Correct CIS validation issues and set kubelet arg properly
Correcting issues from #389:
* Don't check kernel.keys.root_maxbytes
* Check to see if the user has set protect-kernel-defaults to a
  value that conflicts with the profile's required setting.
* Set protect-kernel-defaults via existing CLI flag, instead of appending
  it to kubelet args.

Signed-off-by: Brad Davidson <[email protected]>
brandond committed Sep 30, 2020
1 parent 8da413f commit 47ebf7b
Showing 5 changed files with 24 additions and 20 deletions.
3 changes: 3 additions & 0 deletions pkg/cli/cmds/agent.go
Expand Up @@ -59,6 +59,9 @@ func AgentRun(clx *cli.Context) error {
if err := validateCISReqs("agent"); err != nil {
logrus.Fatal(err)
}
if err := setCISFlags(clx); err != nil {
logrus.Fatal(err)
}
case "":
logrus.Warn("not running in CIS 1.5 mode")
default:
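Review bot: `setCISFlags(clx)` runs only after `validateCISReqs` has passed, so a host failing the sysctl checks exits through `logrus.Fatal` before the flag is forced, which is the right order; but any code in `AgentRun` that reads `protect-kernel-defaults` ahead of this `switch` (the function starts outside the hunk) would still see the user-supplied value rather than the forced one. Worth confirming the flag is consumed only downstream of this point. A one-line comment above the new call, `// force --protect-kernel-defaults=true; an explicit false is rejected inside setCISFlags`, would make the intent visible to the next reader.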
26 changes: 16 additions & 10 deletions pkg/cli/cmds/root.go
Expand Up @@ -46,6 +46,8 @@ var (
}
)

const pkdFlagName = "protect-kernel-defaults"

func init() {
// hack - force "file,dns" lookup order if go dns is used
if os.Getenv("RES_OPTIONS") == "" {
Expand All @@ -56,17 +58,11 @@ func init() {
// kernelRuntimeParameters contains the names and values
// of the expected values from the Rancher Hardening guide
// for CIS 1.5 compliance.
//
// vm.panic_on_oom=0
// kernel.panic=10
// kernel.panic_on_oops=1
// kernel.keys.root_maxbytes=25000000
var kernelRuntimeParameters = map[string]int{
"vm.overcommit_memory": 1,
"vm.panic_on_oom": 0,
"kernel.panic": 10,
"kernel.panic_on_oops": 1,
"kernel.keys.root_maxbytes": 25000000,
"vm.overcommit_memory": 1,
"vm.panic_on_oom": 0,
"kernel.panic": 10,
"kernel.panic_on_oops": 1,
}

// sysctl retrieves the value of the given sysctl.
Expand Down Expand Up @@ -129,6 +125,16 @@ func validateCISReqs(nodeType string) error {
return nil
}

// setCISFlags validates and sets any CLI flags necessary to ensure
// compliance with the profile.
func setCISFlags(clx *cli.Context) error {
// If the user has specifically set this to false, raise an error
if clx.IsSet(pkdFlagName) && !clx.Bool(pkdFlagName) {
return fmt.Errorf("--%s must be true when using --profile=%s", pkdFlagName, profile)
}
return clx.Set(pkdFlagName, "true")
}

func NewApp() *cli.App {
app := cli.NewApp()
app.Name = appName
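Review bot: The second hunk drops `kernel.keys.root_maxbytes` from `kernelRuntimeParameters` but leaves the comment above it stating that the map holds the values expected by the Rancher Hardening guide for CIS 1.5, so a reader checking the profile against the guide will find a missing entry with no explanation; whether that parameter is enforced elsewhere (the kubelet's own `--protect-kernel-defaults` validation would be the natural place) is not visible in this change. Record the decision in the comment, e.g. `// kernel.keys.root_maxbytes is intentionally not validated here (see #389).`, and state where it is expected to be enforced once that is confirmed. The four remaining entries are unchanged apart from gofmt realignment.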
3 changes: 3 additions & 0 deletions pkg/cli/cmds/server.go
Expand Up @@ -108,6 +108,9 @@ func ServerRun(clx *cli.Context) error {
if err := validateCISReqs("server"); err != nil {
logrus.Fatal(err)
}
if err := setCISFlags(clx); err != nil {
logrus.Fatal(err)
}
case "":
logrus.Warn("not running in CIS 1.5 mode")
default:
10 changes: 1 addition & 9 deletions pkg/cli/defaults/defaults.go
Expand Up @@ -12,7 +12,7 @@ import (
"google.golang.org/grpc/grpclog"
)

func Set(clx *cli.Context, images images.Images, dataDir string, cisMode bool) error {
func Set(clx *cli.Context, images images.Images, dataDir string) error {
logsDir := filepath.Join(dataDir, "agent", "logs")
if err := os.MkdirAll(logsDir, 0755); err != nil {
return errors.Wrapf(err, "failed to create directory %s", logsDir)
Expand Down Expand Up @@ -45,14 +45,6 @@ func Set(clx *cli.Context, images images.Images, dataDir string, cisMode bool) e
},
cmds.AgentConfig.ExtraKubeletArgs...)

if cisMode {
cmds.AgentConfig.ExtraKubeletArgs = append(
[]string{
"protect-kernel-defaults=true",
},
cmds.AgentConfig.ExtraKubeletArgs...)
}

if !cmds.Debug {
l := grpclog.NewLoggerV2(ioutil.Discard, ioutil.Discard, os.Stderr)
grpclog.SetLoggerV2(l)
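Review bot: With the prepend removed, `protect-kernel-defaults` now reaches the kubelet only via the dedicated CLI flag, but the user-supplied `cmds.AgentConfig.ExtraKubeletArgs` on the line just above the deletion is still passed through untouched, so `--kubelet-arg=protect-kernel-defaults=false` is not caught by the new `setCISFlags` check and, depending on how the flag and extra args are merged downstream (not visible here), may override the forced value. Either reject that key in `ExtraKubeletArgs` when a CIS profile is active, or document that `--kubelet-arg` is not validated against the profile. A comment at the removal site would also help: `// protect-kernel-defaults is forced via the CLI flag in cmds.setCISFlags, not appended here.` `Set` continues past the end of the hunk.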
2 changes: 1 addition & 1 deletion pkg/rke2/rke2.go
Expand Up @@ -78,7 +78,7 @@ func setup(clx *cli.Context, cfg Config) error {
}

images := images.New(cfg.SystemDefaultRegistry)
if err := defaults.Set(clx, images, dataDir, cisMode); err != nil {
if err := defaults.Set(clx, images, dataDir); err != nil {
return err
}
