[Release-1.31] - Bump hardened images #6786

vitorsavian · 2024-09-10T18:59:34Z

Backport fix for Bump hardened images

Bump hardened images #6774

aganesh-suse · 2024-09-20T00:25:07Z

Validated on release-1.31 branch with version v1.31.1-rc3+rke2r1

Environment Details

Infrastructure

Cloud
Hosted

Node(s) CPU architecture, OS, and Version:

$ cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.4 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.4"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.4 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.4
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.4"

$ uname -m
x86_64

Cluster Configuration:

HA : 3 server / 1 agent

or

1 server/ 1 agent

Config.yaml:

token: xxxx
write-kubeconfig-mode: "0644"
node-external-ip: 1.1.1.1
profile: "cis"

Testing Steps

Copy config.yaml

$ sudo mkdir -p /etc/rancher/rke2 && sudo cp config.yaml /etc/rancher/rke2

Install RKE2

curl -sfL https://get.rke2.io | sudo INSTALL_RKE2_VERSION='v1.31.1-rc3+rke2r1' INSTALL_RKE2_TYPE='server' INSTALL_RKE2_METHOD=tar sh -

Follow https://docs.rke2.io/security/hardening_guide

$ sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
$ sudo cp -f /usr/local/share/rke2/rke2-cis-sysctl.conf /etc/sysctl.d/60-rke2-cis.conf 
$ cat /etc/sysctl.d/60-rke2-cis.conf 
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
$ sudo systemctl restart systemd-sysctl

Start the RKE2 service

$ sudo systemctl enable --now rke2-server
or 
$ sudo systemctl enable --now rke2-agent

Verify Cluster Status:

kubectl get nodes -o wide
kubectl get pods -A

Replication Results:

rke2 version used for replication:

$ rke2 -v
rke2 version v1.31.0+rke2r1 (4bf1156f41631dc0e81d66a6834a53d14b48aaef)
go version go1.22.5 X:boringcrypto

containerd:

$ find /var/lib/rancher/rke2/data/ -type f -name containerd -exec {} --version \;
containerd github.com/k3s-io/containerd v1.7.20-k3s1 8d2b528ea4559e4a96b8819500241cbcba7ccc15
$ kubectl get node -o yaml | grep containerd -A1
      containerRuntimeVersion: containerd://1.7.20-k3s1
      kernelVersion: 5.14.0-427.16.1.el9_4.x86_64

runc:

$ find /var/lib/rancher/rke2/data/ -type f -name runc -exec {} --version \;
runc version 1.1.13
commit: v1.1.13-0-g58aa9203
spec: 1.0.2-dev
go: go1.22.6 X:boringcrypto
libseccomp: 2.5.4

crictl:

$ sudo /var/lib/rancher/rke2/bin/crictl -v
crictl version v1.30.1

hardened-kubernetes:

$ sudo /var/lib/rancher/rke2/bin/crictl -r unix:///run/k3s/containerd/containerd.sock images | grep hardened
docker.io/rancher/hardened-kubernetes                                v1.31.0-rke2r1-build20240815   6e3e481a06c76       162MB

For windows agent node:

$ kubectl get nodes -o yaml | grep containerd -A1
      containerRuntimeVersion: containerd://1.7.20-k3s1
      kernelVersion: 10.0.17763.2061

Validation Results:

rke2 version used for validation:

$ rke2 -v
rke2 version v1.31.1-rc3+rke2r1 (909d20d6a28cd7656b7177190f06f69f57927613)
go version go1.22.6 X:boringcrypto

containerd:

$ find /var/lib/rancher/rke2/data/ -type f -name containerd -exec {} --version \;
containerd github.com/k3s-io/containerd v1.7.21-k3s2 a4798dbd5d829351e369ac1d7b5bc7820ca68d37
$ kubectl get node -o yaml | grep containerd -A1
      containerRuntimeVersion: containerd://1.7.21-k3s2
      kernelVersion: 5.14.0-427.20.1.el9_4.x86_64

runc:

 $ find /var/lib/rancher/rke2/data/ -type f -name runc -exec {} --version \;
runc version 1.1.14
commit: v1.1.14-0-g2c9f5602
spec: 1.0.2-dev
go: go1.22.7 X:boringcrypto
libseccomp: 2.5.4

crictl:

$ sudo /var/lib/rancher/rke2/bin/crictl -v
crictl version v1.30.1

hardened-kubernetes:

$ sudo /var/lib/rancher/rke2/bin/crictl -r unix:///run/k3s/containerd/containerd.sock images | grep hardened
docker.io/rancher/hardened-kubernetes                                v1.31.1-rke2r1-build20240912   1b44d478ec444       162MB

For windows agent node:

$ kubectl get node -o yaml | grep containerd -A1
      containerRuntimeVersion: containerd://1.7.21-k3s2
      kernelVersion: 10.0.17763.2061

vitorsavian added the kind/backport label Sep 10, 2024

vitorsavian mentioned this issue Sep 10, 2024

[Release-1.31] Bump hardened images #6775

Merged

vitorsavian self-assigned this Sep 11, 2024

fmoral2 assigned aganesh-suse Sep 11, 2024

aganesh-suse closed this as completed Sep 20, 2024

aganesh-suse mentioned this issue Sep 20, 2024

Bump Hardened Images #6785

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Release-1.31] - Bump hardened images #6786

[Release-1.31] - Bump hardened images #6786

vitorsavian commented Sep 10, 2024

aganesh-suse commented Sep 20, 2024

[Release-1.31] - Bump hardened images #6786

[Release-1.31] - Bump hardened images #6786

Comments

vitorsavian commented Sep 10, 2024

aganesh-suse commented Sep 20, 2024

Validated on release-1.31 branch with version v1.31.1-rc3+rke2r1

Environment Details

Testing Steps