增加[可选]OS安全加固脚本

zhxiaom5 · May 19, 2018 · 58ccd3b · 58ccd3b
1 parent a0d3ac6
commit 58ccd3b
Show file tree

Hide file tree

Showing 13 changed files with 32 additions and 80 deletions.
diff --git a/01.prepare.yml b/01.prepare.yml
@@ -1,3 +1,8 @@
+# [可选]操作系统安全加固 https://github.com/dev-sec/ansible-os-hardening
+- hosts: all
+  roles:
+  - { role: os-harden, when: "OS_HARDEN is defined and OS_HARDEN == 'yes'" }
+
 # 在deploy节点生成CA相关证书，以及kubedns.yaml配置文件
 - hosts: deploy
   roles:

diff --git a/11.harbor.yml b/11.harbor.yml
@@ -1,5 +1,6 @@
 - hosts: harbor
   roles:
+  - { role: os-harden, when: "OS_HARDEN is defined and OS_HARDEN == 'yes'" }
   - prepare
   - docker
   - harbor

diff --git a/20.addnode.yml b/20.addnode.yml
@@ -1,5 +1,6 @@
 - hosts: new-node
   roles:
+  - { role: os-harden, when: "OS_HARDEN is defined and OS_HARDEN == 'yes'" }
   - prepare
   - docker
   - kube-node

diff --git a/21.addmaster.yml b/21.addmaster.yml
@@ -8,6 +8,7 @@
 
 - hosts: new-master 
   roles:
+  - { role: os-harden, when: "OS_HARDEN is defined and OS_HARDEN == 'yes'" }
   - prepare
   - docker
   - kube-master

diff --git a/90.setup.yml b/90.setup.yml
@@ -1,3 +1,8 @@
+# [可选]操作系统安全加固 https://github.com/dev-sec/ansible-os-hardening
+- hosts: all
+  roles:
+  - { role: os-harden, when: "OS_HARDEN is defined and OS_HARDEN == 'yes'" }
+
 # 在deploy节点生成CA相关证书，以供整个集群使用
 # 以及初始化kubedns.yaml配置文件
 - hosts: deploy

diff --git a/example/hosts.allinone.example b/example/hosts.allinone.example
@@ -75,6 +75,9 @@ BASIC_AUTH_USER="admin"
 BASIC_AUTH_PASS="test1234"
 
 # ---------附加参数--------------------
+#是否对操作系统进行安全加固 "yes"/"no"
+OS_HARDEN="no"
+
 #默认二进制文件目录
 bin_dir="/opt/kube/bin"
 

diff --git a/example/hosts.m-masters.example b/example/hosts.m-masters.example
@@ -92,6 +92,9 @@ BASIC_AUTH_USER="admin"
 BASIC_AUTH_PASS="test1234"
 
 # ---------附加参数--------------------
+#是否对操作系统进行安全加固 "yes"/"no"
+OS_HARDEN="no"
+
 #默认二进制文件目录
 bin_dir="/opt/kube/bin"
 

diff --git a/example/hosts.s-master.example b/example/hosts.s-master.example
@@ -79,6 +79,9 @@ BASIC_AUTH_USER="admin"
 BASIC_AUTH_PASS="test1234"
 
 # ---------附加参数--------------------
+#是否对操作系统进行安全加固 "yes"/"no"
+OS_HARDEN="no"
+
 #默认二进制文件目录
 bin_dir="/opt/kube/bin"
 

diff --git a/os-harden.yml b/os-harden.yml
diff --git a/roles/kube-node/tasks/main.yml b/roles/kube-node/tasks/main.yml
@@ -53,19 +53,16 @@
   copy: src=/etc/kubernetes/kube-proxy.kubeconfig dest=/etc/kubernetes/kube-proxy.kubeconfig
 
 - name: 创建kube-proxy 服务文件
-  tags: reload-kube-proxy
+  tags: reload-kube-proxy, upgrade_k8s
   template: src=kube-proxy.service.j2 dest=/etc/systemd/system/kube-proxy.service
-  tags: upgrade_k8s 
 
 - name: 开机启用kube-proxy 服务
   shell: systemctl enable kube-proxy
   ignore_errors: true
 
 - name: 开启kube-proxy 服务
   shell: systemctl daemon-reload && systemctl restart kube-proxy
-  tags:
-  - reload-kube-proxy
-  - upgrade_k8s
+  tags: reload-kube-proxy, upgrade_k8s
 
 # 批准 node 节点，首先轮询等待kubelet启动完成
 - name: 轮询等待kubelet启动

diff --git a/roles/os-harden/default.yml b/roles/os-harden/default.yml
diff --git a/roles/os-harden/defaults/main.yml b/roles/os-harden/defaults/main.yml
@@ -53,7 +53,7 @@ ufw_ipt_modules: 'nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns'
 
 sysctl_config:
   # Disable IPv4 traffic forwarding. | sysctl-01
-  net.ipv4.ip_forward: 0
+  net.ipv4.ip_forward: 1
 
   # Disable IPv6 traffic forwarding. | sysctl-19
   net.ipv6.conf.all.forwarding: 0

diff --git a/roles/os-harden/tasks/main.yml b/roles/os-harden/tasks/main.yml
@@ -1,4 +1,11 @@
 ---
+- name: 缓存ansilbe setup信息
+  setup: gather_subset=all
+
+- name: apt更新缓存刷新
+  apt: update_cache=yes cache_valid_time=72000
+  when: ansible_os_family == 'Debian'
+
 - name: Set OS family dependent variables
   include_vars: '{{ ansible_os_family }}.yml'
   tags: always
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,6 +8,7 @@ @@
     - hosts: new-master
       roles:
+      - { role: os-harden, when: "OS_HARDEN is defined and OS_HARDEN == 'yes'" }
       - prepare
       - docker
       - kube-master
@@ Expand Down @@