digitalis-io / k3s-on-prem-production

Playbooks needed to set up an on-premises K3s cluster and secure it

License: Apache License 2.0

Jinja 53.22% YAML 46.78%
kubernetes kubernetes-cluster kubernetes-deployment k3s k3s-cluster security onprem onpremise onpremises ansible

k3s-on-prem-production's People

Contributors

89luca89, millerjp, morriq


k3s-on-prem-production's Issues

/dev/kmsg Issue

Hi @89luca89,

I'm still trying to adapt this to run in Ubuntu 20.04, now on the k3s-deploy role, I'm getting this error:

"Failed to run kubelet" err="failed to run Kubelet: failed to create kubelet: open /dev/kmsg: permission denied"

I've searched for this error, and everything points to either a non-root user or LXD, but I know neither of these is actually used in the configuration.

Do you know something that may have caused this? Thanks.

RHEL only?

Hi,

I haven't read all of the Ansible tasks, but I'm currently using Ubuntu distros for the nodes, and fixing here and there for the differences in packages (such as replacing crond with cron, audit with auditd, and so on). I'm beginning to wonder, or maybe it is mentioned somewhere in the README, is it tested / meant for CentOS only? I gave up at the error: "Update Grub and Initramfs /RedHat". Thanks.

PodSecurityPolicy FEATURE STATE: Kubernetes v1.21 [deprecated]

Hello!

I would first like to say that I am amazed by the content of your blog post/repository. I am learning a lot and it gives me great ideas. Therefore, thank you for sharing!!!

I do want to ask what your opinion is on the PodSecurityPolicy Admission Controller, since it is deprecated now (https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy).

Do you think, for example, that the SecurityContextDeny Controller would be a good replacement? Rancher is referring to it regarding the CIS benchmark requirements here: https://rancher.com/docs/k3s/latest/en/security/self_assessment/#1-2-13

Thank you,
Gera

Nginx Ingress Update Templates to Stable

Hi,

Considering that the nginx ingress has now moved to stable in its latest version, as described here, it has removed many of its "v1beta1" resources. Can you suggest how to update the nginx templates in the roles/k3s-deploy/templates/ingress/*.j2 files? I've tried only updating k3s_version: v1.22.4+k3s1 and nginx_ingress_version: 1.0.5 in the defaults main.yml without modifying any of the templates, but it errors with: "failed to list *v1beta1.Ingress: the server could not find the requested resource", which is still looking for the deprecated v1beta1 resource. The official migration example here from the nginx ingress only lists basic examples, while the templates use different approaches (such as PodSecurityPolicy, WebHook, etc.) which I'm not yet familiar with. Thank you.

fails at [hardening : Wait for system to become reachable]

Any idea what I did wrong?
I used centos-stream-8 as the image.

worker-02 was failing earlier with the same error message

TASK [hardening : Wait for system to become reachable] ********************************************************************************
fatal: [worker-03]: FAILED! => {"changed": false, "elapsed": 301, "msg": "timed out waiting for ping module test: Failed to connect to the host via ssh: #################################################################################\n#                            Welcome to worker-03\n#           Authorized uses only. All activity may be monitored and reported.\n#              Disconnect IMMEDIATELY if you are not an authorized user!\n#################################################################################\nroot@<MYIP>5: Permission denied (publickey,password)."}
fatal: [worker-01]: FAILED! => {"changed": false, "elapsed": 301, "msg": "timed out waiting for ping module test: Failed to connect to the host via ssh: #################################################################################\n#                            Welcome to worker-01\n#           Authorized uses only. All activity may be monitored and reported.\n#              Disconnect IMMEDIATELY if you are not an authorized user!\n#################################################################################\nroot@<MYIP>: Permission denied (publickey,password)."}
fatal: [master-02]: FAILED! => {"changed": false, "elapsed": 301, "msg": "timed out waiting for ping module test: Failed to connect to the host via ssh: #################################################################################\n#                            Welcome to master-02\n#           Authorized uses only. All activity may be monitored and reported.\n#              Disconnect IMMEDIATELY if you are not an authorized user!\n#################################################################################\nroot@<MYIP>: Permission denied (publickey,password)."}
fatal: [master-03]: FAILED! => {"changed": false, "elapsed": 302, "msg": "timed out waiting for ping module test: Failed to connect to the host via ssh: #################################################################################\n#                            Welcome to master-03\n#           Authorized uses only. All activity may be monitored and reported.\n#              Disconnect IMMEDIATELY if you are not an authorized user!\n#################################################################################\nroot@<MYIP>: Permission denied (publickey,password)."}
fatal: [master-01]: FAILED! => {"changed": false, "elapsed": 302, "msg": "timed out waiting for ping module test: Failed to connect to the host via ssh: #################################################################################\n#                            Welcome to master-01\n#           Authorized uses only. All activity may be monitored and reported.\n#              Disconnect IMMEDIATELY if you are not an authorized user!\n#################################################################################\nroot@<MYIP>: Permission denied (publickey,password)."}

NO MORE HOSTS LEFT ********************************************************************************************************************

NO MORE HOSTS LEFT ********************************************************************************************************************

PLAY RECAP ****************************************************************************************************************************
master-01                  : ok=78   changed=55   unreachable=0    failed=1    skipped=4    rescued=0    ignored=0
master-02                  : ok=78   changed=55   unreachable=0    failed=1    skipped=4    rescued=0    ignored=0
master-03                  : ok=78   changed=55   unreachable=0    failed=1    skipped=4    rescued=0    ignored=0
worker-01                  : ok=78   changed=55   unreachable=0    failed=1    skipped=4    rescued=0    ignored=0
worker-02                  : ok=59   changed=43   unreachable=1    failed=0    skipped=1    rescued=0    ignored=0
worker-03                  : ok=78   changed=55   unreachable=0    failed=1    skipped=4    rescued=0    ignored=0
