From 5cfe3a36ce2eb2631614e6b467fe08fdd3c6b736 Mon Sep 17 00:00:00 2001 From: James Landrein Date: Fri, 10 Mar 2023 16:53:52 +0100 Subject: [PATCH] Add Documentation for Kubelet CSR Approver Co-Authored-By: Arthur Outhenin-Chalandre --- docs/hardening.md | 5 ++--- docs/vars.md | 6 +++--- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/docs/hardening.md b/docs/hardening.md index 521e7d8c00f..d791c4dee66 100644 --- a/docs/hardening.md +++ b/docs/hardening.md @@ -117,7 +117,8 @@ Let's take a deep look to the resultant **kubernetes** configuration: * The `anonymous-auth` (on `kube-apiserver`) is set to `true` by default. This is fine, because it is considered safe if you enable `RBAC` for the `authorization-mode`. * The `enable-admission-plugins` has not the `PodSecurityPolicy` admission plugin. This because it is going to be definitely removed from **kubernetes** `v1.25`. For this reason we decided to set the newest `PodSecurity` (for more details, please take a look here: ). Then, we set the `EventRateLimit` plugin, providing additional configuration files (that are automatically created under the hood and mounted inside the `kube-apiserver` container) to make it work. * The `encryption-provider-config` provide encryption at rest. This means that the `kube-apiserver` encrypt data that is going to be stored before they reach `etcd`. So the data is completely unreadable from `etcd` (in case an attacker is able to exploit this). -* The `rotateCertificates` in `KubeletConfiguration` is set to `true` along with `serverTLSBootstrap`. This could be used in alternative to `tlsCertFile` and `tlsPrivateKeyFile` parameters. Additionally it automatically generates certificates by itself, but you need to manually approve them or at least using an operator to do this (for more details, please take a look here: ). +* The `rotateCertificates` in `KubeletConfiguration` is set to `true` along with `serverTLSBootstrap`. This could be used in alternative to `tlsCertFile` and `tlsPrivateKeyFile` parameters. Additionally it automatically generates certificates by itself. By default the CSRs are approved automatically via [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver). You can customize approval configuration by modifying Helm values via `kubelet_csr_approver_values`. + See for more information on the subject. * If you are installing **kubernetes** in an AppArmor-based OS (eg. Debian/Ubuntu) you can enable the `AppArmor` feature gate uncommenting the lines with the comment `# AppArmor-based OS` on top. * The `kubelet_systemd_hardening`, both with `kubelet_secure_addresses` setup a minimal firewall on the system. To better understand how these variables work, here's an explanatory image: ![kubelet hardening](img/kubelet-hardening.png) @@ -134,5 +135,3 @@ ansible-playbook -v cluster.yml \ ``` **N.B.** The `vars.yaml` contains our general cluster information (SANs, load balancer, dns, etc..) and `hardening.yaml` is the file described above. - -Once completed the cluster deployment, don't forget to approve the generated certificates (check them with `kubectl get csr`, approve with `kubectl certificate approve `). This action is necessary because the `secureTLSBootstrap` option and `RotateKubeletServerCertificate` feature gate for `kubelet` are enabled (CIS [4.2.11](https://www.tenable.com/audits/items/CIS_Kubernetes_v1.20_v1.0.0_Level_1_Worker.audit:05af3dfbca8e0c3fb3559c6c7de29191), [4.2.12](https://www.tenable.com/audits/items/CIS_Kubernetes_v1.20_v1.0.0_Level_1_Worker.audit:5351c76f8c5bff8f98c29a5200a35435)). diff --git a/docs/vars.md b/docs/vars.md index 06f1e6f6fbc..6ff12c3cd18 100644 --- a/docs/vars.md +++ b/docs/vars.md @@ -199,9 +199,9 @@ Stack](https://github.com/kubernetes-sigs/kubespray/blob/master/docs/dns-stack.m * *kubelet_rotate_server_certificates* - Auto rotate the kubelet server certificates by requesting new certificates from the kube-apiserver when the certificate expiration approaches. - **Note** that server certificates are **not** approved automatically. Approve them manually - (`kubectl get csr`, `kubectl certificate approve`) or implement custom approving controller like - [kubelet-rubber-stamp](https://github.com/kontena/kubelet-rubber-stamp). + Note that enabling this also activates *kubelet_csr_approver* which approves automatically the CSRs. + To customize its behavior, you can override the Helm values via *kubelet_csr_approver_values*. + See [kubelet-csr-approver](https://github.com/postfinance/kubelet-csr-approver) for more information. * *kubelet_streaming_connection_idle_timeout* - Set the maximum time a streaming connection can be idle before the connection is automatically closed.