From 58865417eb106516dd74a1ae9461f3896b70a482 Mon Sep 17 00:00:00 2001 From: Tanvir Tatla Date: Tue, 3 Oct 2023 12:21:28 -0700 Subject: [PATCH] fix tinkerbell audit config --- .../tinkerbell/config/template-cp.yaml | 24 +- ...s_bottlerocket_cert_bundles_config_cp.yaml | 5 +- ...results_bottlerocket_kernel_config_cp.yaml | 5 +- ...ed_results_bottlerocket_ntp_config_cp.yaml | 5 +- ...sults_bottlerocket_settings_config_cp.yaml | 5 +- ...rocket_upgrade_cert_bundles_config_cp.yaml | 655 ++++++++-------- ...rocket_upgrade_cert_bundles_config_md.yaml | 116 +-- ...ttlerocket_cp_minimal_registry_mirror.yaml | 5 +- ...lerocket_cp_registry_mirror_with_auth.yaml | 5 +- ...lerocket_cp_registry_mirror_with_cert.yaml | 5 +- ..._results_cluster_tinkerbell_cp_awsiam.yaml | 90 +-- ...s_cluster_tinkerbell_cp_external_etcd.yaml | 5 +- ...sults_cluster_tinkerbell_cp_full_oidc.yaml | 5 +- ...ts_cluster_tinkerbell_cp_minimal_oidc.yaml | 5 +- ...tinkerbell_cp_minimal_registry_mirror.yaml | 5 +- ...lts_cluster_tinkerbell_cp_node_labels.yaml | 5 +- ...lts_cluster_tinkerbell_cp_node_taints.yaml | 5 +- ...d_results_cluster_tinkerbell_cp_proxy.yaml | 5 +- ...nkerbell_cp_registry_mirror_with_auth.yaml | 5 +- ...nkerbell_cp_registry_mirror_with_cert.yaml | 5 +- ...lts_cluster_tinkerbell_cp_single_node.yaml | 5 +- ...ter_tinkerbell_cp_single_node_skip_lb.yaml | 5 +- ...ts_cluster_tinkerbell_cp_stacked_etcd.yaml | 5 +- ...s_cluster_tinkerbell_disable_kube_vip.yaml | 5 +- ...s_cluster_tinkerbell_missing_ssh_keys.yaml | 5 +- ...er_tinkerbell_upgrade_registry_mirror.yaml | 696 ++++++++---------- ...ted_results_tinkerbell_pod_iam_config.yaml | 90 +-- ...expected_results_ubuntu_ntp_config_cp.yaml | 5 +- 28 files changed, 804 insertions(+), 977 deletions(-) diff --git a/pkg/providers/tinkerbell/config/template-cp.yaml b/pkg/providers/tinkerbell/config/template-cp.yaml index d49cbde78520..15d38a7d8c9a 100644 --- a/pkg/providers/tinkerbell/config/template-cp.yaml 
+++ b/pkg/providers/tinkerbell/config/template-cp.yaml @@ -119,15 +119,14 @@ spec: pathType: DirectoryOrCreate readOnly: false {{- if .awsIamAuth}} - extraVolumes: - - hostPath: /var/lib/kubeadm/aws-iam-authenticator/ - mountPath: /etc/kubernetes/aws-iam-authenticator/ - name: authconfig - readOnly: false - - hostPath: /var/lib/kubeadm/aws-iam-authenticator/pki/ - mountPath: /var/aws-iam-authenticator/ - name: awsiamcert - readOnly: false + - hostPath: /var/lib/kubeadm/aws-iam-authenticator/ + mountPath: /etc/kubernetes/aws-iam-authenticator/ + name: authconfig + readOnly: false + - hostPath: /var/lib/kubeadm/aws-iam-authenticator/pki/ + mountPath: /var/aws-iam-authenticator/ + name: awsiamcert + readOnly: false {{- end}} {{- /* BottleRocket uses different host paths for kubeconfigs requiring host mount path overwrites for @@ -299,6 +298,10 @@ spec: owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml {{- end }} + - content: | +{{ .auditPolicy | indent 8 }} + owner: root:root + path: /etc/kubernetes/audit-policy.yaml {{- if .awsIamAuth}} - content: | # clusters refers to the remote service. @@ -336,9 +339,6 @@ spec: owner: root:root path: /var/lib/kubeadm/aws-iam-authenticator/pki/key.pem {{- end}} -{{ .auditPolicy | indent 8 }} - owner: root:root - path: /etc/kubernetes/audit-policy.yaml {{- if (ne .format "bottlerocket") }} {{- if .proxyConfig }} - content: | diff --git a/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_cert_bundles_config_cp.yaml b/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_cert_bundles_config_cp.yaml index f29838ed9a4b..8f15ae31ac93 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_cert_bundles_config_cp.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_cert_bundles_config_cp.yaml @@ -216,6 +216,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: 
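Review bot: The audit policy still does not become the file's content in the second template-cp.yaml hunk (`@@ -299,6 +298,10 @@`): `- content: |` starts at column 6, so the `content` key sits at column 8, and a block scalar's body must be indented deeper than that key, yet `{{ .auditPolicy | indent 8 }}` places the policy at column 8 as well. A YAML parser then reads `content` as an empty scalar and takes `apiVersion`, `kind` and `rules` as sibling keys of `owner`/`path`, which is exactly what the round-tripped fixture in expected_results_bottlerocket_upgrade_cert_bundles_config_cp.yaml (hunk `@@ -108,21 +110,267 @@`) records as `content: ""` next to `kind: Policy`; the raw-text `+ - content: |` hunks in the other expected_results files accept the same layout. As far as these fixtures show, /etc/kubernetes/audit-policy.yaml would be written with empty content, so the `--audit-policy-file` wiring this commit is meant to fix would still not carry any rules. Change the line to `{{ .auditPolicy | indent 10 }}` (assuming `.auditPolicy` carries no indentation of its own, as the fixtures suggest) and regenerate the expected_results files so the policy is nested under `content` rather than beside it. The enclosing `files:` sequence begins before the hunk.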
@@ -371,8 +372,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml users: - name: ec2-user sshAuthorizedKeys: diff --git a/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_kernel_config_cp.yaml b/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_kernel_config_cp.yaml index 23552371d57f..acd8fc750d73 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_kernel_config_cp.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_kernel_config_cp.yaml @@ -182,6 +182,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: @@ -337,8 +338,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml users: - name: ec2-user sshAuthorizedKeys: diff --git a/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_ntp_config_cp.yaml b/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_ntp_config_cp.yaml index 07013a7ecfef..3dca6a1d3de6 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_ntp_config_cp.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_ntp_config_cp.yaml @@ -156,6 +156,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: @@ -311,8 +312,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml ntp: enabled: true servers: 
diff --git a/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_settings_config_cp.yaml b/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_settings_config_cp.yaml index 8854f0aa9d2d..68fd8576e736 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_settings_config_cp.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_settings_config_cp.yaml @@ -174,6 +174,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: @@ -329,8 +330,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml users: - name: ec2-user sshAuthorizedKeys: diff --git a/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_upgrade_cert_bundles_config_cp.yaml b/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_upgrade_cert_bundles_config_cp.yaml index f29838ed9a4b..db1ce784b9e0 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_upgrade_cert_bundles_config_cp.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_upgrade_cert_bundles_config_cp.yaml @@ -8,9 +8,11 @@ metadata: spec: clusterNetwork: pods: - cidrBlocks: [192.168.0.0/16] + cidrBlocks: + - 192.168.0.0/16 services: - cidrBlocks: [10.96.0.0/12] + cidrBlocks: + - 10.96.0.0/12 controlPlaneEndpoint: host: 1.2.3.4 port: 6443 
@@ -31,20 +33,25 @@ metadata: spec: kubeadmConfigSpec: clusterConfiguration: - imageRepository: public.ecr.aws/eks-distro/kubernetes - etcd: - local: - imageRepository: public.ecr.aws/eks-distro/etcd-io - imageTag: v3.4.16-eks-1-21-4 - dns: - imageRepository: public.ecr.aws/eks-distro/coredns - imageTag: v1.8.3-eks-1-21-4 - pause: - imageRepository: public.ecr.aws/eks-distro/kubernetes/pause - imageTag: v1.21.2-eks-1-21-4 - bottlerocketBootstrap: - imageRepository: public.ecr.aws/l0g8r8j6/bottlerocket-bootstrap - imageTag: v1-21-4-eks-a-v0.0.0-dev-build.158 + apiServer: + extraArgs: + audit-log-maxage: "30" + audit-log-maxbackup: "10" + audit-log-maxsize: "512" + audit-log-path: /var/log/kubernetes/api-audit.log + audit-policy-file: /etc/kubernetes/audit-policy.yaml + feature-gates: ServiceLoadBalancerClass=true + extraVolumes: + - hostPath: /var/lib/kubeadm/audit-policy.yaml + mountPath: /etc/kubernetes/audit-policy.yaml + name: audit-policy + pathType: File + readOnly: true + - hostPath: /var/log/kubernetes + mountPath: /var/log/kubernetes + name: audit-log-dir + pathType: DirectoryOrCreate + readOnly: false bottlerocket: kubernetes: allowedUnsafeSysctls: @@ -54,9 +61,11 @@ spec: - 1.2.3.4 - 4.3.2.1 maxPods: 50 + bottlerocketBootstrap: + imageRepository: public.ecr.aws/l0g8r8j6/bottlerocket-bootstrap + imageTag: v1-21-4-eks-a-v0.0.0-dev-build.158 certBundles: - - name: "bundle1" - data: | + - data: | -----BEGIN CERTIFICATE----- MIICxjCCAa6gAwIBAgIJAInAeEdpH2uNMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV BAMTCnRlc3QubG9jYWwwHhcNMjEwOTIzMjAxOTEyWhcNMzEwOTIxMjAxOTEyWjAV 
@@ -74,26 +83,8 @@ spec: zkYl4nSFENRLV5sL/wox2ohjMLff2lv6gyqkMFrLNSeHSQLGu8diat4UVDk8MMza 9n5t2E4AHPen+YrGeLY1qEn9WMv0XRGWrgJyLW9VSX8T3SlWO2w3okcw -----END CERTIFICATE----- - - apiServer: - extraArgs: - audit-policy-file: /etc/kubernetes/audit-policy.yaml - audit-log-path: /var/log/kubernetes/api-audit.log - audit-log-maxage: "30" - audit-log-maxbackup: "10" - audit-log-maxsize: "512" - feature-gates: ServiceLoadBalancerClass=true - extraVolumes: - - hostPath: /var/lib/kubeadm/audit-policy.yaml - mountPath: /etc/kubernetes/audit-policy.yaml - name: audit-policy - pathType: File - readOnly: true - - hostPath: /var/log/kubernetes - mountPath: /var/log/kubernetes - name: audit-log-dir - pathType: DirectoryOrCreate - readOnly: false + name: bundle1 + certificatesDir: /var/lib/kubeadm/pki controllerManager: extraVolumes: - hostPath: /var/lib/kubeadm/controller-manager.conf @@ -101,6 +92,17 @@ spec: name: kubeconfig pathType: File readOnly: true + dns: + imageRepository: public.ecr.aws/eks-distro/coredns + imageTag: v1.8.3-eks-1-21-4 + etcd: + local: + imageRepository: public.ecr.aws/eks-distro/etcd-io + imageTag: v3.4.16-eks-1-21-4 + imageRepository: public.ecr.aws/eks-distro/kubernetes + pause: + imageRepository: public.ecr.aws/eks-distro/kubernetes/pause + imageTag: v1.21.2-eks-1-21-4 scheduler: extraVolumes: - hostPath: /var/lib/kubeadm/scheduler.conf 
@@ -108,21 +110,267 @@ spec: name: kubeconfig pathType: File readOnly: true - certificatesDir: /var/lib/kubeadm/pki + files: + - content: | + apiVersion: v1 + kind: Pod + metadata: + creationTimestamp: null + name: kube-vip + namespace: kube-system + spec: + containers: + - args: + - manager + env: + - name: vip_arp + value: "true" + - name: port + value: "6443" + - name: vip_cidr + value: "32" + - name: cp_enable + value: "true" + - name: cp_namespace + value: kube-system + - name: vip_ddns + value: "false" + - name: vip_leaderelection + value: "true" + - name: vip_leaseduration + value: "15" + - name: vip_renewdeadline + value: "10" + - name: vip_retryperiod + value: "2" + - name: address + value: 1.2.3.4 + image: public.ecr.aws/l0g8r8j6/kube-vip/kube-vip:v0.3.7-eks-a-v0.0.0-dev-build.581 + imagePullPolicy: IfNotPresent + name: kube-vip + resources: {} + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + volumeMounts: + - mountPath: /etc/kubernetes/admin.conf + name: kubeconfig + hostNetwork: true + volumes: + - hostPath: + path: /etc/kubernetes/admin.conf + name: kubeconfig + status: {} + owner: root:root + path: /etc/kubernetes/manifests/kube-vip.yaml + - apiVersion: audit.k8s.io/v1beta1 + content: "" + kind: Policy + owner: root:root + path: /etc/kubernetes/audit-policy.yaml + rules: + - level: RequestResponse + namespaces: + - kube-system + omitStages: + - RequestReceived + resources: + - group: "" + resourceNames: + - aws-auth + resources: + - configmaps + verbs: + - update + - patch + - delete + - level: None + resources: + - group: "" + resources: + - endpoints + - services + - services/status + users: + - system:kube-proxy + verbs: + - watch + - level: None + resources: + - group: "" + resources: + - nodes + - nodes/status + users: + - kubelet + verbs: + - get + - level: None + resources: + - group: "" + resources: + - nodes + - nodes/status + userGroups: + - system:nodes + verbs: + - get + - level: None + namespaces: + - kube-system + 
resources: + - group: "" + resources: + - endpoints + users: + - system:kube-controller-manager + - system:kube-scheduler + - system:serviceaccount:kube-system:endpoint-controller + verbs: + - get + - update + - level: None + resources: + - group: "" + resources: + - namespaces + - namespaces/status + - namespaces/finalize + users: + - system:apiserver + verbs: + - get + - level: None + resources: + - group: metrics.k8s.io + users: + - system:kube-controller-manager + verbs: + - get + - list + - level: None + nonResourceURLs: + - /healthz* + - /version + - /swagger* + - level: None + resources: + - group: "" + resources: + - events + - level: Request + omitStages: + - RequestReceived + resources: + - group: "" + resources: + - nodes/status + - pods/status + users: + - kubelet + - system:node-problem-detector + - system:serviceaccount:kube-system:node-problem-detector + verbs: + - update + - patch + - level: Request + omitStages: + - RequestReceived + resources: + - group: "" + resources: + - nodes/status + - pods/status + userGroups: + - system:nodes + verbs: + - update + - patch + - level: Request + omitStages: + - RequestReceived + users: + - system:serviceaccount:kube-system:namespace-controller + verbs: + - deletecollection + - level: Metadata + omitStages: + - RequestReceived + resources: + - group: "" + resources: + - secrets + - configmaps + - group: authentication.k8s.io + resources: + - tokenreviews + - level: Request + resources: + - group: "" + resources: + - serviceaccounts/token + - level: Request + omitStages: + - RequestReceived + resources: + - group: "" + - group: admissionregistration.k8s.io + - group: apiextensions.k8s.io + - group: apiregistration.k8s.io + - group: apps + - group: authentication.k8s.io + - group: authorization.k8s.io + - group: autoscaling + - group: batch + - group: certificates.k8s.io + - group: extensions + - group: metrics.k8s.io + - group: networking.k8s.io + - group: policy + - group: rbac.authorization.k8s.io + - group: 
scheduling.k8s.io + - group: settings.k8s.io + - group: storage.k8s.io + verbs: + - get + - list + - watch + - level: RequestResponse + omitStages: + - RequestReceived + resources: + - group: "" + - group: admissionregistration.k8s.io + - group: apiextensions.k8s.io + - group: apiregistration.k8s.io + - group: apps + - group: authentication.k8s.io + - group: authorization.k8s.io + - group: autoscaling + - group: batch + - group: certificates.k8s.io + - group: extensions + - group: metrics.k8s.io + - group: networking.k8s.io + - group: policy + - group: rbac.authorization.k8s.io + - group: scheduling.k8s.io + - group: settings.k8s.io + - group: storage.k8s.io + - level: Metadata + omitStages: + - RequestReceived + format: bottlerocket initConfiguration: nodeRegistration: kubeletExtraArgs: + anonymous-auth: "false" provider-id: PROVIDER_ID read-only-port: "0" - anonymous-auth: "false" tls-cipher-suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 joinConfiguration: - pause: - imageRepository: public.ecr.aws/eks-distro/kubernetes/pause - imageTag: v1.21.2-eks-1-21-4 - bottlerocketBootstrap: - imageRepository: public.ecr.aws/l0g8r8j6/bottlerocket-bootstrap - imageTag: v1-21-4-eks-a-v0.0.0-dev-build.158 bottlerocket: kubernetes: allowedUnsafeSysctls: @@ -132,9 +380,11 @@ spec: - 1.2.3.4 - 4.3.2.1 maxPods: 50 + bottlerocketBootstrap: + imageRepository: public.ecr.aws/l0g8r8j6/bottlerocket-bootstrap + imageTag: v1-21-4-eks-a-v0.0.0-dev-build.158 certBundles: - - name: "bundle1" - data: | + - data: | -----BEGIN CERTIFICATE----- MIICxjCCAa6gAwIBAgIJAInAeEdpH2uNMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV BAMTCnRlc3QubG9jYWwwHhcNMjEwOTIzMjAxOTEyWhcNMzEwOTIxMjAxOTEyWjAV 
@@ -152,233 +402,23 @@ spec: zkYl4nSFENRLV5sL/wox2ohjMLff2lv6gyqkMFrLNSeHSQLGu8diat4UVDk8MMza 9n5t2E4AHPen+YrGeLY1qEn9WMv0XRGWrgJyLW9VSX8T3SlWO2w3okcw -----END CERTIFICATE----- - + name: bundle1 nodeRegistration: ignorePreflightErrors: - DirAvailable--etc-kubernetes-manifests kubeletExtraArgs: + anonymous-auth: "false" provider-id: PROVIDER_ID read-only-port: "0" - anonymous-auth: "false" tls-cipher-suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - files: - - content: | - apiVersion: v1 - kind: Pod - metadata: - creationTimestamp: null - name: kube-vip - namespace: kube-system - spec: - containers: - - args: - - manager - env: - - name: vip_arp - value: "true" - - name: port - value: "6443" - - name: vip_cidr - value: "32" - - name: cp_enable - value: "true" - - name: cp_namespace - value: kube-system - - name: vip_ddns - value: "false" - - name: vip_leaderelection - value: "true" - - name: vip_leaseduration - value: "15" - - name: vip_renewdeadline - value: "10" - - name: vip_retryperiod - value: "2" - - name: address - value: 1.2.3.4 - image: public.ecr.aws/l0g8r8j6/kube-vip/kube-vip:v0.3.7-eks-a-v0.0.0-dev-build.581 - imagePullPolicy: IfNotPresent - name: kube-vip - resources: {} - securityContext: - capabilities: - add: - - NET_ADMIN - - NET_RAW - volumeMounts: - - mountPath: /etc/kubernetes/admin.conf - name: kubeconfig - hostNetwork: true - volumes: - - hostPath: - path: /etc/kubernetes/admin.conf - name: kubeconfig - status: {} - owner: root:root - path: /etc/kubernetes/manifests/kube-vip.yaml - apiVersion: audit.k8s.io/v1beta1 - kind: Policy - rules: - # Log aws-auth configmap changes - - level: RequestResponse - namespaces: ["kube-system"] - verbs: ["update", "patch", "delete"] - resources: - - group: "" # core - resources: ["configmaps"] - resourceNames: ["aws-auth"] - omitStages: - - "RequestReceived" - # The following requests were manually identified as high-volume and low-risk, - # so drop them. 
- - level: None - users: ["system:kube-proxy"] - verbs: ["watch"] - resources: - - group: "" # core - resources: ["endpoints", "services", "services/status"] - - level: None - users: ["kubelet"] # legacy kubelet identity - verbs: ["get"] - resources: - - group: "" # core - resources: ["nodes", "nodes/status"] - - level: None - userGroups: ["system:nodes"] - verbs: ["get"] - resources: - - group: "" # core - resources: ["nodes", "nodes/status"] - - level: None - users: - - system:kube-controller-manager - - system:kube-scheduler - - system:serviceaccount:kube-system:endpoint-controller - verbs: ["get", "update"] - namespaces: ["kube-system"] - resources: - - group: "" # core - resources: ["endpoints"] - - level: None - users: ["system:apiserver"] - verbs: ["get"] - resources: - - group: "" # core - resources: ["namespaces", "namespaces/status", "namespaces/finalize"] - # Don't log HPA fetching metrics. - - level: None - users: - - system:kube-controller-manager - verbs: ["get", "list"] - resources: - - group: "metrics.k8s.io" - # Don't log these read-only URLs. - - level: None - nonResourceURLs: - - /healthz* - - /version - - /swagger* - # Don't log events requests. 
- - level: None - resources: - - group: "" # core - resources: ["events"] - # node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes - - level: Request - users: ["kubelet", "system:node-problem-detector", "system:serviceaccount:kube-system:node-problem-detector"] - verbs: ["update","patch"] - resources: - - group: "" # core - resources: ["nodes/status", "pods/status"] - omitStages: - - "RequestReceived" - - level: Request - userGroups: ["system:nodes"] - verbs: ["update","patch"] - resources: - - group: "" # core - resources: ["nodes/status", "pods/status"] - omitStages: - - "RequestReceived" - # deletecollection calls can be large, don't log responses for expected namespace deletions - - level: Request - users: ["system:serviceaccount:kube-system:namespace-controller"] - verbs: ["deletecollection"] - omitStages: - - "RequestReceived" - # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data, - # so only log at the Metadata level. - - level: Metadata - resources: - - group: "" # core - resources: ["secrets", "configmaps"] - - group: authentication.k8s.io - resources: ["tokenreviews"] - omitStages: - - "RequestReceived" - - level: Request - resources: - - group: "" - resources: ["serviceaccounts/token"] - # Get repsonses can be large; skip them. 
- - level: Request - verbs: ["get", "list", "watch"] - resources: - - group: "" # core - - group: "admissionregistration.k8s.io" - - group: "apiextensions.k8s.io" - - group: "apiregistration.k8s.io" - - group: "apps" - - group: "authentication.k8s.io" - - group: "authorization.k8s.io" - - group: "autoscaling" - - group: "batch" - - group: "certificates.k8s.io" - - group: "extensions" - - group: "metrics.k8s.io" - - group: "networking.k8s.io" - - group: "policy" - - group: "rbac.authorization.k8s.io" - - group: "scheduling.k8s.io" - - group: "settings.k8s.io" - - group: "storage.k8s.io" - omitStages: - - "RequestReceived" - # Default level for known APIs - - level: RequestResponse - resources: - - group: "" # core - - group: "admissionregistration.k8s.io" - - group: "apiextensions.k8s.io" - - group: "apiregistration.k8s.io" - - group: "apps" - - group: "authentication.k8s.io" - - group: "authorization.k8s.io" - - group: "autoscaling" - - group: "batch" - - group: "certificates.k8s.io" - - group: "extensions" - - group: "metrics.k8s.io" - - group: "networking.k8s.io" - - group: "policy" - - group: "rbac.authorization.k8s.io" - - group: "scheduling.k8s.io" - - group: "settings.k8s.io" - - group: "storage.k8s.io" - omitStages: - - "RequestReceived" - # Default level for all other requests. 
- - level: Metadata - omitStages: - - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + pause: + imageRepository: public.ecr.aws/eks-distro/kubernetes/pause + imageTag: v1.21.2-eks-1-21-4 users: - name: ec2-user sshAuthorizedKeys: - - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1BK73XhIzjX+meUr7pIYh6RHbvI3tmHeQIXY5lv7aztN1UoX+bhPo3dwo2sfSQn5kuxgQdnxIZ/CTzy0p0GkEYVv3gwspCeurjmu0XmrdmaSGcGxCEWT/65NtvYrQtUE5ELxJ+N/aeZNlK2B7IWANnw/82913asXH4VksV1NYNduP0o1/G4XcwLLSyVFB078q/oEnmvdNIoS61j4/o36HVtENJgYr0idcBvwJdvcGxGnPaqOhx477t+kfJAa5n5dSA5wilIaoXH5i1Tf/HsTCM52L+iNCARvQzJYZhzbWI1MDQwzILtIBEQCJsl2XSqIupleY8CxqQ6jCXt2mhae+wPc3YmbO5rFvr2/EvC57kh3yDs1Nsuj8KOvD78KeeujbR8n8pScm3WDp62HFQ8lEKNdeRNj6kB8WnuaJvPnyZfvzOhwG65/9w13IBl7B1sWxbFnq2rMpm5uHVK7mAmjL0Tt8zoDhcE1YJEnp9xte3/pvmKPkST5Q/9ZtR9P5sI+02jY0fvPkPyC03j2gsPixG7rpOCwpOdbny4dcj0TDeeXJX8er+oVfJuLYz0pNWJcT2raDdFfcqvYA0B0IyNYlj5nWX4RuEcyT3qocLReWPnZojetvAG/H8XwOh7fEVGqHAKOVSnPXCSQJPl6s0H12jPJBDJMTydtYPEszl4/CeQ==' + - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1BK73XhIzjX+meUr7pIYh6RHbvI3tmHeQIXY5lv7aztN1UoX+bhPo3dwo2sfSQn5kuxgQdnxIZ/CTzy0p0GkEYVv3gwspCeurjmu0XmrdmaSGcGxCEWT/65NtvYrQtUE5ELxJ+N/aeZNlK2B7IWANnw/82913asXH4VksV1NYNduP0o1/G4XcwLLSyVFB078q/oEnmvdNIoS61j4/o36HVtENJgYr0idcBvwJdvcGxGnPaqOhx477t+kfJAa5n5dSA5wilIaoXH5i1Tf/HsTCM52L+iNCARvQzJYZhzbWI1MDQwzILtIBEQCJsl2XSqIupleY8CxqQ6jCXt2mhae+wPc3YmbO5rFvr2/EvC57kh3yDs1Nsuj8KOvD78KeeujbR8n8pScm3WDp62HFQ8lEKNdeRNj6kB8WnuaJvPnyZfvzOhwG65/9w13IBl7B1sWxbFnq2rMpm5uHVK7mAmjL0Tt8zoDhcE1YJEnp9xte3/pvmKPkST5Q/9ZtR9P5sI+02jY0fvPkPyC03j2gsPixG7rpOCwpOdbny4dcj0TDeeXJX8er+oVfJuLYz0pNWJcT2raDdFfcqvYA0B0IyNYlj5nWX4RuEcyT3qocLReWPnZojetvAG/H8XwOh7fEVGqHAKOVSnPXCSQJPl6s0H12jPJBDJMTydtYPEszl4/CeQ== sudo: ALL=(ALL) NOPASSWD:ALL - format: bottlerocket machineTemplate: infrastructureRef: apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 
@@ -391,91 +431,10 @@ spec: version: v1.21.2-eks-1-21-4 --- apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 -kind: TinkerbellMachineTemplate -metadata: - name: test-control-plane-template-1234567890000 - namespace: eksa-system -spec: - template: - spec: - hardwareAffinity: - required: - - labelSelector: - matchLabels: - type: cp - templateOverride: | - global_timeout: 6000 - id: "" - name: test - tasks: - - actions: - - environment: - COMPRESSED: "true" - DEST_DISK: '{{ index .Hardware.Disks 0 }}' - IMG_URL: https://bottlerocket.gz - image: "" - name: stream-image - timeout: 600 - - environment: - BOOTCONFIG_CONTENTS: kernel {} - DEST_DISK: '{{ formatPartition ( index .Hardware.Disks 0 ) 12 }}' - DEST_PATH: /bootconfig.data - DIRMODE: "0700" - FS_TYPE: ext4 - GID: "0" - MODE: "0644" - UID: "0" - image: "" - name: write-bootconfig - pid: host - timeout: 90 - - environment: - DEST_DISK: '{{ formatPartition ( index .Hardware.Disks 0 ) 12 }}' - DEST_PATH: /user-data.toml - DIRMODE: "0700" - FS_TYPE: ext4 - GID: "0" - HEGEL_URLS: http://5.6.7.8:50061,http://5.6.7.8:50061 - MODE: "0644" - UID: "0" - image: "" - name: write-user-data - pid: host - timeout: 90 - - environment: - DEST_DISK: '{{ formatPartition ( index .Hardware.Disks 0 ) 12 }}' - DEST_PATH: /net.toml - DIRMODE: "0755" - FS_TYPE: ext4 - GID: "0" - IFNAME: eno1 - MODE: "0644" - STATIC_BOTTLEROCKET: "true" - UID: "0" - image: "" - name: write-netplan - pid: host - timeout: 90 - - image: "" - name: reboot-image - pid: host - timeout: 90 - volumes: - - /worker:/worker - name: test - volumes: - - /dev:/dev - - /dev/console:/dev/console - - /lib/firmware:/lib/firmware:ro - worker: '{{.device_1}}' - version: "0.1" - ---- -apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 kind: TinkerbellCluster metadata: - name: test + name: test namespace: eksa-system spec: - imageLookupFormat: --kube-v1.21.2-eks-1-21-4.raw.gz - imageLookupBaseRegistry: / \ No newline at end of file + imageLookupBaseRegistry: / + 
imageLookupFormat: --kube-v1.21.2-eks-1-21-4.raw.gz \ No newline at end of file diff --git a/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_upgrade_cert_bundles_config_md.yaml b/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_upgrade_cert_bundles_config_md.yaml index f51cd13f294d..119f9599d9f3 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_upgrade_cert_bundles_config_md.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_bottlerocket_upgrade_cert_bundles_config_md.yaml @@ -11,6 +11,10 @@ spec: replicas: 1 selector: matchLabels: {} + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 template: metadata: labels: 
@@ -28,91 +32,6 @@ spec: kind: TinkerbellMachineTemplate name: test-md-0-1234567890000 version: v1.21.2-eks-1-21-4 - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 ---- -apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 -kind: TinkerbellMachineTemplate -metadata: - name: test-md-0-1234567890000 - namespace: eksa-system -spec: - template: - spec: - hardwareAffinity: - required: - - labelSelector: - matchLabels: - type: worker - templateOverride: | - global_timeout: 6000 - id: "" - name: test - tasks: - - actions: - - environment: - COMPRESSED: "true" - DEST_DISK: '{{ index .Hardware.Disks 0 }}' - IMG_URL: https://bottlerocket.gz - image: "" - name: stream-image - timeout: 600 - - environment: - BOOTCONFIG_CONTENTS: kernel {} - DEST_DISK: '{{ formatPartition ( index .Hardware.Disks 0 ) 12 }}' - DEST_PATH: /bootconfig.data - DIRMODE: "0700" - FS_TYPE: ext4 - GID: "0" - MODE: "0644" - UID: "0" - image: "" - name: write-bootconfig - pid: host - timeout: 90 - - environment: - DEST_DISK: '{{ formatPartition ( index .Hardware.Disks 0 ) 12 }}' - DEST_PATH: /user-data.toml - DIRMODE: "0700" - FS_TYPE: ext4 - GID: "0" - HEGEL_URLS: http://5.6.7.8:50061,http://5.6.7.8:50061 - MODE: "0644" - UID: "0" - image: "" - name: write-user-data - pid: host - timeout: 90 - - environment: - DEST_DISK: '{{ formatPartition ( index .Hardware.Disks 0 ) 12 }}' - DEST_PATH: /net.toml - DIRMODE: "0755" - FS_TYPE: ext4 - GID: "0" - IFNAME: eno1 - MODE: "0644" - STATIC_BOTTLEROCKET: "true" - UID: "0" - image: "" - name: write-netplan - pid: host - timeout: 90 - - image: "" - name: reboot-image - pid: host - timeout: 90 - volumes: - - /worker:/worker - name: test - volumes: - - /dev:/dev - - /dev/console:/dev/console - - /lib/firmware:/lib/firmware:ro - worker: '{{.device_1}}' - version: "0.1" - --- apiVersion: bootstrap.cluster.x-k8s.io/v1beta1 kind: KubeadmConfigTemplate 
@@ -122,13 +41,8 @@ metadata: spec: template: spec: + format: bottlerocket joinConfiguration: - pause: - imageRepository: public.ecr.aws/eks-distro/kubernetes/pause - imageTag: v1.21.2-eks-1-21-4 - bottlerocketBootstrap: - imageRepository: public.ecr.aws/l0g8r8j6/bottlerocket-bootstrap - imageTag: v1-21-4-eks-a-v0.0.0-dev-build.158 bottlerocket: kubernetes: allowedUnsafeSysctls: @@ -138,9 +52,11 @@ spec: - 1.2.3.4 - 4.3.2.1 maxPods: 50 + bottlerocketBootstrap: + imageRepository: public.ecr.aws/l0g8r8j6/bottlerocket-bootstrap + imageTag: v1-21-4-eks-a-v0.0.0-dev-build.158 certBundles: - - name: "bundle1" - data: | + - data: | -----BEGIN CERTIFICATE----- MIICxjCCAa6gAwIBAgIJAInAeEdpH2uNMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV BAMTCnRlc3QubG9jYWwwHhcNMjEwOTIzMjAxOTEyWhcNMzEwOTIxMjAxOTEyWjAV 
@@ -158,18 +74,18 @@ spec: zkYl4nSFENRLV5sL/wox2ohjMLff2lv6gyqkMFrLNSeHSQLGu8diat4UVDk8MMza 9n5t2E4AHPen+YrGeLY1qEn9WMv0XRGWrgJyLW9VSX8T3SlWO2w3okcw -----END CERTIFICATE----- - + name: bundle1 nodeRegistration: kubeletExtraArgs: + anonymous-auth: "false" provider-id: PROVIDER_ID read-only-port: "0" - anonymous-auth: "false" tls-cipher-suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + pause: + imageRepository: public.ecr.aws/eks-distro/kubernetes/pause + imageTag: v1.21.2-eks-1-21-4 users: - name: ec2-user sshAuthorizedKeys: - - 'ssh-rsa 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' - sudo: ALL=(ALL) NOPASSWD:ALL - format: bottlerocket - ---- + - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1BK73XhIzjX+meUr7pIYh6RHbvI3tmHeQIXY5lv7aztN1UoX+bhPo3dwo2sfSQn5kuxgQdnxIZ/CTzy0p0GkEYVv3gwspCeurjmu0XmrdmaSGcGxCEWT/65NtvYrQtUE5ELxJ+N/aeZNlK2B7IWANnw/82913asXH4VksV1NYNduP0o1/G4XcwLLSyVFB078q/oEnmvdNIoS61j4/o36HVtENJgYr0idcBvwJdvcGxGnPaqOhx477t+kfJAa5n5dSA5wilIaoXH5i1Tf/HsTCM52L+iNCARvQzJYZhzbWI1MDQwzILtIBEQCJsl2XSqIupleY8CxqQ6jCXt2mhae+wPc3YmbO5rFvr2/EvC57kh3yDs1Nsuj8KOvD78KeeujbR8n8pScm3WDp62HFQ8lEKNdeRNj6kB8WnuaJvPnyZfvzOhwG65/9w13IBl7B1sWxbFnq2rMpm5uHVK7mAmjL0Tt8zoDhcE1YJEnp9xte3/pvmKPkST5Q/9ZtR9P5sI+02jY0fvPkPyC03j2gsPixG7rpOCwpOdbny4dcj0TDeeXJX8er+oVfJuLYz0pNWJcT2raDdFfcqvYA0B0IyNYlj5nWX4RuEcyT3qocLReWPnZojetvAG/H8XwOh7fEVGqHAKOVSnPXCSQJPl6s0H12jPJBDJMTydtYPEszl4/CeQ== + sudo: ALL=(ALL) NOPASSWD:ALL \ No newline at end of file diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_bottlerocket_cp_minimal_registry_mirror.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_bottlerocket_cp_minimal_registry_mirror.yaml index 195bc97b3a3b..e6bff99cff2c 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_bottlerocket_cp_minimal_registry_mirror.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_bottlerocket_cp_minimal_registry_mirror.yaml 
@@ -160,6 +160,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: @@ -315,8 +316,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml users: - name: tink-user sshAuthorizedKeys: diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_bottlerocket_cp_registry_mirror_with_auth.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_bottlerocket_cp_registry_mirror_with_auth.yaml index ece8eaad6ea9..b175b73a6e20 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_bottlerocket_cp_registry_mirror_with_auth.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_bottlerocket_cp_registry_mirror_with_auth.yaml @@ -196,6 +196,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: @@ -351,8 +352,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml users: - name: tink-user sshAuthorizedKeys: diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_bottlerocket_cp_registry_mirror_with_cert.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_bottlerocket_cp_registry_mirror_with_cert.yaml index b5a6506314a8..ae456fc8f9fa 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_bottlerocket_cp_registry_mirror_with_cert.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_bottlerocket_cp_registry_mirror_with_cert.yaml 
@@ -196,6 +196,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: @@ -351,8 +352,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml users: - name: tink-user sshAuthorizedKeys: diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_awsiam.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_awsiam.yaml index 1d3b959951fc..907a41a9bbb0 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_awsiam.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_awsiam.yaml @@ -59,15 +59,14 @@ spec: name: audit-log-dir pathType: DirectoryOrCreate readOnly: false - extraVolumes: - - hostPath: /var/lib/kubeadm/aws-iam-authenticator/ - mountPath: /etc/kubernetes/aws-iam-authenticator/ - name: authconfig - readOnly: false - - hostPath: /var/lib/kubeadm/aws-iam-authenticator/pki/ - mountPath: /var/aws-iam-authenticator/ - name: awsiamcert - readOnly: false + - hostPath: /var/lib/kubeadm/aws-iam-authenticator/ + mountPath: /etc/kubernetes/aws-iam-authenticator/ + name: authconfig + readOnly: false + - hostPath: /var/lib/kubeadm/aws-iam-authenticator/pki/ + mountPath: /var/aws-iam-authenticator/ + name: awsiamcert + readOnly: false initConfiguration: nodeRegistration: kubeletExtraArgs: 
@@ -140,40 +139,6 @@ spec: owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml - content: | - # clusters refers to the remote service. - clusters: - - name: aws-iam-authenticator - cluster: - certificate-authority: /var/aws-iam-authenticator/cert.pem - server: https://localhost:21362/authenticate - # users refers to the API Server's webhook configuration - # (we don't need to authenticate the API server). - users: - - name: apiserver - # kubeconfig files require a context. Provide one for the API Server. - current-context: webhook - contexts: - - name: webhook - context: - cluster: aws-iam-authenticator - user: apiserver - permissions: "0640" - owner: root:root - path: /var/lib/kubeadm/aws-iam-authenticator/kubeconfig.yaml - - contentFrom: - secret: - name: test-aws-iam-authenticator-ca - key: cert.pem - permissions: "0640" - owner: root:root - path: /var/lib/kubeadm/aws-iam-authenticator/pki/cert.pem - - contentFrom: - secret: - name: test-aws-iam-authenticator-ca - key: key.pem - permissions: "0640" - owner: root:root - path: /var/lib/kubeadm/aws-iam-authenticator/pki/key.pem apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: 
@@ -329,8 +294,43 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml + - content: | + # clusters refers to the remote service. + clusters: + - name: aws-iam-authenticator + cluster: + certificate-authority: /var/aws-iam-authenticator/cert.pem + server: https://localhost:21362/authenticate + # users refers to the API Server's webhook configuration + # (we don't need to authenticate the API server). + users: + - name: apiserver + # kubeconfig files require a context. Provide one for the API Server. + current-context: webhook + contexts: + - name: webhook + context: + cluster: aws-iam-authenticator + user: apiserver + permissions: "0640" + owner: root:root + path: /var/lib/kubeadm/aws-iam-authenticator/kubeconfig.yaml + - contentFrom: + secret: + name: test-aws-iam-authenticator-ca + key: cert.pem + permissions: "0640" + owner: root:root + path: /var/lib/kubeadm/aws-iam-authenticator/pki/cert.pem + - contentFrom: + secret: + name: test-aws-iam-authenticator-ca + key: key.pem + permissions: "0640" + owner: root:root + path: /var/lib/kubeadm/aws-iam-authenticator/pki/key.pem users: - name: tink-user sshAuthorizedKeys: diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_external_etcd.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_external_etcd.yaml index be2ebb4a0833..3b1c0b2c6c73 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_external_etcd.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_external_etcd.yaml @@ -129,6 +129,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: 
@@ -284,8 +285,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml users: - name: tink-user sshAuthorizedKeys: diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_full_oidc.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_full_oidc.yaml index 44e3bfdfed9e..8e1777353dd7 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_full_oidc.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_full_oidc.yaml @@ -136,6 +136,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: @@ -291,8 +292,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml users: - name: tink-user sshAuthorizedKeys: diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_minimal_oidc.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_minimal_oidc.yaml index 4eaeaf3449c6..16b1fd546433 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_minimal_oidc.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_minimal_oidc.yaml @@ -131,6 +131,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: @@ -286,8 +287,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml users: - name: tink-user sshAuthorizedKeys: 
diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_minimal_registry_mirror.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_minimal_registry_mirror.yaml index a09fbed51478..4580fb0c76f4 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_minimal_registry_mirror.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_minimal_registry_mirror.yaml @@ -129,6 +129,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: @@ -284,8 +285,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml - content: | [plugins."io.containerd.grpc.v1.cri".registry.mirrors] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."public.ecr.aws"] diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_node_labels.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_node_labels.yaml index 117cc4bb8240..b8c915ece1e0 100755 --- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_node_labels.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_node_labels.yaml @@ -131,6 +131,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: @@ -286,8 +287,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml users: - name: tink-user sshAuthorizedKeys: 
diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_node_taints.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_node_taints.yaml index c8f0503bfdec..488458be559d 100755 --- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_node_taints.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_node_taints.yaml @@ -149,6 +149,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: @@ -304,8 +305,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml users: - name: tink-user sshAuthorizedKeys: diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_proxy.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_proxy.yaml index b0c86d5b2389..53546051c78d 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_proxy.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_proxy.yaml @@ -129,6 +129,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: @@ -284,8 +285,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml - content: | [Service] Environment="HTTP_PROXY=1.1.1.1:8080" diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_registry_mirror_with_auth.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_registry_mirror_with_auth.yaml index c07c6b4114b4..f017363d01ce 100644 
--- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_registry_mirror_with_auth.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_registry_mirror_with_auth.yaml @@ -129,6 +129,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: @@ -284,8 +285,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml - content: | -----BEGIN CERTIFICATE----- MIICxjCCAa6gAwIBAgIJAInAeEdpH2uNMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_registry_mirror_with_cert.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_registry_mirror_with_cert.yaml index 8cd5edba398d..c8c269d68735 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_registry_mirror_with_cert.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_registry_mirror_with_cert.yaml @@ -129,6 +129,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: @@ -284,8 +285,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml - content: | -----BEGIN CERTIFICATE----- MIICxjCCAa6gAwIBAgIJAInAeEdpH2uNMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_single_node.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_single_node.yaml index 6326fd684e10..c998b0e50e76 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_single_node.yaml 
+++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_single_node.yaml @@ -137,6 +137,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: @@ -292,8 +293,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml users: - name: tink-user sshAuthorizedKeys: diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_single_node_skip_lb.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_single_node_skip_lb.yaml index 4065da0f40ce..df9167b3021c 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_single_node_skip_lb.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_single_node_skip_lb.yaml @@ -131,6 +131,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: @@ -286,8 +287,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml users: - name: tink-user sshAuthorizedKeys: diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_stacked_etcd.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_stacked_etcd.yaml index be2ebb4a0833..3b1c0b2c6c73 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_stacked_etcd.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_cp_stacked_etcd.yaml @@ -129,6 +129,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: 
@@ -284,8 +285,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml users: - name: tink-user sshAuthorizedKeys: diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_disable_kube_vip.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_disable_kube_vip.yaml index d4e44a1c900c..d8ce916a0231 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_disable_kube_vip.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_disable_kube_vip.yaml @@ -77,6 +77,7 @@ spec: tls-cipher-suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 taints: [] files: + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: @@ -232,8 +233,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml users: - name: tink-user sshAuthorizedKeys: diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_missing_ssh_keys.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_missing_ssh_keys.yaml index be2ebb4a0833..3b1c0b2c6c73 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_missing_ssh_keys.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_missing_ssh_keys.yaml @@ -129,6 +129,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: @@ -284,8 +285,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml users: - name: tink-user sshAuthorizedKeys: 
diff --git a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_upgrade_registry_mirror.yaml b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_upgrade_registry_mirror.yaml index 739bb4de88ea..985e4a07b467 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_upgrade_registry_mirror.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_cluster_tinkerbell_upgrade_registry_mirror.yaml @@ -8,9 +8,11 @@ metadata: spec: clusterNetwork: pods: - cidrBlocks: [192.168.0.0/16] + cidrBlocks: + - 192.168.0.0/16 services: - cidrBlocks: [10.96.0.0/12] + cidrBlocks: + - 10.96.0.0/12 controlPlaneEndpoint: host: 1.2.3.4 port: 6443 @@ -31,21 +33,13 @@ metadata: spec: kubeadmConfigSpec: clusterConfiguration: - imageRepository: public.ecr.aws/eks-distro/kubernetes - etcd: - local: - imageRepository: public.ecr.aws/eks-distro/etcd-io - imageTag: v3.4.16-eks-1-21-4 - dns: - imageRepository: public.ecr.aws/eks-distro/coredns - imageTag: v1.8.3-eks-1-21-4 apiServer: extraArgs: - audit-policy-file: /etc/kubernetes/audit-policy.yaml - audit-log-path: /var/log/kubernetes/api-audit.log audit-log-maxage: "30" audit-log-maxbackup: "10" audit-log-maxsize: "512" + audit-log-path: /var/log/kubernetes/api-audit.log + audit-policy-file: /etc/kubernetes/audit-policy.yaml feature-gates: ServiceLoadBalancerClass=true extraVolumes: - hostPath: /etc/kubernetes/audit-policy.yaml 
@@ -58,276 +52,325 @@ spec: name: audit-log-dir pathType: DirectoryOrCreate readOnly: false - initConfiguration: - nodeRegistration: - kubeletExtraArgs: - provider-id: PROVIDER_ID - read-only-port: "0" - anonymous-auth: "false" - tls-cipher-suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - joinConfiguration: - nodeRegistration: - ignorePreflightErrors: - - DirAvailable--etc-kubernetes-manifests - kubeletExtraArgs: - provider-id: PROVIDER_ID - read-only-port: "0" - anonymous-auth: "false" - tls-cipher-suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + dns: + imageRepository: public.ecr.aws/eks-distro/coredns + imageTag: v1.8.3-eks-1-21-4 + etcd: + local: + imageRepository: public.ecr.aws/eks-distro/etcd-io + imageTag: v3.4.16-eks-1-21-4 + imageRepository: public.ecr.aws/eks-distro/kubernetes files: - - content: | - apiVersion: v1 - kind: Pod - metadata: - creationTimestamp: null + - content: | + apiVersion: v1 + kind: Pod + metadata: + creationTimestamp: null + name: kube-vip + namespace: kube-system + spec: + containers: + - args: + - manager + env: + - name: vip_arp + value: "true" + - name: port + value: "6443" + - name: vip_cidr + value: "32" + - name: cp_enable + value: "true" + - name: cp_namespace + value: kube-system + - name: vip_ddns + value: "false" + - name: vip_leaderelection + value: "true" + - name: vip_leaseduration + value: "15" + - name: vip_renewdeadline + value: "10" + - name: vip_retryperiod + value: "2" + - name: address + value: 1.2.3.4 + image: public.ecr.aws/l0g8r8j6/kube-vip/kube-vip:v0.3.7-eks-a-v0.0.0-dev-build.581 + imagePullPolicy: IfNotPresent name: kube-vip - namespace: kube-system - spec: - containers: - - args: - - manager - env: - - name: vip_arp - value: "true" - - name: port - value: "6443" - - name: vip_cidr - value: "32" - - name: cp_enable - value: "true" - - name: cp_namespace - value: kube-system - - name: vip_ddns - value: "false" - - name: vip_leaderelection - value: "true" - - name: vip_leaseduration - value: "15" - - name: 
vip_renewdeadline - value: "10" - - name: vip_retryperiod - value: "2" - - name: address - value: 1.2.3.4 - image: public.ecr.aws/l0g8r8j6/kube-vip/kube-vip:v0.3.7-eks-a-v0.0.0-dev-build.581 - imagePullPolicy: IfNotPresent - name: kube-vip - resources: {} - securityContext: - capabilities: - add: - - NET_ADMIN - - NET_RAW - volumeMounts: - - mountPath: /etc/kubernetes/admin.conf - name: kubeconfig - hostNetwork: true - volumes: - - hostPath: - path: /etc/kubernetes/admin.conf + resources: {} + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + volumeMounts: + - mountPath: /etc/kubernetes/admin.conf name: kubeconfig - status: {} - owner: root:root - path: /etc/kubernetes/manifests/kube-vip.yaml - apiVersion: audit.k8s.io/v1beta1 - kind: Policy - rules: - # Log aws-auth configmap changes - - level: RequestResponse - namespaces: ["kube-system"] - verbs: ["update", "patch", "delete"] - resources: - - group: "" # core - resources: ["configmaps"] - resourceNames: ["aws-auth"] - omitStages: - - "RequestReceived" - # The following requests were manually identified as high-volume and low-risk, - # so drop them. 
- - level: None - users: ["system:kube-proxy"] - verbs: ["watch"] - resources: - - group: "" # core - resources: ["endpoints", "services", "services/status"] - - level: None - users: ["kubelet"] # legacy kubelet identity - verbs: ["get"] + hostNetwork: true + volumes: + - hostPath: + path: /etc/kubernetes/admin.conf + name: kubeconfig + status: {} + owner: root:root + path: /etc/kubernetes/manifests/kube-vip.yaml + - apiVersion: audit.k8s.io/v1beta1 + content: "" + kind: Policy + owner: root:root + path: /etc/kubernetes/audit-policy.yaml + rules: + - level: RequestResponse + namespaces: + - kube-system + omitStages: + - RequestReceived + resources: + - group: "" + resourceNames: + - aws-auth resources: - - group: "" # core - resources: ["nodes", "nodes/status"] - - level: None - userGroups: ["system:nodes"] - verbs: ["get"] + - configmaps + verbs: + - update + - patch + - delete + - level: None + resources: + - group: "" resources: - - group: "" # core - resources: ["nodes", "nodes/status"] - - level: None - users: - - system:kube-controller-manager - - system:kube-scheduler - - system:serviceaccount:kube-system:endpoint-controller - verbs: ["get", "update"] - namespaces: ["kube-system"] + - endpoints + - services + - services/status + users: + - system:kube-proxy + verbs: + - watch + - level: None + resources: + - group: "" resources: - - group: "" # core - resources: ["endpoints"] - - level: None - users: ["system:apiserver"] - verbs: ["get"] + - nodes + - nodes/status + users: + - kubelet + verbs: + - get + - level: None + resources: + - group: "" resources: - - group: "" # core - resources: ["namespaces", "namespaces/status", "namespaces/finalize"] - # Don't log HPA fetching metrics. 
- - level: None - users: - - system:kube-controller-manager - verbs: ["get", "list"] + - nodes + - nodes/status + userGroups: + - system:nodes + verbs: + - get + - level: None + namespaces: + - kube-system + resources: + - group: "" resources: - - group: "metrics.k8s.io" - # Don't log these read-only URLs. - - level: None - nonResourceURLs: - - /healthz* - - /version - - /swagger* - # Don't log events requests. - - level: None + - endpoints + users: + - system:kube-controller-manager + - system:kube-scheduler + - system:serviceaccount:kube-system:endpoint-controller + verbs: + - get + - update + - level: None + resources: + - group: "" resources: - - group: "" # core - resources: ["events"] - # node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes - - level: Request - users: ["kubelet", "system:node-problem-detector", "system:serviceaccount:kube-system:node-problem-detector"] - verbs: ["update","patch"] + - namespaces + - namespaces/status + - namespaces/finalize + users: + - system:apiserver + verbs: + - get + - level: None + resources: + - group: metrics.k8s.io + users: + - system:kube-controller-manager + verbs: + - get + - list + - level: None + nonResourceURLs: + - /healthz* + - /version + - /swagger* + - level: None + resources: + - group: "" resources: - - group: "" # core - resources: ["nodes/status", "pods/status"] - omitStages: - - "RequestReceived" - - level: Request - userGroups: ["system:nodes"] - verbs: ["update","patch"] + - events + - level: Request + omitStages: + - RequestReceived + resources: + - group: "" resources: - - group: "" # core - resources: ["nodes/status", "pods/status"] - omitStages: - - "RequestReceived" - # deletecollection calls can be large, don't log responses for expected namespace deletions - - level: Request - users: ["system:serviceaccount:kube-system:namespace-controller"] - verbs: ["deletecollection"] - omitStages: - - "RequestReceived" - # Secrets, 
ConfigMaps, and TokenReviews can contain sensitive & binary data, - # so only log at the Metadata level. - - level: Metadata + - nodes/status + - pods/status + users: + - kubelet + - system:node-problem-detector + - system:serviceaccount:kube-system:node-problem-detector + verbs: + - update + - patch + - level: Request + omitStages: + - RequestReceived + resources: + - group: "" resources: - - group: "" # core - resources: ["secrets", "configmaps"] - - group: authentication.k8s.io - resources: ["tokenreviews"] - omitStages: - - "RequestReceived" - - level: Request + - nodes/status + - pods/status + userGroups: + - system:nodes + verbs: + - update + - patch + - level: Request + omitStages: + - RequestReceived + users: + - system:serviceaccount:kube-system:namespace-controller + verbs: + - deletecollection + - level: Metadata + omitStages: + - RequestReceived + resources: + - group: "" resources: - - group: "" - resources: ["serviceaccounts/token"] - # Get repsonses can be large; skip them. 
- - level: Request - verbs: ["get", "list", "watch"] + - secrets + - configmaps + - group: authentication.k8s.io resources: - - group: "" # core - - group: "admissionregistration.k8s.io" - - group: "apiextensions.k8s.io" - - group: "apiregistration.k8s.io" - - group: "apps" - - group: "authentication.k8s.io" - - group: "authorization.k8s.io" - - group: "autoscaling" - - group: "batch" - - group: "certificates.k8s.io" - - group: "extensions" - - group: "metrics.k8s.io" - - group: "networking.k8s.io" - - group: "policy" - - group: "rbac.authorization.k8s.io" - - group: "scheduling.k8s.io" - - group: "settings.k8s.io" - - group: "storage.k8s.io" - omitStages: - - "RequestReceived" - # Default level for known APIs - - level: RequestResponse + - tokenreviews + - level: Request + resources: + - group: "" resources: - - group: "" # core - - group: "admissionregistration.k8s.io" - - group: "apiextensions.k8s.io" - - group: "apiregistration.k8s.io" - - group: "apps" - - group: "authentication.k8s.io" - - group: "authorization.k8s.io" - - group: "autoscaling" - - group: "batch" - - group: "certificates.k8s.io" - - group: "extensions" - - group: "metrics.k8s.io" - - group: "networking.k8s.io" - - group: "policy" - - group: "rbac.authorization.k8s.io" - - group: "scheduling.k8s.io" - - group: "settings.k8s.io" - - group: "storage.k8s.io" - omitStages: - - "RequestReceived" - # Default level for all other requests. 
- - level: Metadata - omitStages: - - "RequestReceived" + - serviceaccounts/token + - level: Request + omitStages: + - RequestReceived + resources: + - group: "" + - group: admissionregistration.k8s.io + - group: apiextensions.k8s.io + - group: apiregistration.k8s.io + - group: apps + - group: authentication.k8s.io + - group: authorization.k8s.io + - group: autoscaling + - group: batch + - group: certificates.k8s.io + - group: extensions + - group: metrics.k8s.io + - group: networking.k8s.io + - group: policy + - group: rbac.authorization.k8s.io + - group: scheduling.k8s.io + - group: settings.k8s.io + - group: storage.k8s.io + verbs: + - get + - list + - watch + - level: RequestResponse + omitStages: + - RequestReceived + resources: + - group: "" + - group: admissionregistration.k8s.io + - group: apiextensions.k8s.io + - group: apiregistration.k8s.io + - group: apps + - group: authentication.k8s.io + - group: authorization.k8s.io + - group: autoscaling + - group: batch + - group: certificates.k8s.io + - group: extensions + - group: metrics.k8s.io + - group: networking.k8s.io + - group: policy + - group: rbac.authorization.k8s.io + - group: scheduling.k8s.io + - group: settings.k8s.io + - group: storage.k8s.io + - level: Metadata + omitStages: + - RequestReceived + - content: | + -----BEGIN CERTIFICATE----- + MIIFazCCA1OgAwIBAgIUfl/C7qHZYuHYr3opbz3mPpIDN70wDQYJKoZIhvcNAQEN + BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM + GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMzAyMTAxODQ3MDBaFw0zMzAy + MDcxODQ3MDBaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw + HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIiMA0GCSqGSIb3DQEB + AQUAA4ICDwAwggIKAoICAQCv2KnI1vaBrB/a5Bmj6iLzvQW/9/SYOg8bfbOcTZxv + CMqgdd3wV3aIQuH8oqnoBQyBqwzr+uK2ZIjRzcM86uj/laF3JvQKUpHOiWXYSoKt + jKdWwKdifRoZMlkgLB+2diOZV3yWoLZHL3+zc6GNex5GVguaItAJec/UoEfvt0+W + g/IhXiAYIWGJ9N7al3GSgk5BeAWI3x6fuknWCnR57I+DcS3/RO4sxKs9LkGADVIv + ooMe93QREbQHOggConVYAMMtfzFneFxUfWWWqI56KmK79B14T5vxLtbi991ekkAB 
+ z+vKwyDb1LjbuLaPBGIoDJMlp9YI6JRSwwArOF6x3pD6LsuBFaaEUpJJkWvksiss + 0jR+5SGusSS6WS7s0nloUDYK7t+FctP3YptacqeqjzMVv4hvDp3dGHg24Zlbt8zu + 60u/qOQn11jMIzjgOYnW9JUv1JG/zZuEl9vEjs/HCKiR2uO04+lrukhc7db+EIwo + KXeVf2I+naamY3AnoFYhAZnMBWrypXcNzImDX86y/0TXpGNOZFItswCX521V8ieg + O9iMa0DyU4Yp9wwIeLC+0nSMoqeVU5Fn7EnfZHJanQXfGWr5uMC2P550KXRPgCQC + A3+odFvAFdKZoNHFYzgi7/BPFOGZw0GxxWF0YxXxNf1EiLEfiQ2C+YMCmOxs1PPz + 8wIDAQABo1MwUTAdBgNVHQ4EFgQUipekkfoVz0LjVDSIyOqu7r0uGvEwHwYDVR0j + BBgwFoAUipekkfoVz0LjVDSIyOqu7r0uGvEwDwYDVR0TAQH/BAUwAwEB/zANBgkq + hkiG9w0BAQ0FAAOCAgEAF91YWO96Lg5h5nQ0woaB8Uylm/e9fCdyMLVp6HK+3AFF + 4cSB1sGF9G9PGS07+mrcwnXIgWfuGU17zevvntJxdpdWUYPiB3EtiLH4wZnRYABi + feyCtijKSvWx1GmH6HZlgzDTVx4aqv2PCzXuus2KQbcfuL1pkVFfinnIYrGcZxLB + TZiCU4iSwisglnfqW6Essw8SHbFMFLHmut/AUrMb0Ahrr8kM4twd1wdbiKy4jpdJ + pdbZsyU/EbS7pDJkrGmPzCp3yxKLITxhfcWE1HzRq+BDj0cIcTf920Jlfj/l2ICp + 7soNTmY8kLd22DXtuZfZK4kZZOOV+QWRbmadoOVzH+trVyKYZAeIQSo+b37OZVbG + ZXlNX36vpxayQ73yCxruZRwlgwmSOiUb22jm+cikCDB7wmpv+NeoNpUIpg4fWQz8 + I0tKc6C7tH2uZOLlTAbkzYS3VhNPT1H8Urca975M6f+wJ0Fp9H6Pi9SIaqete30O + w5VG8UuvlEGJkaRTjQj0569ryI9/ZV6ZIOkKur+YnEe+WFlbz8Ug8HXUbJSRCCpd + alCTC496sz6aunLK2E9a2umPUET5JaUUUEYPGZxLstlhDa5HaKw2fZf0EwJMIDVt + Q+cf3YL9/F7OtkMO1sJjCRu8cNOF2S1NaNBIGGeqWR66MCs2dA4UvZtXIzssJaE= + -----END CERTIFICATE----- owner: root:root - path: /etc/kubernetes/audit-policy.yaml - - content: | - -----BEGIN CERTIFICATE----- - MIIFazCCA1OgAwIBAgIUfl/C7qHZYuHYr3opbz3mPpIDN70wDQYJKoZIhvcNAQEN - BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM - GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMzAyMTAxODQ3MDBaFw0zMzAy - MDcxODQ3MDBaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw - HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIiMA0GCSqGSIb3DQEB - AQUAA4ICDwAwggIKAoICAQCv2KnI1vaBrB/a5Bmj6iLzvQW/9/SYOg8bfbOcTZxv - CMqgdd3wV3aIQuH8oqnoBQyBqwzr+uK2ZIjRzcM86uj/laF3JvQKUpHOiWXYSoKt - jKdWwKdifRoZMlkgLB+2diOZV3yWoLZHL3+zc6GNex5GVguaItAJec/UoEfvt0+W - 
g/IhXiAYIWGJ9N7al3GSgk5BeAWI3x6fuknWCnR57I+DcS3/RO4sxKs9LkGADVIv - ooMe93QREbQHOggConVYAMMtfzFneFxUfWWWqI56KmK79B14T5vxLtbi991ekkAB - z+vKwyDb1LjbuLaPBGIoDJMlp9YI6JRSwwArOF6x3pD6LsuBFaaEUpJJkWvksiss - 0jR+5SGusSS6WS7s0nloUDYK7t+FctP3YptacqeqjzMVv4hvDp3dGHg24Zlbt8zu - 60u/qOQn11jMIzjgOYnW9JUv1JG/zZuEl9vEjs/HCKiR2uO04+lrukhc7db+EIwo - KXeVf2I+naamY3AnoFYhAZnMBWrypXcNzImDX86y/0TXpGNOZFItswCX521V8ieg - O9iMa0DyU4Yp9wwIeLC+0nSMoqeVU5Fn7EnfZHJanQXfGWr5uMC2P550KXRPgCQC - A3+odFvAFdKZoNHFYzgi7/BPFOGZw0GxxWF0YxXxNf1EiLEfiQ2C+YMCmOxs1PPz - 8wIDAQABo1MwUTAdBgNVHQ4EFgQUipekkfoVz0LjVDSIyOqu7r0uGvEwHwYDVR0j - BBgwFoAUipekkfoVz0LjVDSIyOqu7r0uGvEwDwYDVR0TAQH/BAUwAwEB/zANBgkq - hkiG9w0BAQ0FAAOCAgEAF91YWO96Lg5h5nQ0woaB8Uylm/e9fCdyMLVp6HK+3AFF - 4cSB1sGF9G9PGS07+mrcwnXIgWfuGU17zevvntJxdpdWUYPiB3EtiLH4wZnRYABi - feyCtijKSvWx1GmH6HZlgzDTVx4aqv2PCzXuus2KQbcfuL1pkVFfinnIYrGcZxLB - TZiCU4iSwisglnfqW6Essw8SHbFMFLHmut/AUrMb0Ahrr8kM4twd1wdbiKy4jpdJ - pdbZsyU/EbS7pDJkrGmPzCp3yxKLITxhfcWE1HzRq+BDj0cIcTf920Jlfj/l2ICp - 7soNTmY8kLd22DXtuZfZK4kZZOOV+QWRbmadoOVzH+trVyKYZAeIQSo+b37OZVbG - ZXlNX36vpxayQ73yCxruZRwlgwmSOiUb22jm+cikCDB7wmpv+NeoNpUIpg4fWQz8 - I0tKc6C7tH2uZOLlTAbkzYS3VhNPT1H8Urca975M6f+wJ0Fp9H6Pi9SIaqete30O - w5VG8UuvlEGJkaRTjQj0569ryI9/ZV6ZIOkKur+YnEe+WFlbz8Ug8HXUbJSRCCpd - alCTC496sz6aunLK2E9a2umPUET5JaUUUEYPGZxLstlhDa5HaKw2fZf0EwJMIDVt - Q+cf3YL9/F7OtkMO1sJjCRu8cNOF2S1NaNBIGGeqWR66MCs2dA4UvZtXIzssJaE= - -----END CERTIFICATE----- - owner: root:root - path: "/etc/containerd/certs.d/10.10.10.10:443/ca.crt" - - content: | - [plugins."io.containerd.grpc.v1.cri".registry.mirrors] - [plugins."io.containerd.grpc.v1.cri".registry.mirrors."public.ecr.aws"] - endpoint = ["https://10.10.10.10:443"] - [plugins."io.containerd.grpc.v1.cri".registry.configs."10.10.10.10:443".tls] - ca_file = "/etc/containerd/certs.d/10.10.10.10:443/ca.crt" - owner: root:root - path: "/etc/containerd/config_append.toml" + path: /etc/containerd/certs.d/10.10.10.10:443/ca.crt + - content: | + 
[plugins."io.containerd.grpc.v1.cri".registry.mirrors] + [plugins."io.containerd.grpc.v1.cri".registry.mirrors."public.ecr.aws"] + endpoint = ["https://10.10.10.10:443"] + [plugins."io.containerd.grpc.v1.cri".registry.configs."10.10.10.10:443".tls] + ca_file = "/etc/containerd/certs.d/10.10.10.10:443/ca.crt" + owner: root:root + path: /etc/containerd/config_append.toml + format: cloud-config + initConfiguration: + nodeRegistration: + kubeletExtraArgs: + anonymous-auth: "false" + provider-id: PROVIDER_ID + read-only-port: "0" + tls-cipher-suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + joinConfiguration: + nodeRegistration: + ignorePreflightErrors: + - DirAvailable--etc-kubernetes-manifests + kubeletExtraArgs: + anonymous-auth: "false" + provider-id: PROVIDER_ID + read-only-port: "0" + tls-cipher-suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 preKubeadmCommands: - cat /etc/containerd/config_append.toml >> /etc/containerd/config.toml - sudo systemctl daemon-reload @@ -335,9 +378,8 @@ spec: users: - name: tink-user sshAuthorizedKeys: - - 'ssh-rsa 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' + - ssh-rsa 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 sudo: ALL=(ALL) NOPASSWD:ALL - format: cloud-config machineTemplate: infrastructureRef: apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 
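Review bot: The audit policy in the regenerated `files` entry is no longer a string: the new side shows `content: ""` with `apiVersion: audit.k8s.io/v1beta1`, `kind: Policy` and `rules:` as sibling keys of `owner` and `path`, whereas the adjacent kube-vip entry round-trips correctly with its manifest inside `content: |`. That is what a YAML parser produces when the policy text is indented only to the column of the `content` key instead of past it, so the block scalar is empty and the policy lines become extra keys on the File object; the node would likely end up with an empty `/etc/kubernetes/audit-policy.yaml` while `--audit-policy-file` points at it, and the stray fields would be dropped or rejected by field validation. The fix belongs in the control-plane template that emits this entry (outside this hunk): indent the rendered policy deeper than `content:` and regenerate the fixture so it reads as below. The text-compared fixtures elsewhere in this patch (the `expected_results_cluster_tinkerbell_cp_*.yaml` hunks) come from the same template path and a byte comparison would not catch this, so they deserve the same check.
```yaml
      - content: |
          apiVersion: audit.k8s.io/v1beta1
          kind: Policy
          rules:
          # … unchanged: the policy rules, as text inside the block scalar …
        owner: root:root
        path: /etc/kubernetes/audit-policy.yaml
```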
@@ -350,122 +392,10 @@ spec: version: v1.21.2-eks-1-21-4 --- apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 -kind: TinkerbellMachineTemplate -metadata: - name: test-control-plane-template-1234567890000 - namespace: eksa-system -spec: - template: - spec: - hardwareAffinity: - required: - - labelSelector: - matchLabels: - type: cp - templateOverride: | - global_timeout: 6000 - id: "" - name: tink-test - tasks: - - actions: - - environment: - COMPRESSED: "true" - DEST_DISK: /dev/sda - IMG_URL: "" - image: image2disk:v1.0.0 - name: stream-image - timeout: 360 - - environment: - BLOCK_DEVICE: /dev/sda2 - CHROOT: "y" - CMD_LINE: apt -y update && apt -y install openssl - DEFAULT_INTERPRETER: /bin/sh -c - FS_TYPE: ext4 - image: cexec:v1.0.0 - name: install-openssl - timeout: 90 - - environment: - CONTENTS: | - network: - version: 2 - renderer: networkd - ethernets: - eno1: - dhcp4: true - eno2: - dhcp4: true - eno3: - dhcp4: true - eno4: - dhcp4: true - DEST_DISK: /dev/sda2 - DEST_PATH: /etc/netplan/config.yaml - DIRMODE: "0755" - FS_TYPE: ext4 - GID: "0" - MODE: "0644" - UID: "0" - image: writefile:v1.0.0 - name: write-netplan - timeout: 90 - - environment: - CONTENTS: | - datasource: - Ec2: - metadata_urls: [] - strict_id: false - system_info: - default_user: - name: tink - groups: [wheel, adm] - sudo: ["ALL=(ALL) NOPASSWD:ALL"] - shell: /bin/bash - manage_etc_hosts: localhost - warnings: - dsid_missing_source: off - DEST_DISK: /dev/sda2 - DEST_PATH: /etc/cloud/cloud.cfg.d/10_tinkerbell.cfg - DIRMODE: "0700" - FS_TYPE: ext4 - GID: "0" - MODE: "0600" - image: writefile:v1.0.0 - name: add-tink-cloud-init-config - timeout: 90 - - environment: - CONTENTS: | - datasource: Ec2 - DEST_DISK: /dev/sda2 - DEST_PATH: /etc/cloud/ds-identify.cfg - DIRMODE: "0700" - FS_TYPE: ext4 - GID: "0" - MODE: "0600" - UID: "0" - image: writefile:v1.0.0 - name: add-tink-cloud-init-ds-config - timeout: 90 - - environment: - BLOCK_DEVICE: /dev/sda2 - FS_TYPE: ext4 - image: kexec:v1.0.0 - name: 
kexec-image - pid: host - timeout: 90 - name: tink-test - volumes: - - /dev:/dev - - /dev/console:/dev/console - - /lib/firmware:/lib/firmware:ro - worker: '{{.device_1}}' - version: "0.1" - ---- -apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 kind: TinkerbellCluster metadata: - name: test + name: test namespace: eksa-system spec: - imageLookupFormat: --kube-v1.21.2-eks-1-21-4.raw.gz - imageLookupBaseRegistry: / \ No newline at end of file + imageLookupBaseRegistry: / + imageLookupFormat: --kube-v1.21.2-eks-1-21-4.raw.gz \ No newline at end of file diff --git a/pkg/providers/tinkerbell/testdata/expected_results_tinkerbell_pod_iam_config.yaml b/pkg/providers/tinkerbell/testdata/expected_results_tinkerbell_pod_iam_config.yaml index ffed4280c2bb..9af4b558750d 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_tinkerbell_pod_iam_config.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_tinkerbell_pod_iam_config.yaml @@ -60,15 +60,14 @@ spec: name: audit-log-dir pathType: DirectoryOrCreate readOnly: false - extraVolumes: - - hostPath: /var/lib/kubeadm/aws-iam-authenticator/ - mountPath: /etc/kubernetes/aws-iam-authenticator/ - name: authconfig - readOnly: false - - hostPath: /var/lib/kubeadm/aws-iam-authenticator/pki/ - mountPath: /var/aws-iam-authenticator/ - name: awsiamcert - readOnly: false + - hostPath: /var/lib/kubeadm/aws-iam-authenticator/ + mountPath: /etc/kubernetes/aws-iam-authenticator/ + name: authconfig + readOnly: false + - hostPath: /var/lib/kubeadm/aws-iam-authenticator/pki/ + mountPath: /var/aws-iam-authenticator/ + name: awsiamcert + readOnly: false initConfiguration: nodeRegistration: kubeletExtraArgs: 
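Review bot: The entire `TinkerbellMachineTemplate` named `test-control-plane-template-1234567890000` (its `hardwareAffinity` and the image2disk/cexec/writefile/kexec workflow) drops out of the expected control-plane output in this hunk, which goes well beyond the audit-config fix the commit title describes. If the upgrade path now deliberately omits the machine template when it is unchanged, that deserves a sentence in the commit message or a comment at the top of this fixture, because otherwise a later reader cannot distinguish an intended behaviour change from a fixture regenerated against different test input. The remaining edits here (re-indenting `name: test`, swapping `imageLookupBaseRegistry` and `imageLookupFormat`, and the preserved missing trailing newline) look cosmetic; adding the final newline would also stop the `\ No newline at end of file` marker from reappearing on every regeneration.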
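Review bot: Nothing in a fixture-based string comparison distinguishes the single merged `extraVolumes` list on the new side from the two duplicate `extraVolumes` keys on the old side except the exact text, and a last-wins YAML parser would have silently dropped the `audit-log-dir` mount whenever the aws-iam-authenticator volumes were appended, which is presumably how the bug went unnoticed. A cheap guard against regressing is to also decode the rendered control-plane manifest in the test with a loader that rejects duplicate mapping keys (for example `sigs.k8s.io/yaml.UnmarshalStrict`, or yaml.v3's decoder, whichever the test package already uses), so the failure mode becomes an error rather than a silently overridden volume list. The test harness that consumes this fixture is outside the diff, so I cannot tell whether such a strict decode already exists.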
@@ -141,40 +140,6 @@ spec: owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml - content: | - # clusters refers to the remote service. - clusters: - - name: aws-iam-authenticator - cluster: - certificate-authority: /var/aws-iam-authenticator/cert.pem - server: https://localhost:21362/authenticate - # users refers to the API Server's webhook configuration - # (we don't need to authenticate the API server). - users: - - name: apiserver - # kubeconfig files require a context. Provide one for the API Server. - current-context: webhook - contexts: - - name: webhook - context: - cluster: aws-iam-authenticator - user: apiserver - permissions: "0640" - owner: root:root - path: /var/lib/kubeadm/aws-iam-authenticator/kubeconfig.yaml - - contentFrom: - secret: - name: test-aws-iam-authenticator-ca - key: cert.pem - permissions: "0640" - owner: root:root - path: /var/lib/kubeadm/aws-iam-authenticator/pki/cert.pem - - contentFrom: - secret: - name: test-aws-iam-authenticator-ca - key: key.pem - permissions: "0640" - owner: root:root - path: /var/lib/kubeadm/aws-iam-authenticator/pki/key.pem apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: 
@@ -330,8 +295,43 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml + - content: | + # clusters refers to the remote service. + clusters: + - name: aws-iam-authenticator + cluster: + certificate-authority: /var/aws-iam-authenticator/cert.pem + server: https://localhost:21362/authenticate + # users refers to the API Server's webhook configuration + # (we don't need to authenticate the API server). + users: + - name: apiserver + # kubeconfig files require a context. Provide one for the API Server. + current-context: webhook + contexts: + - name: webhook + context: + cluster: aws-iam-authenticator + user: apiserver + permissions: "0640" + owner: root:root + path: /var/lib/kubeadm/aws-iam-authenticator/kubeconfig.yaml + - contentFrom: + secret: + name: test-aws-iam-authenticator-ca + key: cert.pem + permissions: "0640" + owner: root:root + path: /var/lib/kubeadm/aws-iam-authenticator/pki/cert.pem + - contentFrom: + secret: + name: test-aws-iam-authenticator-ca + key: key.pem + permissions: "0640" + owner: root:root + path: /var/lib/kubeadm/aws-iam-authenticator/pki/key.pem users: - name: tink-user sshAuthorizedKeys: diff --git a/pkg/providers/tinkerbell/testdata/expected_results_ubuntu_ntp_config_cp.yaml b/pkg/providers/tinkerbell/testdata/expected_results_ubuntu_ntp_config_cp.yaml index d3d18d45c40a..719704a9135c 100644 --- a/pkg/providers/tinkerbell/testdata/expected_results_ubuntu_ntp_config_cp.yaml +++ b/pkg/providers/tinkerbell/testdata/expected_results_ubuntu_ntp_config_cp.yaml @@ -129,6 +129,7 @@ spec: status: {} owner: root:root path: /etc/kubernetes/manifests/kube-vip.yaml + - content: | apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: 
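Review bot: The audit-policy file entry that now closes correctly with `owner: root:root` / `path: /etc/kubernetes/audit-policy.yaml` carries no `permissions:` key, while the three aws-iam-authenticator entries added right after it each pin `permissions: "0640"`, so the policy's mode falls back to whatever the bootstrap's write_files default is. Pinning it explicitly, e.g. `permissions: "0644"` for a non-secret, read-only policy, keeps the rendered files consistent and makes the intended mode reviewable. This fixture is presumably rendered from template-cp.yaml, so the change belongs in the template's audit-policy stanza rather than in the expected output.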
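Review bot: The audit policy that the added `- content: |` now turns into a proper file entry declares `apiVersion: audit.k8s.io/v1beta1`, and that API version was removed from kube-apiserver in Kubernetes 1.24; an audit policy file in an unknown version keeps the API server from starting, so audit logging and the control plane would fail together. The policy text comes from the `.auditPolicy` source outside this hunk, and this fixture may well target an older release, but the source should move to `audit.k8s.io/v1` (the `rules`, `level` and `omitStages` fields visible here exist unchanged there) before the provider supports 1.24 or later. The next hunk of this file, which re-indents the policy's `owner`/`path` lines, shares the same concern.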
@@ -284,8 +285,8 @@ spec: - level: Metadata omitStages: - "RequestReceived" - owner: root:root - path: /etc/kubernetes/audit-policy.yaml + owner: root:root + path: /etc/kubernetes/audit-policy.yaml ntp: enabled: true servers: