This repo contains the playbook needed to set up an on-premises K3s cluster and securize it.
The accompanying blog for this project is found here: https://digitalis.io/blog/kubernetes/k3s-lightweight-kubernetes-made-ready-for-production-part-1/
There is an hardening role, that will target your nodes and securize them using best pratices from CIS Benchmark and STIG Guidelines. You can use your own role or one of the official ansible available roles like:
- https://github.com/ansible-lockdown/RHEL8-STIG/
- https://github.com/ansible-lockdown/RHEL8-CIS/
It is possible to tweak the hardening using host-vars, mainly packages names (that depends on your distribution of choiche):
aide_package: 'aide'
auditd_package: 'audit'
modprobe_package: 'kmod'
unwanted_pkg:
- mcstrans
- rsh
- rsh-server
- setroubleshoot
- telnet-server
- talk
- tftp
- tftp-server
- xinetd
- ypserv
kernel_packages:
- kernel
- kernel-headers
- kernel-develAnd various tweaks on password aging, sessions timeout and so on.
This one will take care of setting up your cluster for K3s. Also here, adjust packages names accoring to your distribution of choiche:
k3s_dependencies:
- conntrack-tools
- curl
- ebtables
- epel-release
- ethtool
- gawk
- grep
- ipvsadm
- iscsi-initiator-utils
- libseccomp
- socat
- util-linuxIt is highly recommended to follow an internal/external network layout for your cluster, as showed in this little diagram
To enable this just give two different names to the internal and external interface, according to your distro of choiche naming scheme
external_interface: eth0
internal_interface: eth1Also you can decide here what CIDR should your cluster use
cluster_cidr: 10.43.0.0/16
service_cidr: 10.44.0.0/16Lots of customization here, you can configure your Kubernetes cluster version
k3s_version: v1.20.5+k3s1You can configure your ingress hostnames, if not specified (default) it will use nip.io to resolve your IPs
ingress_hostname: your.dns.name.ioYou can (really have to) configure your MetalLB ip ranges here
metallb_external_ip_range: 192.168.1.200-192.168.1.240
metallb_internal_ip_range: 10.10.90.100-10.10.90.240Still referring to a dual-network layout. Just leave the internal one empty if not using a dual-layout one
You can then customize the keepalive VIP and interface
keepalived_interface: eth0
keepalived_addr_cidr: 192.168.122.100/24
keepalived_ip: 192.168.122.100And then a plethora of configs possible for falco sidekick. Refer to their docs (https://github.com/falcosecurity/falcosidekick) to customize your integrations
falco_security_enabled: yes
falco_sidekick_slack: ""
falco_sidekick_slack_priority: "warning"
falco_sidekick_alertmanager: "..."
falco_sidekick_alertmanager_priority: "..."
falco_sidekick_discord: "..."
falco_sidekick_discord_priority: "..."
falco_sidekick_googlechat: "..."
falco_sidekick_googlechat_priority: "..."
falco_sidekick_kubeless_function: "..."
falco_sidekick_kubeless_namespace: "..."
falco_sidekick_kubeless_priority: "..."
falco_sidekick_mattermost: "..."
falco_sidekick_mattermost_priority: "..."
falco_sidekick_rocketchat: "..."
falco_sidekick_rocketchat_priority: "..."
falco_sidekick_slack: "..."
falco_sidekick_slack_priority: "..."
falco_sidekick_teams: "..."
falco_sidekick_teams_priority: "..."The playbook and inventory are ready to use, just start from the example inventory ./inventory-k3s.yml and fill your secrets
and infrastructure IPs (metallb ranges, host IPs, interface naming etc...)
This is the cluster layout at the end of the provisioning. Bear in mind that this is customizable in both versions and components
