuration and deny running of insecure pods<\/span>\r\n# kube_system namespace is exempted by default<\/span>\r\nkube_pod_security_use_default<\/span>:<\/span> true<\/span>\r\nkube_pod_security_default_enforce<\/span>:<\/span> restricted<\/span>\r\n<\/code><\/pre>\n\u9002\u7528\u547d\u4ee4\u793a\u4f8b\uff1a<\/p>\n
ansible-playbook -v<\/span> cluster.yml \\<\/span>\r\n -i<\/span> inventory.ini \\<\/span>\r\n -b<\/span> --become-user<\/span>=<\/span>root \\<\/span>\r\n --private-key<\/span> ~\/.ssh\/id_ecdsa \\<\/span>\r\n -e<\/span> \"@vars.yaml\"<\/span> \\<\/span>\r\n -e<\/span> \"@hardening.yaml\"<\/span>\r\n<\/code><\/pre>\n\u5173\u4e8e\u4e00\u4e9b\u5c0f\u6280\u5de7\uff08\u5982\u5728\u8fdb\u884c\u201c\u96c6\u7fa4\u786c\u5316\u201d\u5e76\u5728Kubernetes\u4e0a\u6258\u7ba1\u201cPrometheus\u201d\u7b49\u65f6\u7684\u6ce8\u610f\u4e8b\u9879\uff09\u3002<\/h2>\n
\u5982\u4e0a\u6240\u8ff0\uff0c\u8fdb\u884c”\u96c6\u7fa4\u52a0\u56fa”\u5c06\u786e\u4fdd\u6700\u4f4e\u9650\u5ea6\u7684\u5b89\u5168\u6027\uff0c\u5e76\u4e14\u6211\u5efa\u8bae\u60a8\u8003\u8651\u8fd9\u4e2a\u9009\u9879\uff0c\u4f46\u9700\u8981\u6ce8\u610f\u7684\u662f\uff1a\u7531\u4e8e\u914d\u7f6e\u91cd\u70b9\u653e\u5728\u63d0\u5347\u5b89\u5168\u6027\u4e0a\uff0c\u6240\u4ee5\u4e00\u4e9b\u5e94\u7528\u7a0b\u5e8f\u53ef\u80fd\u65e0\u6cd5\u6b63\u5e38\u5de5\u4f5c\u3002\u4f8b\u5982\uff0cPrometheus\u5728\u914d\u7f6e\u4e0a\u4e0ekubelet\u8fdb\u884c\u901a\u4fe1\u4ee5\u8fdb\u884c\u6293\u53d6\uff0c\u4f46\u76f4\u63a5\u5e94\u7528\u4e0a\u8ff0\u914d\u7f6e\u5c06\u5bfc\u81f4\u88ab\u9632\u706b\u5899\u963b\u6b62\u800c\u65e0\u6cd5\u8fd0\u884c\u3002\u4e3a\u4e86\u5e94\u5bf9\u8fd9\u4e2a\u60c5\u51b5\uff0c\u6211\u5c06\u4ecb\u7ecd\u9700\u8981\u8fdb\u884c\u4fee\u6b63\u7684\u4f4d\u7f6e\u3002<\/p>\n
kube-controller-manager\u7684\u7ed1\u5b9a\u914d\u7f6e<\/h3>\n# kube_controller_manager_bind_address: 127.0.0.1<\/span>\r\nkube_controller_manager_bind_address<\/span>:<\/span> 0.0.0.0<\/span> # 127.0.0.1\u306e\u5834\u5408\u3001prometheus\u304b\u3089\u306escrape\u306b\u5931\u6557\u3059\u308b\u306e\u3067\u3001\u5909\u66f4\u3057\u307e\u3059\u3002\u305d\u306e\u4ee3\u308f\u308a\u306b\u5225\u9014FW\u3084NetworkPolicy\u7b49\u3067\u4fdd\u8b77\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u306e\u3067\u6ce8\u610f\u3002<\/span>\r\n<\/code><\/pre>\nkube-scheduler\u7684\u7ed1\u5b9a\u914d\u7f6e<\/h3>\n# kube_scheduler_bind_address: 127.0.0.1<\/span>\r\nkube_scheduler_bind_address<\/span>:<\/span> 0.0.0.0<\/span> # 127.0.0.1\u306e\u5834\u5408\u3001prometheus\u304b\u3089\u306escrape\u306b\u5931\u6557\u3059\u308b\u306e\u3067\u3001\u5909\u66f4\u3057\u307e\u3059\u3002\u305d\u306e\u4ee3\u308f\u308a\u306b\u5225\u9014FW\u3084NetworkPolicy\u7b49\u3067\u4fdd\u8b77\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u306e\u3067\u6ce8\u610f\u3002<\/span>\r\n<\/code><\/pre>\netcd\u7684\u7ed1\u5b9a\u914d\u7f6e<\/h3>\n
\u5982\u679c\u4e0d\u6dfb\u52a0\u4e0b\u9762\u7684\u8bbe\u7f6e\uff0c\u5c06\u4f1a\u7ed1\u5b9a\u5230127.0.0.1\uff08\u53ef\u80fd\u4e3alocalhost\uff09\uff0c\u5bfc\u81f4\u4eceprometheus\u8fdb\u884c\u6293\u53d6\u5931\u8d25\uff0c\u56e0\u6b64\u9700\u8981\u8fdb\u884c\u66f4\u6539\u3002\u8bf7\u6ce8\u610f\uff0c\u9700\u8981\u901a\u8fc7\u5176\u4ed6\u65b9\u5f0f\u5982\u9632\u706b\u5899\u6216\u7f51\u7edc\u7b56\u7565\u6765\u4fdd\u62a4\u3002<\/p>\n
etcd_extra_vars<\/span>