Configure optional cluster settings¶
Note
Consider this section as part of the Bootstrap v2 CLI procedure.
During creation of a management cluster using Bootstrap v2, you can configure
optional cluster settings using the Container Cloud API by modifying
cluster.yaml.template.
To configure optional cluster settings:
Technology Preview. Enable custom host names for cluster machines. When enabled, any machine host name in a particular region matches the related
Machineobject name. For example, instead of the defaultkaas-node-<UID>, a machine host name will bemaster-0. The custom naming format is more convenient and easier to operate with.Configuration for custom host names on the management and its future managed clusters
In
cluster.yaml.template, find thespec.providerSpec.value.kaas.regional.helmReleases.name: baremetal-providersection.Under
values.config, addcustomHostnamesEnabled: true:regional: - helmReleases: - name: baremetal-provider values: config: allInOneAllowed: false customHostnamesEnabled: true internalLoadBalancers: false provider: baremetal-provider
In
cluster.yaml.template, find thespec.providerSpec.value.kaas.regionalsection of the required region.In this section, find
baremetal-providerunderhelmReleases.Under
values.config, addcustomHostnamesEnabled: true. For example, inregion-one:regional: - helmReleases: - name: baremetal-provider values: config: allInOneAllowed: false customHostnamesEnabled: true internalLoadBalancers: false provider: baremetal-provider
Technology Preview. Enable the Linux Audit daemon auditd to monitor activity of cluster processes and prevent potential malicious activity.
Configuration for auditd
In
cluster.yaml.template, add the auditd parameters:spec: providerSpec: value: audit: auditd: enabled: <bool> enabledAtBoot: <bool> backlogLimit: <int> maxLogFile: <int> maxLogFileAction: <string> maxLogFileKeep: <int> mayHaltSystem: <bool> presetRules: <string> customRules: <string> customRulesX32: <text> customRulesX64: <text>
Configuration parameters for auditd:
enabledBoolean, default -
false. Enables theauditdrole to install the auditd packages and configure rules. CIS rules: 4.1.1.1, 4.1.1.2.enabledAtBootBoolean, default -
false. Configures grub to audit processes that can be audited even if they start up prior to auditd startup. CIS rule: 4.1.1.3.backlogLimitInteger, default - none. Configures the backlog to hold records. If during boot
audit=1is configured, the backlog holds 64 records. If more than 64 records are created during boot, auditd records will be lost with a potential malicious activity being undetected. CIS rule: 4.1.1.4.maxLogFileInteger, default - none. Configures the maximum size of the audit log file. Once the log reaches the maximum size, it is rotated and a new log file is created. CIS rule: 4.1.2.1.
maxLogFileActionString, default - none. Defines handling of the audit log file reaching the maximum file size. Allowed values:
keep_logs- rotate logs but never delete themrotate- add a cron job to compress rotated log files and keep maximum 5 compressed files.compress- compress log files and keep them under the/var/log/auditd/directory. Requiresauditd_max_log_file_keepto be enabled.
CIS rule: 4.1.2.2.
maxLogFileKeepInteger, default -
5. Defines the number of compressed log files to keep under the/var/log/auditd/directory. Requiresauditd_max_log_file_action=compress. CIS rules - none.mayHaltSystemBoolean, default -
false. Halts the system when the audit logs are full. Applies the following configuration:space_left_action = emailaction_mail_acct = rootadmin_space_left_action = halt
CIS rule: 4.1.2.3.
customRulesString, default - none. Base64-encoded content of the
60-custom.rulesfile for any architecture. CIS rules - none.customRulesX32String, default - none. Base64-encoded content of the
60-custom.rulesfile for thei386architecture. CIS rules - none.customRulesX64String, default - none. Base64-encoded content of the
60-custom.rulesfile for thex86_64architecture. CIS rules - none.presetRulesString, default - none. Comma-separated list of the following built-in preset rules:
accessactionsdeletedocker
identityimmutableloginsmac-policy
modulesmountsperm-modprivileged
scopesessionsystem-localetime-change
Since Container Cloud 2.28.0 (Cluster releases 17.3.0 and 16.3.0) in the Technology Preview scope, you can collect some of the preset rules indicated above as groups and use them in
presetRules:ubuntu-cis-rules- this group contains rules to comply with the Ubuntu CIS Benchmark recommendations, including the following CIS Ubuntu 20.04 v2.0.1 rules:scope- 5.2.3.1actions- same as 5.2.3.2time-change- 5.2.3.4system-locale- 5.2.3.5privileged- 5.2.3.6access- 5.2.3.7identity- 5.2.3.8
perm-mod- 5.2.3.9mounts- 5.2.3.10session- 5.2.3.11logins- 5.2.3.12delete- 5.2.3.13mac-policy- 5.2.3.14modules- 5.2.3.19
docker-cis-rules- this group contains rules to comply with Docker CIS Benchmark recommendations, including thedockerDocker CIS v1.6.0 rules 1.1.3 - 1.1.18.
