Merge pull request #1295 from felipeac/bottlerocket-eks-cis-scan

Change/add params to support CIS scan

packages/kubernetes-1.15/kubelet-config

@@ -50,11 +50,13 @@ kubeReserved:
   ephemeral-storage: "{{default "1Gi" settings.kubernetes.kube-reserved.ephemeral-storage}}"
 resolvConf: "/etc/resolv.conf"
 hairpinMode: hairpin-veth
+readOnlyPort: 0
 cgroupDriver: systemd
 cgroupRoot: "/"
 runtimeRequestTimeout: 15m
 featureGates:
   RotateKubeletServerCertificate: true
+protectKernelDefaults: true
 serializeImagePulls: false
 serverTLSBootstrap: true
 configMapAndSecretChangeDetectionStrategy: Cache

packages/kubernetes-1.15/kubelet-sysctl.conf

@@ -0,0 +1,2 @@
+# Overcommit handling mode - 1: Always overcommit
+vm.overcommit_memory = 1

packages/kubernetes-1.15/kubernetes-1.15.spec

@@ -23,6 +23,7 @@ Source5: kubernetes-ca-crt
 Source6: kubelet-exec-start-conf
 Source7: kubelet-bootstrap-kubeconfig
 Source8: kubernetes-tmpfiles.conf
+Source9: kubelet-sysctl.conf
 Source1000: clarify.toml
 Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch
 
@@ -92,6 +93,9 @@ ln -rs \
   %{buildroot}%{_sharedstatedir}/kubelet/plugins \
   %{buildroot}%{_cross_libexecdir}/kubernetes/kubelet-plugins
 
+mkdir -p %{buildroot}%{_cross_sysctldir}
+install -p -m 0644 %{S:9} %{buildroot}%{_cross_sysctldir}/90-kubelet.conf
+
 %cross_scan_attribution --clarify %{S:1000} go-vendor vendor
 
 %files -n %{_cross_os}kubelet-1.15
@@ -110,5 +114,6 @@ ln -rs \
 %{_cross_tmpfilesdir}/kubernetes.conf
 %dir %{_cross_libexecdir}/kubernetes
 %{_cross_libexecdir}/kubernetes/kubelet-plugins
+%{_cross_sysctldir}/90-kubelet.conf
 
 %changelog

packages/kubernetes-1.16/kubelet-config

@@ -50,11 +50,13 @@ kubeReserved:
   ephemeral-storage: "{{default "1Gi" settings.kubernetes.kube-reserved.ephemeral-storage}}"
 resolvConf: "/etc/resolv.conf"
 hairpinMode: hairpin-veth
+readOnlyPort: 0
 cgroupDriver: systemd
 cgroupRoot: "/"
 runtimeRequestTimeout: 15m
 featureGates:
   RotateKubeletServerCertificate: true
+protectKernelDefaults: true
 serializeImagePulls: false
 serverTLSBootstrap: true
 configMapAndSecretChangeDetectionStrategy: Cache

packages/kubernetes-1.16/kubelet-sysctl.conf

@@ -0,0 +1,2 @@
+# Overcommit handling mode - 1: Always overcommit
+vm.overcommit_memory = 1

packages/kubernetes-1.16/kubernetes-1.16.spec

@@ -23,6 +23,7 @@ Source5: kubernetes-ca-crt
 Source6: kubelet-exec-start-conf
 Source7: kubelet-bootstrap-kubeconfig
 Source8: kubernetes-tmpfiles.conf
+Source9: kubelet-sysctl.conf
 Source1000: clarify.toml
 Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch
 
@@ -88,6 +89,9 @@ ln -rs \
   %{buildroot}%{_sharedstatedir}/kubelet/plugins \
   %{buildroot}%{_cross_libexecdir}/kubernetes/kubelet-plugins
 
