Powered by Algolia
    DocsAPIBack to Spectro Cloud

    Kubernetes

    This pack defines the properties that will be used by Spectro Cloud to bring up the Kubernetes cluster. Most of the Kubernetes hardening standards recommended by the Center for Internet Security is enabled by default.

    Info: Only Kubernetes versions 1.19 and above is supported

    Supported Kubernetes versions

    Versions supported in the latest release are highlighted.

    • 1.19.16
    • 1.19.15
    • 1.19.14
    • 1.19.13
    • 1.19.12
    • 1.19.11
    • 1.19.10
    • 1.19.9
    • 1.19.8
    • 1.19.7
    • 1.19.6
    • 1.19.5
    • 1.19.4
    • 1.19.3

    Notable parameters

    NameSupported valuesDefault valueDescription
    pack.k8sHardeningTrue, FalseTrueFlag to decide if Kubernetes hardening should be applied.
    When set to True, additional flags configured in kubeadmconfig will be honored and will be set to the corresponding components.
    When set to True, additional flags configured in kubeadmconfig will be honored and will be set to the corresponding components.
    pack.podCIDR192.168.0.0/16CIDR range for the pod networking. This should match the networking layer property calicoNetworkCIDR.CIDR range for Pods in cluster
    pack.serviceClusterIpRange10.96.0.0/12CIDR range for the services. This should not overlap with any IP ranges assigned to nodes for pods.CIDR range for Services in the Cluster
    kubeadmconfig.apiServer.extraArgsList of additional apiServer flags to be set
    kubeadmconfig.apiServer.extraVolumesList of additional volumes to be mounted on apiServer
    kubeadmconfig.controllerManager.extraArgsList of additional ControllerManager flags to be set
    kubeadmconfig.scheduler.extraArgsList of additional Kube Scheduler flags to be set
    kubeadmconfig.filesList of additional files to be copied over to the nodes
    kubeadmconfig.preKubeadmCommandsList of additional commands to be executed before kubeadm commands are run
    kubeadmconfig.postKubeadmCommandsList of additional commands to be executed after kubeadm commands are run

    Example Kubeadm config

    kubeadmconfig:
      apiServer:
        extraArgs:
          anonymous-auth: "true"
          insecure-port: "0"
          profiling: "false"
        extraVolumes:
          - name: audit-policy
            hostPath: /etc/kubernetes/audit-policy.yaml
            mountPath: /etc/kubernetes/audit-policy.yaml
            readOnly: true
            pathType: File
      controllerManager:
        extraArgs:
          profiling: "false"
          terminated-pod-gc-threshold: "25"
          use-service-account-credentials: "true"
      scheduler:
        extraArgs:
          profiling: "false"
      kubeletExtraArgs:
        read-only-port : "0"
        event-qps: "0"
        protect-kernel-defaults: "true"
      files:
        - path: hardening/audit-policy.yaml
          targetPath: /etc/kubernetes/audit-policy.yaml
          targetOwner: "root:root"
          targetPermissions: "0600"
      preKubeadmCommands:
        - 'echo "Executing preKubeadmCmds"'
      postKubeadmCommands:
        - 'echo "Executing postKubeadmCmds"'
    Edit on GitHub