add extra confiuguration for CIS hardening

AshleyDumaine · AshleyDumaine · commit b66b1b1489bf · 2024-04-23T10:37:42.000-04:00
diff --git a/templates/flavors/rke2/rke2ConfigTemplate.yaml b/templates/flavors/rke2/rke2ConfigTemplate.yaml
@@ -10,6 +10,7 @@ spec:
         version: ${KUBERNETES_VERSION}
         nodeName: '{{ ds.meta_data.label }}'
         cisProfile: ${CIS_PROFILE:-"cis-1.23"}
+        protectKernelDefaults: true
       # TODO: use MDS to get public and private IP instead because hostname ordering can't always be assumed
       preRKE2Commands:
         - |
@@ -18,3 +19,6 @@ spec:
         - sed -i '/swap/d' /etc/fstab
         - swapoff -a
         - hostnamectl set-hostname '{{ ds.meta_data.label }}' && hostname -F /etc/hostname
+        - cp -f /usr/local/share/rke2/rke2-cis-sysctl.conf /etc/sysctl.d/60-rke2-cis.conf
+        - systemctl restart systemd-sysctl
+        - useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
diff --git a/templates/flavors/rke2/rke2ControlPlane.yaml b/templates/flavors/rke2/rke2ControlPlane.yaml
@@ -34,11 +34,15 @@ spec:
     version: ${KUBERNETES_VERSION}
     nodeName: '{{ ds.meta_data.label }}'
     cisProfile: ${CIS_PROFILE:-"cis-1.23"}
+    protectKernelDefaults: true
   preRKE2Commands:
     - |
       mkdir -p /etc/rancher/rke2/config.yaml.d/
       echo "node-ip: $(hostname -I | grep -oE 192\.168\.[0-9]+\.[0-9]+)" >> /etc/rancher/rke2/config.yaml.d/capi-config.yaml
     - sed -i '/swap/d' /etc/fstab
     - swapoff -a
     - hostnamectl set-hostname '{{ ds.meta_data.label }}' && hostname -F /etc/hostname
+    - cp -f /usr/local/share/rke2/rke2-cis-sysctl.conf /etc/sysctl.d/60-rke2-cis.conf
+    - systemctl restart systemd-sysctl
+    - useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
   replicas: ${CONTROL_PLANE_MACHINE_COUNT}
