bink/cookbook-bifrost
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
No description
This repository has been archived on 2026-04-20. You can view files and clone it, but you cannot make any changes to its state, such as pushing and creating new issues, pull requests or comments.
248 commits 1 branch 97 tags 393 KiB
  • HTML 89.6%
  • Ruby 10.4%
Find a file
Exact
Chris Pressland 0e5f3197f0
Some checks failed
tests / test (push) Failing after 28s
Details
upload / upload (push) Failing after 6s
Details
Upgrade to Kube 1.23.6
2022-05-16 23:26:54 +01:00
.github/workflows Kubernetes 1.23.3 2022-02-05 20:56:27 +00:00
attributes Upgrade to Kube 1.23.6 2022-05-16 23:26:54 +01:00
files/default 4th Generation Kubernetes 2020-08-11 11:32:00 +00:00
recipes Pull from Linkerd's official GitHub Container Registry 2022-02-20 16:08:39 +00:00
templates Remove KeyVault2Kube and aad-pod-identity 2022-01-01 14:00:19 +00:00
test/integration Kubernetes 1.21.4 2021-09-13 14:38:44 +00:00
.gitignore Initial Commit 2018-10-01 10:28:01 +01:00
Berksfile Kubernetes 1.21.4 2021-09-13 14:38:44 +00:00
Berksfile.lock Upgrade to Kube 1.23.6 2022-05-16 23:26:54 +01:00
kitchen.yml Added Linkerd Viz Extension 2021-05-22 21:00:46 +01:00
metadata.rb Upgrade to Kube 1.23.6 2022-05-16 23:26:54 +01:00
README.md Use Azure instead of VirtualBox for Kitchen 2021-01-06 13:37:01 +00:00

README.md

page_title
Bifrost

Build Status

The Bifrost cookbook is the main cookbook that sets up and updates Kubernetes as well as including strange which configures ETCD. There are 2 roles controller and worker which would target the recipe[bifrost::controller] and recipe[bifrost::worker] recipes respectively.

Running tests in Test Kitchen

THIS DOES NOT WORK IN CHEFDK, INSTALL CHEF WORKSTATION

You'll need to setup some environment variables in order to run Test Kitchen, these can be found in 1Password in the DevOps vault as "Test Kitchen Credentials"

CIS Hardening

The CIS Kubernetes 1.5 document references a large amount of options that are outdated so many are skipped. The table below will outline which controls we currently meet, are not applicable or where we should make improvements to our Kubernetes tooling. RBAC and Manifest related controls have been omitted as they will be covered by other tooling. ETCD will be covered in the Strange cookbook. Controls that are not scored have been omitted for now.

Some of the failed tests have not been currently impletented as they will need to be reviewed once upgraded to 1.17.

Control ID Control Y/N Notes
1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive N/A Not ran as a pod
1.1.2 Ensure that the API server pod specification file ownership is set to root:root N/A Not ran as a pod
1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive N/A Not ran as a pod
1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root N/A Not ran as a pod
1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive N/A Not ran as a pod
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root N/A Not ran as a pod
1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive Y
1.1.10 Ensure that the Container Network Interface file ownership is set to root:root Y
1.1.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive N/A Does not exist
1.1.14 Ensure that the admin.conf file ownership is set to root:root N/A Does not exist
1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive Y
1.1.16 Ensure that the scheduler.conf file ownership is set to root:root Y
1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive Y
1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root Y
1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root Y
1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive Y
1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 Y
API Server
1.2.1 Ensure that the --anonymous-auth argument is set to false N Deprecated in upcoming Kubernetes release
1.2.2 Ensure that the --basic-auth-file argument is not set Y
1.2.3 Ensure that the --token-auth-file parameter is not set Y
1.2.4 Ensure that the --kubelet-https argument is set to true Y
1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate Y
1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate N DEVOPS-743
1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow Y
1.2.8 Ensure that the --authorization-mode argument includes Node Y
1.2.9 Ensure that the --authorization-mode argument includes RBAC Y
1.2.10 Ensure that the admission control plugin EventRateLimit is set N DEVOPS-744
1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set Y
1.2.12 Ensure that the admission control plugin AlwaysPullImages is set N DEVOPS-744
1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used N DEVOPS-744
1.2.14 Ensure that the admission control plugin ServiceAccount is set N DEVOPS-744
1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set N DEVOPS-744
1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set N DEVOPS-744
1.2.17 Ensure that the admission control plugin NodeRestriction is set N DEVOPS-744
1.2.18 Ensure that the --insecure-bind-address argument is not set Y
1.2.19 Ensure that the --insecure-port argument is set to 0 N Will need to be fixed in upcoming Kubernetes upgrade
1.2.20 Ensure that the --secure-port argument is not set to 0 N Will need to be fixed in upcoming Kubernetes upgrade
1.2.21 Ensure that the --profiling argument is set to false Y
1.2.22 Ensure that the --audit-log-path argument is set N DEVOPS-745
1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate N DEVOPS-745
1.2.24 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate N DEVOPS-745
1.2.25 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate N DEVOPS-745
1.2.26 Ensure that the --request-timeout argument is set as appropriate Y Default of 60s is acceptable
1.2.27 Ensure that the --service-account-lookup argument is set to true Y
1.2.28 Ensure that the --service-account-key-file argument is set as appropriate Y
1.2.29 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate Y
1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate Y
1.2.31 Ensure that the --client-ca-file argument is set as appropriate Y
1.2.32 Ensure that the --etcd-cafile argument is set as appropriate Y
1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate N/A Full disk encryption has been deployed rendering this control unnecessary
1.2.34 Ensure that encryption providers are appropriately configured N/A
1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers N DEVOPS-746
3.2.1 Ensure that a minimal audit policy is created N DEVOPS-745
Controller Manager
1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate Y Default is fine
1.3.2 Ensure that the --profiling argument is set to false Y
1.3.3 Ensure that the --use-service-account-credentials argument is set to true N DEVOPS-747
1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate Y
1.3.5 Ensure that the --root-ca-file argument is set as appropriate Y
1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true N DEVOPS-747
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 N DEVOPS-747
Scheduler
1.4.1 Ensure that the --profiling argument is set to false Y
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 N DEVOPS-747
Kubelet
4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive Y
4.1.2 Ensure that the kubelet service file ownership is set to root:root Y
4.1.3 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive Y
4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root Y
4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive Y
4.1.6 Ensure that the kubelet.conf file ownership is set to root:root Y
4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive Y
4.1.8 Ensure that the client certificate authorities file ownership is set to root:root Y
4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive Y
4.1.10 Ensure that the kubelet configuration file ownership is set to root:root Y
4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow Y
4.2.3 Ensure that the --client-ca-file argument is set as appropriate N DEVOPS-748
4.2.4 Ensure that the --read-only-port argument is set to 0 N DEVOPS-748
4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 N DEVOPS-748
4.2.6 Ensure that the --protect-kernel-defaults argument is set to true N DEVOPS-748
4.2.7 Ensure that the --make-iptables-util-chains argument is set to true N DEVOPS-748
4.2.8 Ensure that the --hostname-override argument is not set N DEVOPS-748
4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture N DEVOPS-748
4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate Y
4.2.11 Ensure that the --rotate-certificates argument is not set to false N DEVOPS-748
4.2.12 Ensure that the RotateKubeletServerCertificate argument is set to true N DEVOPS-748
4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers N DEVOPS-746