Merge pull request #2616 from paraglade/DOCS-2368

DOCS-2368 address issues found in hardening-2.3 guide
Nelson Roberts
2020-07-23 15:12:42 -07:00
committed by GitHub
@@ -608,22 +608,20 @@ To pass the following controls for the kube-api server ensure RKE configuration
services:
kube-api:
pod_security_policy: true
event_rate_limit:
enabled: true
extra_args:
anonymous-auth: "false"
profiling: "false"
service-account-lookup: "true"
enable-admission-plugins: "ServiceAccount,NamespaceLifecycle,LimitRanger,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,AlwaysPullImages,DenyEscalatingExec,NodeRestriction,EventRateLimit,PodSecurityPolicy"
encryption-provider-config: /opt/kubernetes/encryption.yaml
admission-control-config-file: "/opt/kubernetes/admission.yaml"
audit-log-path: "/var/log/kube-audit/audit-log.json"
audit-log-maxage: "5"
audit-log-maxbackup: "5"
audit-log-maxsize: "100"
audit-log-format: "json"
audit-policy-file: /opt/kubernetes/audit.yaml
tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
extra_binds:
- "/var/log/kube-audit:/var/log/kube-audit"
- "/opt/kubernetes:/opt/kubernetes"
```
@@ -1269,13 +1267,13 @@ services:
generate_serving_certificate: true
kube-api:
pod_security_policy: true
event_rate_limit:
enabled: true
extra_args:
anonymous-auth: "false"
profiling: "false"
service-account-lookup: "true"
enable-admission-plugins: "ServiceAccount,NamespaceLifecycle,LimitRanger,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,AlwaysPullImages,DenyEscalatingExec,NodeRestriction,EventRateLimit,PodSecurityPolicy"
encryption-provider-config: /opt/kubernetes/encryption.yaml
admission-control-config-file: "/opt/kubernetes/admission.yaml"
audit-log-path: "/var/log/kube-audit/audit-log.json"
audit-log-maxage: "5"
audit-log-maxbackup: "5"
@@ -1284,7 +1282,6 @@ services:
audit-policy-file: /opt/kubernetes/audit.yaml
tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
extra_binds:
- "/var/log/kube-audit:/var/log/kube-audit"
- "/opt/kubernetes:/opt/kubernetes"
scheduler:
extra_args:
@@ -1438,6 +1435,7 @@ addons: |
#
# Cluster Config
#
default_pod_security_policy_template_id: restricted
docker_root_dir: /var/lib/docker
enable_cluster_alerting: false
enable_cluster_monitoring: false
@@ -1500,24 +1498,22 @@ rancher_kubernetes_engine_config:
uid: 1001
kube_api:
always_pull_images: false
event_rate_limit:
enabled: true
extra_args:
admission-control-config-file: /opt/kubernetes/admission.yaml
anonymous-auth: 'false'
audit-log-format: json
audit-log-maxage: '5'
audit-log-maxbackup: '5'
audit-log-maxsize: '100'
audit-log-path: /var/log/kube-audit/audit-log.json
audit-policy-file: /opt/kubernetes/audit.yaml
enable-admission-plugins: >-
ServiceAccount,NamespaceLifecycle,LimitRanger,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,AlwaysPullImages,DenyEscalatingExec,NodeRestriction,EventRateLimit,PodSecurityPolicy
encryption-provider-config: /opt/kubernetes/encryption.yaml
profiling: 'false'
service-account-lookup: 'true'
tls-cipher-suites: >-
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
extra_binds:
- '/var/log/kube-audit:/var/log/kube-audit'
- '/opt/kubernetes:/opt/kubernetes'
pod_security_policy: true
service_node_port_range: 30000-32767
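Review bot: The `tls-cipher-suites` value that all three listings still carry (L27, L50 and the folded L85) ends with `TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256`, two static-RSA key-exchange suites with no forward secrecy, which is an odd thing for a hardening guide to recommend unless a specific client is known to need them; unless that is the case, the list should stop at the ECDHE suites, i.e. `tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"`, with a short sentence in the prose saying why the RSA suites are left out. In the Rancher-exported listing at L67, `always_pull_images: false` sits next to an `enable-admission-plugins` list that includes `AlwaysPullImages`; if I read the RKE option correctly the explicit plugin list wins and the plugin is actually on, so the `false` reads as contradictory and a one-line comment such as `# AlwaysPullImages is enabled via enable-admission-plugins below` (or setting it to `true`) would stop readers from "fixing" the wrong one. Since the markers were lost in rendering I cannot tell which of these lines the commit touched, so this may apply to context rather than to the edit itself. A smaller style point: in the first listing, `encryption-provider-config` (L19) and `audit-policy-file` (L26) are the only path values left unquoted while every neighbouring path is quoted, so `encryption-provider-config: "/opt/kubernetes/encryption.yaml"` and `audit-policy-file: "/opt/kubernetes/audit.yaml"` would make the block consistent.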