
Commit e08eb94

JunSun17jackfrancis
authored andcommitted
Added CIS-reported apiserver config changes (#1989)
1 parent b05ffb5 commit e08eb94


2 files changed

+21
-4
lines changed


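--- a/docs/clusterdefinition.md
+++ b/docs/clusterdefinition.md
@@ -280,17 +280,25 @@ Below is a list of apiserver options that are *not* currently user-configurable,
 
 |apiserver option|default value|
 |---|---|
-|"--admission-control"|"NamespaceLifecycle, LimitRanger, ServiceAccount, DefaultStorageClass, ResourceQuota, DenyEscalatingExec"|
+|"--admission-control"|"NamespaceLifecycle, LimitRanger, ServiceAccount, DefaultStorageClass, ResourceQuota, DenyEscalatingExec, AlwaysPullImages, SecurityContextDeny"|
 |"--address"|"0.0.0.0"|
 |"--advertise-address"|*calculated value that represents listening URI for API server*|
 |"--allow-privileged"|"true"|
+|"--anonymous-auth"|"false|
+|"--audit-log-maxage"|"30"|
+|"--audit-log-maxbackup"|"10"|
+|"--audit-log-maxsize"|"100"|
+|"--audit-log-path"|"/var/log/apiserver/audit.log"|
 |"--insecure-port"|"8080"|
 |"--secure-port"|"443"|
+|"--service-account-lookup"|"true"|
 |"--etcd-cafile"|"/etc/kubernetes/certs/ca.crt"|
 |"--etcd-certfile"|"/etc/kubernetes/certs/etcdclient.crt"|
 |"--etcd-keyfile"|"/etc/kubernetes/certs/etcdclient.key"|
 |"--etcd-servers"|*calculated value that represents etcd servers*|
 |"--etcd-quorum-read"|"true"|
+|"--profiling"|"false"|
+|"--repair-malformed-updates"|"false"|
 |"--tls-cert-file"|"/etc/kubernetes/certs/apiserver.crt"|
 |"--tls-private-key-file"|"/etc/kubernetes/certs/apiserver.key"|
 |"--client-ca-file"|"/etc/kubernetes/certs/ca.crt"|
@@ -300,7 +308,7 @@ Below is a list of apiserver options that are *not* currently user-configurable,
 |"--service-cluster-ip-range"|*see serviceCIDR*|
 |"--storage-backend"|*calculated value that represents etcd version*|
 |"--v"|"4"|
-|"--authorization-mode"|"RBAC" (*if enabledRbac is true*)|
+|"--authorization-mode"|"Node", and "RBAC" (*if enabledRbac is true*)|
 |"--experimental-encryption-provider-config"|"/etc/kubernetes/encryption-config.yaml" (*if enableDataEncryptionAtRest is true*)|
 |"--requestheader-client-ca-file"|"/etc/kubernetes/certs/proxy-ca.crt" (*if enableAggregatedAPIs is true*)|
 |"--proxy-client-cert-file"|"/etc/kubernetes/certs/proxy.crt" (*if enableAggregatedAPIs is true*)|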

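--- a/pkg/acsengine/defaults-apiserver.go
+++ b/pkg/acsengine/defaults-apiserver.go
@@ -10,12 +10,19 @@ import (
 func setAPIServerConfig(cs *api.ContainerService) {
 o := cs.Properties.OrchestratorProfile
 staticLinuxAPIServerConfig := map[string]string{
-"--admission-control": "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DenyEscalatingExec",
+"--admission-control": "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DenyEscalatingExec,AlwaysPullImages,SecurityContextDeny",
 "--address": "0.0.0.0",
 "--advertise-address": "<kubernetesAPIServerIP>",
 "--allow-privileged": "true",
+"--anonymous-auth": "false",
+"--audit-log-maxage": "30",
+"--audit-log-maxbackup": "10",
+"--audit-log-maxsize": "100",
+"--audit-log-path": "/var/log/apiserver/audit.log",
+"--authorization-mode": "Node",
 "--insecure-port": "8080",
 "--secure-port": "443",
+"--service-account-lookup": "true",
 "--etcd-cafile": "/etc/kubernetes/certs/ca.crt",
 "--etcd-certfile": "/etc/kubernetes/certs/etcdclient.crt",
 "--etcd-keyfile": "/etc/kubernetes/certs/etcdclient.key",
@@ -24,6 +31,8 @@ func setAPIServerConfig(cs *api.ContainerService) {
 "--tls-cert-file": "/etc/kubernetes/certs/apiserver.crt",
 "--tls-private-key-file": "/etc/kubernetes/certs/apiserver.key",
 "--client-ca-file": "/etc/kubernetes/certs/ca.crt",
+"--profiling": "false",
+"--repair-malformed-updates": "false",
 "--service-account-key-file": "/etc/kubernetes/certs/apiserver.key",
 "--kubelet-client-certificate": "/etc/kubernetes/certs/client.crt",
 "--kubelet-client-key": "/etc/kubernetes/certs/client.key",
@@ -34,7 +43,7 @@ func setAPIServerConfig(cs *api.ContainerService) {
 
 // RBAC configuration
 if helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableRbac) {
-staticLinuxAPIServerConfig["--authorization-mode"] = "RBAC"
+staticLinuxAPIServerConfig["--authorization-mode"] = "Node,RBAC"
 }
 
 // Data Encryption at REST configuration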
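Review bot: `"--insecure-port": "8080"` is left in the static map, which keeps an unauthenticated, unauthorized listener on the master that bypasses the `--anonymous-auth=false`, `Node`/`RBAC` authorization and audit settings this commit adds; the same CIS benchmark recommends disabling it, so unless something on the master still depends on localhost:8080 the entry should become `"--insecure-port": "0",` (and the docs table updated to match). The non-RBAC path now runs with `--authorization-mode=Node` alone; as far as I recall the Node authorizer only authorizes kubelet identities in `system:nodes` and returns no opinion for everything else, which with no other authorizer listed would deny every other client — worth verifying against a cluster built with enableRbac false before relying on that default. `setAPIServerConfig` continues past the last hunk.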
