Tomasz Szostak toszo
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kind: simplified-datafile | |
| version: 0.2.0 | |
| environment_name: Playground | |
| azure: | |
| subscription_name: YOUR-SUBSCRIPTION-NAME | |
| resource_group: 'playground' | |
| location: 'West Europe' | |
| image_offer: RHEL #UbuntuServer | |
| boot_storage: 'epiplaygrnd1' | |
| image_sku: 7.5 #18.04-LTS |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # We simply kill the process when there is a failure. Another systemd service will | |
| # automatically restart the process. | |
| function docker_monitoring { | |
| while [ 1 ]; do | |
| if ! timeout 10 docker ps > /dev/null; then | |
| echo "Docker daemon failed!" | |
| pkill docker | |
| # Wait for a while, as we don't want to kill it again before it is really up. | |
| sleep 30 | |
| else |
toszo
/ k3s on raspberry pi demo
Created
March 31, 2019 19:48
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Raspbian download | |
| # https://www.raspberrypi.org/downloads/ | |
| # OS Flash on USB - Etcher | |
| # https://www.balena.io/etcher/ | |
| # All nodes | |
| sudo raspi-config # Change User Password, Network Options/Hostname, Advances Options/Memory Split |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Exec on Master | |
| # Master init | |
| kubeadm init --pod-network-cidr 10.244.0.0/16 | |
| # Wynikiem tej komendy będzie token (TWOJ_JOIN_TOKEN) i discovery token (TWOJ_DISCO_TOKEN), który będzie wykorzystany do dołączania worker Node'ów. | |
| # Deployment pluginu sieciowego na Masterze. | |
| kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/a70459be0084506e4ec919aa1c114638878db11b/Documentation/kube-flannel.yml | |
| # Exec on Node |
toszo
/ run-kube-bench.sh
Created
April 8, 2019 06:34
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v $(which kubectl):/usr/bin/kubectl aquasec/kube-bench:latest master |
toszo
/ run-kube-bench-node.sh
Created
April 8, 2019 06:52
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sudo docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v $(which kubectl):/usr/bin/kubectl aquasec/kube-bench:latest node |
toszo
/ master-sec-benchmark-result.txt
Created
April 8, 2019 07:19
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [INFO] 1 Master Node Security Configuration | |
| [INFO] 1.1 API Server | |
| [FAIL] 1.1.1 Ensure that the --allow-privileged argument is set to false (Scored) | |
| [FAIL] 1.1.2 Ensure that the --anonymous-auth argument is set to false (Scored) | |
| [PASS] 1.1.3 Ensure that the --basic-auth-file argument is not set (Scored) | |
| [PASS] 1.1.4 Ensure that the --insecure-allow-any-token argument is not set (Scored) | |
| [PASS] 1.1.5 Ensure that the --kubelet-https argument is set to true (Scored) | |
| [PASS] 1.1.6 Ensure that the --insecure-bind-address argument is not set (Scored) | |
| [PASS] 1.1.7 Ensure that the --insecure-port argument is set to 0 (Scored) | |
| [PASS] 1.1.8 Ensure that the --secure-port argument is not set to 0 (Scored) |
toszo
/ kube-bench-example.txt
Created
April 8, 2019 07:31
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [FAIL] 1.1.1 Ensure that the --allow-privileged argument is set to false (Scored) | |
| [FAIL] 1.1.2 Ensure that the --anonymous-auth argument is set to false (Scored) | |
| ... | |
| == Remediations == | |
| 1.1.1 Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_ALLOW_PRIV parameter to "--allow-privileged=false" | |
| 1.1.2 Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS parameter to "--anonymous-auth=false" | |
| ... |
toszo
/ kube-bench-node.txt
Created
April 8, 2019 07:37
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [INFO] 2 Worker Node Security Configuration | |
| [INFO] 2.1 Kubelet | |
| [FAIL] 2.1.1 Ensure that the --allow-privileged argument is set to false (Scored) | |
| [FAIL] 2.1.2 Ensure that the --anonymous-auth argument is set to false (Scored) | |
| [FAIL] 2.1.3 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored) | |
| [FAIL] 2.1.4 Ensure that the --client-ca-file argument is set as appropriate (Scored) | |
| [FAIL] 2.1.5 Ensure that the --read-only-port argument is set to 0 (Scored) | |
| [FAIL] 2.1.6 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) | |
| [FAIL] 2.1.7 Ensure that the --protect-kernel-defaults argument is set to true (Scored) | |
| [PASS] 2.1.8 Ensure that the --make-iptables-util-chains argument is set to true (Scored) |
toszo
/ liveness.yaml
Last active
April 30, 2019 20:23
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #httpGet | |
| #... | |
| livenessProbe: | |
| httpGet: | |
| path: / | |
| port: 80 | |
| initialDelaySeconds: 15 | |
| periodSeconds: 15 | |
| #... | |
| #exec |
OlderNewer