75f77ab951
* Improve test-pad rancher script Signed-off-by: Derek Nola <derek.nola@suse.com> * Improve hardened script and added kube-bench utility script Signed-off-by: Derek Nola <derek.nola@suse.com> * Apply same audits for 1.22 and older Signed-off-by: Derek Nola <derek.nola@suse.com> Signed-off-by: Derek Nola <derek.nola@suse.com>
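#!/bin/bash
#
# Prepare a host for a CIS-hardened k3s server:
#   1. apply the kernel sysctls the hardened kubelet expects,
#   2. create a root-only audit log directory and a Metadata-level
#      audit policy for the apiserver,
#   3. optionally (argument "psa") write a PodSecurity admission
#      configuration that applies the "restricted" profile by default.
#
# Usage: hardened.sh [psa]        (must run as root)
#
# Every file is written with '>' rather than '>>', so re-running the
# script is idempotent; appending would leave duplicate sysctl entries
# and, worse, duplicate top-level keys in audit.yaml / psa.yaml.
set -euo pipefail

readonly server_dir=/var/lib/rancher/k3s/server
readonly sysctl_conf=/etc/sysctl.d/90-kubelet.conf

# Everything below writes to /etc and /var/lib/rancher; fail early with
# a clear message instead of a cascade of "Permission denied".
if [ "$(id -u)" -ne 0 ]; then
  echo "error: this script must be run as root" >&2
  exit 1
fi

# Kernel parameters matching what the kubelet's protect-kernel-defaults
# check expects (see the k3s CIS hardening guide); with that option on,
# the kubelet refuses to start if these differ from the running values.
cat > "$sysctl_conf" <<'EOF'
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
kernel.keys.root_maxbytes=25000000
EOF
# Apply immediately; under 'set -e' a rejected key aborts the script
# instead of being silently ignored.
sysctl -p "$sysctl_conf"

# Audit log directory. Mode 0700 is applied explicitly because
# 'mkdir -p -m' does not touch an already-existing directory; audit
# records carry usernames, source IPs and resource names for every
# request, so nothing but root should read them.
mkdir -p "$server_dir/logs"
chmod 700 "$server_dir/logs"

# Audit policy: a single rule logging every request at the Metadata
# level (who, what, when; no request/response bodies). NOTE(review):
# this file only takes effect if k3s is started with the matching
# kube-apiserver audit-policy-file / audit-log-path arguments, which
# this script does not do.
cat > "$server_dir/audit.yaml" <<'EOF'
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
EOF

# Optional PodSecurity admission configuration. Pods are held to the
# "restricted" profile in all three modes (enforce/audit/warn) at the
# "latest" profile version, so the checks tighten automatically on
# cluster upgrade. The namespace exemptions mean workloads in
# kube-system and cis-operator-system are not evaluated at all —
# anything deployed there escapes the restricted profile.
# "${1:-}" keeps 'set -u' happy when no argument is given.
if [ "${1:-}" = "psa" ]; then
  cat > "$server_dir/psa.yaml" <<'EOF'
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [kube-system, cis-operator-system]
EOF
fi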