+mkdir -p %{buildroot}%{_cross_sysctldir}
+install -p -m 0644 %{S:9} %{buildroot}%{_cross_sysctldir}/90-kubelet.conf  
+
 %cross_scan_attribution --clarify %{S:1000} go-vendor vendor
 
 %files -n %{_cross_os}kubelet-1.16
@@ -106,5 +110,6 @@ ln -rs \
 %{_cross_tmpfilesdir}/kubernetes.conf
 %dir %{_cross_libexecdir}/kubernetes
 %{_cross_libexecdir}/kubernetes/kubelet-plugins
+%{_cross_sysctldir}/90-kubelet.conf
 
 %changelog

packages/kubernetes-1.17/kubelet-config

@@ -50,12 +50,14 @@ kubeReserved:
   ephemeral-storage: "{{default "1Gi" settings.kubernetes.kube-reserved.ephemeral-storage}}"
 resolvConf: "/etc/resolv.conf"
 hairpinMode: hairpin-veth
+readOnlyPort: 0
 cgroupDriver: systemd
 cgroupRoot: "/"
 runtimeRequestTimeout: 15m
 featureGates:
   RotateKubeletServerCertificate: true
   CSIMigration: false
+protectKernelDefaults: true
 serializeImagePulls: false
 serverTLSBootstrap: true
 configMapAndSecretChangeDetectionStrategy: Cache

packages/kubernetes-1.17/kubelet-sysctl.conf

@@ -0,0 +1,2 @@
+# Overcommit handling mode - 1: Always overcommit
+vm.overcommit_memory = 1

packages/kubernetes-1.17/kubernetes-1.17.spec

@@ -23,6 +23,7 @@ Source5: kubernetes-ca-crt
 Source6: kubelet-exec-start-conf
 Source7: kubelet-bootstrap-kubeconfig
 Source8: kubernetes-tmpfiles.conf
+Source9: kubelet-sysctl.conf
 Source1000: clarify.toml
 Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch
 
@@ -88,6 +89,9 @@ ln -rs \
   %{buildroot}%{_sharedstatedir}/kubelet/plugins \
   %{buildroot}%{_cross_libexecdir}/kubernetes/kubelet-plugins
 
+mkdir -p %{buildroot}%{_cross_sysctldir}
+install -p -m 0644 %{S:9} %{buildroot}%{_cross_sysctldir}/90-kubelet.conf
+
 %cross_scan_attribution --clarify %{S:1000} go-vendor vendor
 
 %files -n %{_cross_os}kubelet-1.17
@@ -106,5 +110,6 @@ ln -rs \
 %{_cross_tmpfilesdir}/kubernetes.conf
 %dir %{_cross_libexecdir}/kubernetes
 %{_cross_libexecdir}/kubernetes/kubelet-plugins
+%{_cross_sysctldir}/90-kubelet.conf
 
 %changelog

packages/kubernetes-1.18/kubelet-config

@@ -50,12 +50,14 @@ kubeReserved:
   ephemeral-storage: "{{default "1Gi" settings.kubernetes.kube-reserved.ephemeral-storage}}"
 resolvConf: "/etc/resolv.conf"
 hairpinMode: hairpin-veth
+readOnlyPort: 0
 cgroupDriver: systemd
 cgroupRoot: "/"
 runtimeRequestTimeout: 15m
 featureGates:
   RotateKubeletServerCertificate: true
   CSIMigration: false
+protectKernelDefaults: true
 serializeImagePulls: false
 serverTLSBootstrap: true
 configMapAndSecretChangeDetectionStrategy: Cache

packages/kubernetes-1.18/kubelet-sysctl.conf

@@ -0,0 +1,2 @@
+# Overcommit handling mode - 1: Always overcommit
+vm.overcommit_memory = 1

packages/kubernetes-1.18/kubernetes-1.18.spec

@@ -23,6 +23,7 @@ Source5: kubernetes-ca-crt
 Source6: kubelet-exec-start-conf
 Source7: kubelet-bootstrap-kubeconfig
 Source8: kubernetes-tmpfiles.conf
+Source9: kubelet-sysctl.conf
 Source1000: clarify.toml
 Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch
 
