
Merge pull request #13 from ansible-lockdown/devel
Test to main
georgenalen authored Feb 15, 2023
2 parents 374ad1a + 605aa0a commit c85ab78
Showing 8 changed files with 300 additions and 250 deletions.
2 changes: 1 addition & 1 deletion .gitattributes
Expand Up @@ -3,4 +3,4 @@
*.yml linguist-detectable=true
*.ps1 linguist-detectable=true
*.j2 linguist-detectable=true
*.md linguist-documentation
*.md linguist-documentation
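--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -0,0 +1,11 @@
+**Overall Review of Changes:**
+A general description of the changes made that are being requested for merge
+
+**Issue Fixes:**
+Please list (using linking) any open issues this PR addresses
+
+**Enhancements:**
+Please list any enhancements/features that are not open issue tickets
+
+**How has this been tested?:**
+Please give an overview of how these changes were tested. If they were not please use N/A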
36 changes: 18 additions & 18 deletions .yamllint
Expand Up @@ -9,21 +9,21 @@ ignore: |
extends: default

rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
indentation:
indent-sequences: consistent
level: error
line-length: disable
key-duplicates: enable
new-line-at-end-of-file: enable
new-lines:
type: unix
trailing-spaces: enable
truthy:
allowed-values: ['true', 'false']
check-keys: true
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
indentation:
indent-sequences: consistent
level: error
line-length: disable
key-duplicates: enable
new-line-at-end-of-file: enable
new-lines:
type: unix
trailing-spaces: enable
truthy:
allowed-values: ['true', 'false']
check-keys: true
13 changes: 12 additions & 1 deletion defaults/main.yml
Expand Up @@ -9,7 +9,7 @@ cntrk8stig_cat3_patch: true
# however the time you run this role might not be the best time to reboot, so we allow flexability
cntrk8stig_skip_reboot: true

kubernetes_master: true
cntrk8stig_control_plane: true

# These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules.
# PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group
Expand Down Expand Up @@ -79,6 +79,8 @@ cntr_k8_001520: true
cntr_k8_001530: true
cntr_k8_001540: true
cntr_k8_001550: true
cntr_k8_002001: true
cntr_k8_002011: true
cntr_k8_002600: true
cntr_k8_002700: true
cntr_k8_002720: true
Expand Down Expand Up @@ -219,6 +221,15 @@ cntrk8stig_tls_cert_file: "/etc/kubernetes/pki/apiserver.crt"
# to conform to STIG standards please point to an approved organizational certificate
cntrk8stig_tls_privkey_file: "/etc/kubernetes/pki/apiserver.key"

# CNTR-K8-002011
# cntrk8stig_admission_cntrl_cnfg_file is the path and file name to the admission control config file in the api server config
# To conform to STIG standards please point this to a valid site approved file
cntrk8stig_admission_cntrl_cnfg_file: "/etc/kubernetes/admission-control.yaml"
# cntrk8stig_admission_cntrl_confg_create is the toggle to allow this remediation role create the admission control config file
# The file will be created from the admission_control_config_file.yaml.j2 template file in the templates folder
# The final path and filename will be the value in the cntrk8stig_admission_cntrl_cnfg_file variable
# If this value is set to true please manage the file via the template template file.
cntrk8stig_admission_cntrl_confg_create: true

# CNTR-K8-003280
# cntrk8stig_kubeapi_audit_policy_file is the path to the audit policy config file
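Review bot: Renaming `kubernetes_master` to `cntrk8stig_control_plane` with a default of `true` (first hunk of this section) silently changes behaviour for any inventory that still sets `kubernetes_master: false` on worker nodes, since the old name is no longer read and every host now takes the control-plane default, so the tasks gated on it in tasks/fix-cat1.yml would run on workers. A one-line compatibility default keeps old inventories working while the rename settles: `cntrk8stig_control_plane: "{{ kubernetes_master | default(true) }}"`, ideally with a comment marking `kubernetes_master` as deprecated. In the third hunk, the new toggle is spelled `cntrk8stig_admission_cntrl_confg_create` while its sibling is `cntrk8stig_admission_cntrl_cnfg_file`; picking one spelling (`cnfg`) for both avoids a hard-to-spot typo when users override it in group_vars. The comment above that toggle also reads "via the template template file", which presumably should be "via the template file".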
52 changes: 27 additions & 25 deletions tasks/fix-cat1.yml
Expand Up @@ -8,13 +8,13 @@
insertafter: '^\s+- kube-controller-manager$'
when:
- cntr_k8_000220
- kubernetes_master
- cntrk8stig_control_plane
tags:
- CNTR-K8-000220
- CAT1
- CCI-000015
- SRG-APP-000023-CTR-000055
- SV-242381r799981_rule
- SV-242381r863957_rule
- V-242381
- master
- kube_control_manager
Expand Down Expand Up @@ -42,13 +42,13 @@
insertafter: '^\s+- kube-apiserver'
when:
- cntr_k8_000320
- kubernetes_master
- cntrk8stig_control_plane
tags:
- CNTR-K8-000320
- CAT1
- CCI-000213
- SRG-APP-000033-CTR-000095
- SV-242386r808574_rule
- SV-242386r863962_rule
- V-242386
- master
- api_server
Expand Down Expand Up @@ -91,13 +91,13 @@
when: cntr_k8_000330_updated_kubelet_cfg is defined
when:
- cntr_k8_000330
- kubernetes_master
- cntrk8stig_control_plane
tags:
- CNTR-K8-000330
- CAT1
- CCI-000213
- SRG-APP-000033-CTR-000095
- SV-242387r717013_rule
- SV-242387r863963_rule
- V-242387
- master
- kubelet
Expand All @@ -109,13 +109,13 @@
state: absent
when:
- cntr_k8_000340
- kubernetes_master
- cntrk8stig_control_plane
tags:
- CNTR-K8-000340
- CAT1
- CCI-000213
- SRG-APP-000033-CTR-000095
- SV-242388r712520_rule
- SV-242388r863964_rule
- V-242388
- master
- api_server
Expand All @@ -128,13 +128,13 @@
insertafter: '^\s+- kube-apiserver$'
when:
- cntr_k8_000360
- kubernetes_master
- cntrk8stig_control_plane
tags:
- CNTR-K8-000360
- CAT1
- CCI-000213
- SRG-APP-000033-CTR-000100
- SV-242390r712526_rule
- SV-242390r863966_rule
- V-242390
- master
- api_server
Expand All @@ -148,13 +148,13 @@
notify: kubelet restart
when:
- cntr_k8_000370
- kubernetes_master
- cntrk8stig_control_plane
tags:
- CNTR-K8-000370
- CAT1
- CCI-000213
- SRG-APP-000033-CTR-000090
- SV-242391r712529_rule
- SV-242391r863967_rule
- V-242391
- master
- kubelet
Expand Down Expand Up @@ -199,12 +199,13 @@
when: cntr_k8_000380_updated_kubelet_cfg is defined
when:
- cntr_k8_000380
- cntrk8stig_control_plane
tags:
- CNTR-K8-000380
- CAT1
- CCI-000213
- SRG-APP-000033-CTR-000095
- SV-242392r712532_rule
- SV-242392r863968_rule
- V-242392
- kubelet

Expand All @@ -221,7 +222,7 @@
- CAT1
- CCI-000213
- SRG-APP-000033-CTR-000090
- SV-242397r712547_rule
- SV-242397r863973_rule
- V-242397
- kubelet

Expand All @@ -247,12 +248,13 @@
when: cntr_k8_001160_secret_env_vars | length >= 1
when:
- cntr_k8_001160
- cntrk8stig_control_plane
tags:
- CNTR-K8-001160
- CAT1
- CCI-000196
- SRG-APP-000171-CTR-000435
- SV-242415r712601_rule
- SV-242415r863991_rule
- V-242415
- secrets

Expand Down Expand Up @@ -293,13 +295,13 @@
when: cntr_k8_01620_updated_kubelet_cfg is defined
when:
- cntr_k8_001620
- kubernetes_master
- cntrk8stig_control_plane
tags:
- CNTR-K8-001620
- CAT1
- CCI-001084
- SRG-APP-000233-CTR-000585
- SV-242434r825894_rule
- SV-242434r864009_rule
- V-242434
- kubelet
- kernel
Expand All @@ -312,15 +314,15 @@
insertafter: '^\s+- kube-apiserver$'
when:
- cntr_k8_001990
- kubernetes_master
- cntrk8stig_control_plane
tags:
- CNTR-K8-001990
- CAT1
- CCI-000213
- CCI-001812
- CCI-002235
- SRG-APP-000340-CTR-000770
- SV-242435r712661_rule
- SV-242435r864010_rule
- V-24243
- api_server

Expand All @@ -332,13 +334,13 @@
insertafter: '^\s+- kube-apiserver$'
when:
- cntr_k8_002000
- kubernetes_master
- cntrk8stig_control_plane
tags:
- CNTR-K8-002000
- CAT1
- CCI-002233
- SRG-APP-000342-CTR-000775
- SV-242436r712664_rule
- SV-242436r864011_rule
- V-242436
- kubelet

Expand All @@ -355,13 +357,13 @@
failed_when: false
when:
- cntr_k8_002010
- kubernetes_master
- cntrk8stig_control_plane
tags:
- CNTR-K8-002010
- CAT1
- CCI-002233
- SRG-APP-000342-CTR-000775
- SV-242437r821610_rule
- SV-242437r864012_rule
- V-242437
- pod
- security_policy
Expand All @@ -373,11 +375,11 @@
state: absent
when:
- cntr_k8_002620
- kubernetes_master
- cntrk8stig_control_plane
tags:
- CNTR-K8-002620
- CAT1
- CCI-002418
- SRG-APP-000439-CTR-001080
- SV-245542r754891_rule
- SV-245542r864033_rule
- V-245542
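Review bot: The `- cntrk8stig_control_plane` condition newly added to the CNTR-K8-000380 and CNTR-K8-001160 tasks (hunks `@@ -199,12 +199,13 @@` and `@@ -247,12 +248,13 @@`) narrows tasks that previously ran on every host to control-plane hosts only, unlike the other hunks, which only rename an existing condition. CNTR-K8-000380 is tagged `kubelet` and works on a kubelet config fact, and kubelets presumably also run on worker nodes, so please confirm that leaving worker kubelets out of this remediation is intended; both task bodies start above their hunks. In hunk `@@ -312,15 +314,15 @@` the rule tag is updated to `SV-242435r864010_rule` but the tag beneath it stays `- V-24243`, which looks truncated next to the `V-2424xx` pattern used everywhere else; `- V-242435` would match the rule tag above it. Similarly, hunk `@@ -293,13 +295,13 @@` still keys on `cntr_k8_01620_updated_kubelet_cfg` while the rule variable is `cntr_k8_001620`, which is worth aligning while these tags are being touched.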
