This repo contains the playbook needed to set up an on-premises K3s cluster and securize it.
The accompanying blog for this project is found here: https://digitalis.io/blog/kubernetes/k3s-lightweight-kubernetes-made-ready-for-production-part-1/
There is an hardening role, that will target your nodes and securize them using best pratices from CIS Benchmark and STIG Guidelines. You can use your own role or one of the official ansible available roles like:
- https://github.com/ansible-lockdown/RHEL8-STIG/
- https://github.com/ansible-lockdown/RHEL8-CIS/
It is possible to tweak the hardening using host-vars, mainly packages names (that depends on your distribution of choiche):
aide_package: 'aide'
auditd_package: 'audit'
modprobe_package: 'kmod'
unwanted_pkg:
- mcstrans
- rsh
- rsh-server
- setroubleshoot
- telnet-server
- talk
- tftp
- tftp-server
- xinetd
- ypserv
kernel_packages:
- kernel
- kernel-headers
- kernel-devel
And various tweaks on password aging, sessions timeout and so on.
This one will take care of setting up your cluster for K3s. Also here, adjust packages names accoring to your distribution of choiche:
k3s_dependencies:
- conntrack-tools
- curl
- ebtables
- epel-release
- ethtool
- gawk
- grep
- ipvsadm
- iscsi-initiator-utils
- libseccomp
- socat
- util-linux
It is highly recommended to follow an internal/external network layout for your cluster, as showed in this little diagram
To enable this just give two different names to the internal and external interface, according to your distro of choiche naming scheme
external_interface: eth0
internal_interface: eth1
Also you can decide here what CIDR should your cluster use
cluster_cidr: 10.43.0.0/16
service_cidr: 10.44.0.0/16
Lots of customization here, you can configure your Kubernetes cluster version
k3s_version: v1.20.5+k3s1
You can configure your ingress hostnames, if not specified (default) it will use nip.io to resolve your IPs
ingress_hostname: your.dns.name.io
You can (really have to) configure your MetalLB ip ranges here
metallb_external_ip_range: 192.168.1.200-192.168.1.240
metallb_internal_ip_range: 10.10.90.100-10.10.90.240
Still referring to a dual-network layout. Just leave the internal one empty if not using a dual-layout one
You can then customize the keepalive VIP and interface
keepalived_interface: eth0
keepalived_addr_cidr: 192.168.122.100/24
keepalived_ip: 192.168.122.100
And then a plethora of configs possible for falco sidekick. Refer to their docs (https://github.com/falcosecurity/falcosidekick) to customize your integrations
falco_security_enabled: yes
falco_sidekick_slack: ""
falco_sidekick_slack_priority: "warning"
falco_sidekick_alertmanager: "..."
falco_sidekick_alertmanager_priority: "..."
falco_sidekick_discord: "..."
falco_sidekick_discord_priority: "..."
falco_sidekick_googlechat: "..."
falco_sidekick_googlechat_priority: "..."
falco_sidekick_kubeless_function: "..."
falco_sidekick_kubeless_namespace: "..."
falco_sidekick_kubeless_priority: "..."
falco_sidekick_mattermost: "..."
falco_sidekick_mattermost_priority: "..."
falco_sidekick_rocketchat: "..."
falco_sidekick_rocketchat_priority: "..."
falco_sidekick_slack: "..."
falco_sidekick_slack_priority: "..."
falco_sidekick_teams: "..."
falco_sidekick_teams_priority: "..."
The playbook and inventory are ready to use, just start from the example inventory ./inventory-k3s.yml
and fill your secrets
and infrastructure IPs (metallb ranges, host IPs, interface naming etc...)
This is the cluster layout at the end of the provisioning. Bear in mind that this is customizable in both versions and components