@@ -85,6 +86,9 @@ ln -rs \
   %{buildroot}%{_sharedstatedir}/kubelet/plugins \
   %{buildroot}%{_cross_libexecdir}/kubernetes/kubelet-plugins
 
+mkdir -p %{buildroot}%{_cross_sysctldir}
+install -p -m 0644 %{S:9} %{buildroot}%{_cross_sysctldir}/90-kubelet.conf
+
 %cross_scan_attribution --clarify %{S:1000} go-vendor vendor
 
 %files -n %{_cross_os}kubelet-1.18
@@ -103,5 +107,6 @@ ln -rs \
 %{_cross_tmpfilesdir}/kubernetes.conf
 %dir %{_cross_libexecdir}/kubernetes
 %{_cross_libexecdir}/kubernetes/kubelet-plugins
+%{_cross_sysctldir}/90-kubelet.conf
 
 %changelog

packages/kubernetes-1.19/kubelet-config

@@ -50,12 +50,14 @@ kubeReserved:
   ephemeral-storage: "{{default "1Gi" settings.kubernetes.kube-reserved.ephemeral-storage}}"
 resolvConf: "/etc/resolv.conf"
 hairpinMode: hairpin-veth
+readOnlyPort: 0
 cgroupDriver: systemd
 cgroupRoot: "/"
 runtimeRequestTimeout: 15m
 featureGates:
   RotateKubeletServerCertificate: true
   CSIMigration: false
+protectKernelDefaults: true
 serializeImagePulls: false
 serverTLSBootstrap: true
 configMapAndSecretChangeDetectionStrategy: Cache

packages/kubernetes-1.19/kubelet-sysctl.conf

@@ -0,0 +1,2 @@
+# Overcommit handling mode - 1: Always overcommit
+vm.overcommit_memory = 1

packages/kubernetes-1.19/kubernetes-1.19.spec

@@ -23,6 +23,7 @@ Source5: kubernetes-ca-crt
 Source6: kubelet-exec-start-conf
 Source7: kubelet-bootstrap-kubeconfig
 Source8: kubernetes-tmpfiles.conf
+Source9: kubelet-sysctl.conf
 Source1000: clarify.toml
 Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch
 
@@ -82,6 +83,9 @@ ln -rs \
   %{buildroot}%{_sharedstatedir}/kubelet/plugins \
   %{buildroot}%{_cross_libexecdir}/kubernetes/kubelet-plugins
 
+mkdir -p %{buildroot}%{_cross_sysctldir}
+install -p -m 0644 %{S:9} %{buildroot}%{_cross_sysctldir}/90-kubelet.conf
+
 %cross_scan_attribution --clarify %{S:1000} go-vendor vendor
 
 %files -n %{_cross_os}kubelet-1.19
@@ -100,5 +104,6 @@ ln -rs \
 %{_cross_tmpfilesdir}/kubernetes.conf
 %dir %{_cross_libexecdir}/kubernetes
 %{_cross_libexecdir}/kubernetes/kubelet-plugins
+%{_cross_sysctldir}/90-kubelet.conf
 
 %changelog

packages/release/release-sysctl.conf

@@ -2,8 +2,11 @@
 # Maximize console logging level for kernel printk messages
 kernel.printk = 8 4 1 7
 
-# Wait 30 seconds and then reboot
-kernel.panic = 30
+# Wait 10 seconds and then reboot
+kernel.panic = 10
+
+# Controls the kernel's behaviour when an oops or BUG is encountered
+kernel.panic_on_oops = 1
 
 # Allow neighbor cache entries to expire even when the cache is not full
 net.ipv4.neigh.default.gc_thresh1 = 0