rancher/rke
1
0
Fork 0
mirror of https://github.com/rancher/rke.git synced 2025-09-16 15:10:12 +00:00
Code Issues Releases Wiki Activity

Add support for k8s 1.18

Browse Source 
This commit changes default settings for k8s 1.18 to have encryption at rest by default: https://github.com/rancherlabs/rancher-security/issues/412
This commit is contained in:
Arvind Iyengar
2020-05-11 15:17:51 -07:00
parent b513e200ab
commit 763a896380
3 changed files with 36 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
cluster/defaults.go
View File

@@ -323,6 +323,17 @@ func (c *Cluster) setClusterServicesDefaults() {
}
}
enableEncryptionByDefault, err := checkVersionNeedsEncryptionDefault(c.Version)
if err != nil {
logrus.Warnf("Cannot determine if cluster version [%s] needs to have encryption enabled by default: %v", c.Version, err)
}
if enableEncryptionByDefault && c.Services.KubeAPI.SecretsEncryptionConfig == nil {
logrus.Debugf("Enabling encryption of secret data at rest by default for cluster version [%s]", c.Version)
c.Services.KubeAPI.SecretsEncryptionConfig = &v3.SecretsEncryptionConfig{
Enabled: true,
}
}
if c.Services.KubeAPI.AuditLog != nil &&
c.Services.KubeAPI.AuditLog.Enabled {
if c.Services.KubeAPI.AuditLog.Configuration == nil {
@@ -713,3 +724,22 @@ func checkVersionNeedsKubeAPIAuditLog(k8sVersion string) (bool, error) {
logrus.Debugf("Cluster version [%s] does not need to have kube-api audit log enabled", k8sVersion[1:])
return false, nil
}
func checkVersionNeedsEncryptionDefault(k8sVersion string) (bool, error) {
toMatch, err := semver.Make(k8sVersion[1:])
if err != nil {
return false, fmt.Errorf("Cluster version [%s] can not be parsed as semver", k8sVersion[1:])
}
logrus.Debugf("Checking if cluster version [%s] needs to have encryption enabled by default", k8sVersion[1:])
// encryption turned on by default in k8s 1.18.0 and up
clusterDefaultEncryptionRange, err := semver.ParseRange(">=1.18.0-rancher0")
if err != nil {
return false, errors.New("Failed to parse semver range while checking if encryption is enabled by default")
}
if clusterDefaultEncryptionRange(toMatch) {
logrus.Debugf("Cluster version [%s] needs to have encryption enabled by default", k8sVersion[1:])
return true, nil
}
logrus.Debugf("Cluster version [%s] does not need to have encryption enabled by default", k8sVersion[1:])
return false, nil
}