diff --git a/agents.tf b/agents.tf index c3516b49..6fe70835 100644 --- a/agents.tf +++ b/agents.tf @@ -65,6 +65,7 @@ resource "null_resource" "agents" { node-ip = module.agents[each.key].private_ipv4_address node-label = each.value.labels node-taint = each.value.taints + selinux = true }) destination = "/tmp/config.yaml" } @@ -97,7 +98,7 @@ resource "null_resource" "agents" { } resource "hcloud_volume" "longhorn_volume" { - for_each = { for k, v in local.agent_nodes : k => v if((lookup(v, "longhorn_volume_size", 0) >= 10) && (lookup(v, "longhorn_volume_size", 0) <= 10000) && var.enable_longhorn) } + for_each = { for k, v in local.agent_nodes : k => v if((v.longhorn_volume_size >= 10) && (v.longhorn_volume_size <= 10000) && var.enable_longhorn) } labels = { provisioner = "terraform" @@ -105,14 +106,14 @@ resource "hcloud_volume" "longhorn_volume" { scope = "longhorn" } name = "${var.cluster_name}-longhorn-${module.agents[each.key].name}" - size = lookup(local.agent_nodes[each.key], "longhorn_volume_size", 0) + size = local.agent_nodes[each.key].longhorn_volume_size server_id = module.agents[each.key].id automount = true format = var.longhorn_fstype } resource "null_resource" "configure_longhorn_volume" { - for_each = { for k, v in local.agent_nodes : k => v if((lookup(v, "longhorn_volume_size", 0) >= 10) && (lookup(v, "longhorn_volume_size", 0) <= 10000) && var.enable_longhorn) } + for_each = { for k, v in local.agent_nodes : k => v if((v.longhorn_volume_size >= 10) && (v.longhorn_volume_size <= 10000) && var.enable_longhorn) } triggers = { agent_id = module.agents[each.key].id diff --git a/autoscaler-agents.tf b/autoscaler-agents.tf index aaaa10c7..0e30ab01 100644 --- a/autoscaler-agents.tf +++ b/autoscaler-agents.tf 
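Review bot: `selinux = true` is hard-coded in this agent config block and repeated verbatim in autoscaler-agents.tf, control_planes.tf and init.tf in the same commit, so there is no single place to turn it off for a node pool where the custom policy module fails to load, and no single place to document the prerequisite. Define it once, e.g. `k3s_selinux_enabled = true` in locals.tf, and reference `selinux = local.k3s_selinux_enabled` in each of the four config blocks. Whether k3s tolerates `selinux: true` on a node where the k3s-selinux policy package is absent is not visible from this diff; a comment on that local stating what must be installed would help the next maintainer. The enclosing `null_resource "agents"` starts before and ends after this hunk.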
@@ -78,6 +78,7 @@ data "cloudinit_config" "autoscaler-config" {
 flannel-iface = local.flannel_iface
 node-label = local.default_agent_labels
 node-taint = local.default_agent_taints
+ selinux = true
 })
 install_k3s_agent_script = join("\n", concat(local.install_k3s_agent, ["systemctl start k3s-agent"]))
 cloudinit_write_files_common = local.cloudinit_write_files_common
diff --git a/control_planes.tf b/control_planes.tf
index 10c01039..e35e7174 100644
--- a/control_planes.tf
+++ b/control_planes.tf
@@ -112,6 +112,7 @@ resource "null_resource" "control_planes" {
 advertise-address = module.control_planes[each.key].private_ipv4_address
 node-label = each.value.labels
 node-taint = each.value.taints
+ selinux = true
 write-kubeconfig-mode = "0644" # needed for import into rancher
 },
 lookup(local.cni_k3s_settings, var.cni_plugin, {}),
diff --git a/init.tf b/init.tf
index fc35a819..ff884416 100644
--- a/init.tf
+++ b/init.tf
@@ -24,6 +24,7 @@ resource "null_resource" "first_control_plane" {
 advertise-address = module.control_planes[keys(module.control_planes)[0]].private_ipv4_address
 node-taint = local.control_plane_nodes[keys(module.control_planes)[0]].taints
 node-label = local.control_plane_nodes[keys(module.control_planes)[0]].labels
+ selinux = true
 },
 lookup(local.cni_k3s_settings, var.cni_plugin, {}),
 var.use_control_plane_lb ? {
diff --git a/locals.tf b/locals.tf
index 855edfde..46575220 100644
--- a/locals.tf
+++ b/locals.tf
@@ -76,12 +76,12 @@ locals { format("%s-%s-%s", pool_index, node_index, nodepool_obj.name) => { nodepool_name : nodepool_obj.name, server_type : nodepool_obj.server_type, - longhorn_volume_size : lookup(nodepool_obj, "longhorn_volume_size", 0), + longhorn_volume_size : coalesce(nodepool_obj.longhorn_volume_size, 0), floating_ip : lookup(nodepool_obj, "floating_ip", false), location : nodepool_obj.location, labels : concat(local.default_agent_labels, nodepool_obj.labels), taints : concat(local.default_agent_taints, nodepool_obj.taints), - backups : nodepool_obj.backups, + backups : lookup(nodepool_obj, "backups", false), index : node_index } } @@ -557,14 +557,23 @@ EOF module kube_hetzner_selinux 1.0; require { - type iscsid_t; - type iscsid_exec_t; - type var_run_t; - class file { execute execute_no_trans }; - class sock_file write; - class unix_stream_socket connectto; + type iscsid_t; + type iscsid_exec_t; + type var_run_t; + type init_t; + type unlabeled_t; + type systemd_logind_t; + type systemd_hostnamed_t; + type container_t; + type cert_t; + class file { open read execute execute_no_trans }; + class sock_file write; + class unix_stream_socket connectto; + class dir { search rmdir read add_name remove_name }; + class lnk_file { read create }; } + #============= iscsid_t ============== # Allow iscsid to execute in its own domain allow iscsid_t iscsid_exec_t:file execute; 
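Review bot: `lookup(nodepool_obj, "backups", false)` will never fall back to `false` if `nodepool_obj` comes from `var.agent_nodepools`, where `backups` is declared `optional(bool)` in this same commit: an optional object attribute is always present, with value `null` when unset, so `lookup` returns `null` and the `false` default is dead, leaving `null` as what reaches the agent module. Use the same pattern the commit introduces on the line above, `backups : coalesce(nodepool_obj.backups, false),`. The unchanged `floating_ip : lookup(nodepool_obj, "floating_ip", false)` two lines down has the same shape and is worth checking at the same time. The surrounding `locals` block starts before and ends after this hunk.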
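Review bot: The policy module still declares `module kube_hetzner_selinux 1.0;` although this commit widens it from three types and three classes to nine types and five classes; bump it to `module kube_hetzner_selinux 1.1;` so `semodule -l` on a node shows whether the extended rules are the ones loaded (`semodule -i` replaces the module either way, but the version is the only visible marker). The policy text is embedded in a heredoc whose opening and closing delimiters are outside this hunk; moving it to a `.te` file read with `file()` would allow `checkmodule -M -m` to be run on it in CI without rendering the Terraform template first.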
@@ -574,33 +583,34 @@ EOF # Allow iscsid to connect to unix_stream_socket allow iscsid_t var_run_t:unix_stream_socket connectto; - require { - type init_t; - type unlabeled_t; - class dir add_name; - } - #============= init_t ============== + # Allow init_t to add names to unlabeled directories allow init_t unlabeled_t:dir add_name; - require { - type unlabeled_t; - type init_t; - class dir remove_name; - } - - #============= init_t ============== + # Allow init_t to remove names from unlabeled directories allow init_t unlabeled_t:dir remove_name; - require { - type unlabeled_t; - type init_t; - class lnk_file create; - } - - #============= init_t ============== + # Allow init_t to create symbolic links in unlabeled directories allow init_t unlabeled_t:lnk_file create; + # Allow init_t to remove unlabeled directories + allow init_t unlabeled_t:dir rmdir; + + #============= systemd_logind_t ============== + # Allow search operation for systemd-logind + allow systemd_logind_t unlabeled_t:dir search; + + #============= systemd_hostnamed_t ============== + # Allow search operation for systemd-hostnamed + allow systemd_hostnamed_t unlabeled_t:dir search; + + #============= container_t ============== + # Allow read operation for cluster-autoscaler and system-upgrade containers + allow container_t cert_t:dir read; + allow container_t cert_t:lnk_file read; + allow container_t cert_t:file read; + allow container_t cert_t:file open; + # Create the k3s registries file if needed %{if var.k3s_registries != ""} # Create k3s registries file @@ -667,5 +677,8 @@ EOT - [systemctl, restart, NetworkManager] - [systemctl, status, NetworkManager] - [ip, route, add, default, via, '172.31.1.1', dev, 'eth0'] + +# Cleanup some logs +- [truncate, '-s', '0', '/var/log/audit/audit.log'] EOT } diff --git a/variables.tf b/variables.tf index d4b0456a..2a7d0d35 100644 --- a/variables.tf +++ b/variables.tf 
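Review bot: The four `allow container_t cert_t:...` rules grant every container on the node read access to `cert_t`-labelled files, not only the cluster-autoscaler and system-upgrade pods the comment names, because `container_t` is the domain all non-privileged containers run in. `cert_t` typically covers `/etc/pki` and `/etc/ssl`, which may include private-key directories depending on the distribution's file contexts, so confirm what is labelled `cert_t` on the node image before shipping this. A narrower option is to mount only the CA bundle into those two pods (a mounted volume is relabelled `container_file_t` and needs no new rule) or to give those pods a dedicated domain via `seLinuxOptions`; at minimum the comment should read `# Allow ALL containers (container_t) to read host certificates; needed by cluster-autoscaler and system-upgrade`. The new `init_t unlabeled_t:dir rmdir` and the two `:dir search` rules extend the existing practice of permitting operations on unlabelled directories; adding a file-context entry for those paths and running `restorecon` would remove the need for this family of rules rather than growing it.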
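Review bot: `- [truncate, '-s', '0', '/var/log/audit/audit.log']` discards the audit trail of the whole provisioning run, including the AVC denials that the SELinux policy in this commit was presumably derived from and that are the first thing needed when a node misbehaves under the new `selinux = true` setting. If auditd is already running when this `runcmd` entry executes, truncating a file it holds open can also leave the log inconsistent; `service auditd rotate` (or `kill -USR1` to auditd) is the supported way to start a fresh file while keeping the old one. The comment `# Cleanup some logs` does not say why the log is removed; if the intent is to drop noise from image build, say so and prefer rotation, otherwise drop the line. The cloud-init `runcmd` list and the heredoc it lives in begin before this hunk.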
@@ -104,14 +104,15 @@ variable "control_plane_nodepools" {
 variable "agent_nodepools" {
 description = "Number of agent nodes."
 type = list(object({
- name = string
- server_type = string
- location = string
- backups = optional(bool)
- floating_ip = optional(bool)
- labels = list(string)
- taints = list(string)
- count = number
+ name = string
+ server_type = string
+ location = string
+ backups = optional(bool)
+ floating_ip = optional(bool)
+ labels = list(string)
+ taints = list(string)
+ count = number
+ longhorn_volume_size = optional(number)
 }))
 default = []
 }
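Review bot: `longhorn_volume_size = optional(number)` is accepted without bounds, while agents.tf in this commit only creates a volume when the value is between 10 and 10000, so a pool declared with `longhorn_volume_size = 5` or `20000` silently gets no volume and no error. A `validation` block on the variable turns that into a plan-time failure with a message that names the limits. The `description = "Number of agent nodes."` context line no longer describes a list of node-pool objects and could be corrected in the same block.
```hcl
variable "agent_nodepools" {
  # … unchanged: description, type, default …
  validation {
    condition = alltrue([
      for pool in var.agent_nodepools :
      pool.longhorn_volume_size == null || (pool.longhorn_volume_size >= 10 && pool.longhorn_volume_size <= 10000)
    ])
    error_message = "longhorn_volume_size must be between 10 and 10000 (GB) when set."
  }
}
```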