You can also use two additional keywords inside
presetRules:none- select no built-in rules.all- select all built-in rules. When using this keyword, you can add the!prefix to a rule name to exclude some rules. You can use the!prefix for rules only if you add theallkeyword as the first rule. Place a rule with the!prefix only after theallkeyword.
Example configurations:
presetRules: none- disable all preset rulespresetRules: docker- enable only thedockerrulespresetRules: access,actions,logins- enable only theaccess,actions, andloginsrulespresetRules: ubuntu-cis-rules- enable all rules from theubuntu-cis-rulesgrouppresetRules: docker-cis-rules,actions- enable all rules from thedocker-cis-rulesgroup and theactionsrulepresetRules: all- enable all preset rulespresetRules: all,!immutable,!sessions- enable all preset rules exceptimmutableandsessions
CIS controls
4.1.3 (time-change)4.1.4 (identity)4.1.5 (system-locale)4.1.6 (mac-policy)4.1.7 (logins)4.1.8 (session)4.1.9 (perm-mod)4.1.10 (access)4.1.11 (privileged)4.1.12 (mounts)4.1.13 (delete)4.1.14 (scope)4.1.15 (actions)4.1.16 (modules)4.1.17 (immutable)Docker CIS controls
1.1.41.1.81.1.101.1.121.1.131.1.151.1.161.1.171.1.181.2.31.2.41.2.51.2.61.2.71.2.101.2.11
Configure OIDC integration:
LDAP configuration
Example configuration:
spec: providerSpec: value: kaas: management: helmReleases: - name: iam values: keycloak: userFederation: providers: - displayName: "<LDAP_NAME>" providerName: "ldap" priority: 1 fullSyncPeriod: -1 changedSyncPeriod: -1 config: pagination: "true" debug: "false" searchScope: "1" connectionPooling: "true" usersDn: "<DN>" # "ou=People, o=<ORGANIZATION>, dc=<DOMAIN_COMPONENT>" userObjectClasses: "inetOrgPerson,organizationalPerson" usernameLDAPAttribute: "uid" rdnLDAPAttribute: "uid" vendor: "ad" editMode: "READ_ONLY" uuidLDAPAttribute: "uid" connectionUrl: "ldap://<LDAP_DNS>" syncRegistrations: "false" authType: "simple" bindCredential: "" bindDn: "" mappers: - name: "username" federationMapperType: "user-attribute-ldap-mapper" federationProviderDisplayName: "<LDAP_NAME>" config: ldap.attribute: "uid" user.model.attribute: "username" is.mandatory.in.ldap: "true" read.only: "true" always.read.value.from.ldap: "false" - name: "full name" federationMapperType: "full-name-ldap-mapper" federationProviderDisplayName: "<LDAP_NAME>" config: ldap.full.name.attribute: "cn" read.only: "true" write.only: "false" - name: "last name" federationMapperType: "user-attribute-ldap-mapper" federationProviderDisplayName: "<LDAP_NAME>" config: ldap.attribute: "sn" user.model.attribute: "lastName" is.mandatory.in.ldap: "true" read.only: "true" always.read.value.from.ldap: "true" - name: "email" federationMapperType: "user-attribute-ldap-mapper" federationProviderDisplayName: "<LDAP_NAME>" config: ldap.attribute: "mail" user.model.attribute: "email" is.mandatory.in.ldap: "false" read.only: "true" always.read.value.from.ldap: "true"
Note
Verify that the
userFederationsection is located on the same level as theinitUserssection.Verify that all attributes set in the
mapperssection are defined for users in the specified LDAP system. Missing attributes may cause authorization issues.
For details, see Configure LDAP for IAM.
Google OAuth configuration
Example configuration:
keycloak: externalIdP: google: enabled: true config: clientId: <Google_OAuth_client_ID> clientSecret: <Google_OAuth_client_secret>
For details, see Configure Google OAuth IdP for IAM.
Disable NTP that is enabled by default. This option disables the management of
chronyconfiguration by Container Cloud to use your own system forchronymanagement. Otherwise, configure the regional NTP server parameters as described below.NTP configuration
Configure the regional NTP server parameters to be applied to all machines of managed clusters.
In
cluster.yaml.template, add thentp:serverssection with the list of required server names:spec: ... providerSpec: value: kaas: ... ntpEnabled: true regional: - helmReleases: - name: <providerName>-provider values: config: lcm: ... ntp: servers: - 0.pool.ntp.org ... provider: <providerName> ...
To disable NTP:
spec: ... providerSpec: value: ... ntpEnabled: false ...
Applies since Container Cloud 2.26.0 (Cluster release 16.1.0). If you plan to deploy large managed clusters, enable dynamic IP allocation to increase the amount of baremetal hosts to be provisioned in parallel. For details, see Enable dynamic IP allocation.
Now, proceed with completing the bootstrap process using the Container Cloud Bootstrap API as described in Deploy a management cluster using the Container Cloud API.