Configure optional cluster settings¶
During creation of a management cluster using Bootstrap v2, you can configure
optional cluster settings using the Container Cloud API by modifying the
Cluster object or cluster.yaml.template of the required provider.
To configure optional cluster settings:
Select from the following options:
If you create a management cluster using the Container Cloud API, proceed to the next step and configure
cluster.yaml.templateof the required provider instead of theClusterobject while following the below procedure.If you create a management cluster using the Container Cloud Bootstrap web UI:
Log in to the seed node where the bootstrap cluster is located.
Navigate to the
kaas-bootstrapfolder.Export
KUBECONFIGto connect to the bootstrap cluster:export KUBECONFIG=<pathToKindKubeconfig>
Obtain the cluster name and open its
Clusterobject for editing:kubectl get clusters kubectl edit cluster <clusterName>
Technology Preview. Enable custom host names for cluster machines. When enabled, any machine host name in a particular region matches the related
Machineobject name. For example, instead of the defaultkaas-node-<UID>, a machine host name will bemaster-0. The custom naming format is more convenient and easier to operate with.To enable the feature on the management and its future managed clusters:
In the
Clusterobject, find thespec.providerSpec.value.kaas.regionalsection of the required region.In this section, find the required provider
nameunderhelmReleases.Under
values.config, addcustomHostnamesEnabled: true.For example, for the bare metal provider in
region-one:regional: - helmReleases: - name: baremetal-provider values: config: allInOneAllowed: false customHostnamesEnabled: true internalLoadBalancers: false provider: baremetal-provider
Add the following environment variable:
export CUSTOM_HOSTNAMES=true
Technology Preview. Enable the Linux Audit daemon auditd to monitor activity of cluster processes and prevent potential malicious activity.
Configuration for auditd
In the
Clusterobject, add the auditd parameters:spec: providerSpec: value: audit: auditd: enabled: <bool> enabledAtBoot: <bool> backlogLimit: <int> maxLogFile: <int> maxLogFileAction: <string> maxLogFileKeep: <int> mayHaltSystem: <bool> presetRules: <string> customRules: <string> customRulesX32: <text> customRulesX64: <text>
Configuration parameters for auditd:
enabledBoolean, default -
false. Enables theauditdrole to install the auditd packages and configure rules. CIS rules: 4.1.1.1, 4.1.1.2.enabledAtBootBoolean, default -
false. Configures grub to audit processes that can be audited even if they start up prior to auditd startup. CIS rule: 4.1.1.3.backlogLimitInteger, default - none. Configures the backlog to hold records. If during boot
audit=1is configured, the backlog holds 64 records. If more than 64 records are created during boot, auditd records will be lost with a potential malicious activity being undetected. CIS rule: 4.1.1.4.maxLogFileInteger, default - none. Configures the maximum size of the audit log file. Once the log reaches the maximum size, it is rotated and a new log file is created. CIS rule: 4.1.2.1.
maxLogFileActionString, default - none. Defines handling of the audit log file reaching the maximum file size. Allowed values:
keep_logs- rotate logs but never delete themrotate- add a cron job to compress rotated log files and keep maximum 5 compressed files.compress- compress log files and keep them under the/var/log/auditd/directory. Requiresauditd_max_log_file_keepto be enabled.
CIS rule: 4.1.2.2.
maxLogFileKeepInteger, default -
5. Defines the number of compressed log files to keep under the/var/log/auditd/directory. Requiresauditd_max_log_file_action=compress. CIS rules - none.mayHaltSystemBoolean, default -
false. Halts the system when the audit logs are full. Applies the following configuration:space_left_action = emailaction_mail_acct = rootadmin_space_left_action = halt
CIS rule: 4.1.2.3.
customRulesString, default - none. Base64-encoded content of the
60-custom.rulesfile for any architecture. CIS rules - none.customRulesX32String, default - none. Base64-encoded content of the
60-custom.rulesfile for thei386architecture. CIS rules - none.customRulesX64String, default - none. Base64-encoded content of the
60-custom.rulesfile for thex86_64architecture. CIS rules - none.presetRulesString, default - none. Comma-separated list of the following built-in preset rules:
accessactionsdeletedocker
identityimmutableloginsmac-policy
modulesmountsperm-modprivileged
scopesessionsystem-localetime-change
You can use two keywords for these rules:
none- disables all built-in rules.all- enables all built-in rules. With this key, you can add the!prefix to a rule name to exclude some rules. You can use the!prefix for rules only if you add theallkeyword as the first rule. Place a rule with the!prefix only after theallkeyword.
Example configurations:
presetRules: none- disable all preset rulespresetRules: docker- enable only thedockerrulespresetRules: access,actions,logins- enable only theaccess,actions, andloginsrulespresetRules: all- enable all preset rulespresetRules: all,!immutable,!sessions- enable all preset rules exceptimmutableandsessions
CIS controls
4.1.3 (time-change)4.1.4 (identity)4.1.5 (system-locale)4.1.6 (mac-policy)4.1.7 (logins)4.1.8 (session)4.1.9 (perm-mod)4.1.10 (access)4.1.11 (privileged)4.1.12 (mounts)4.1.13 (delete)4.1.14 (scope)4.1.15 (actions)4.1.16 (modules)4.1.17 (immutable)Docker CIS controls
1.1.41.1.81.1.101.1.121.1.131.1.151.1.161.1.171.1.181.2.31.2.41.2.51.2.61.2.71.2.101.2.11
Configure OIDC integration:
LDAP configuration
Example configuration:
spec: providerSpec: value: kaas: management: helmReleases: - name: iam values: keycloak: userFederation: providers: - displayName: "<LDAP_NAME>" providerName: "ldap" priority: 1 fullSyncPeriod: -1 changedSyncPeriod: -1 config: pagination: "true" debug: "false" searchScope: "1" connectionPooling: "true" usersDn: "<DN>" # "ou=People, o=<ORGANIZATION>, dc=<DOMAIN_COMPONENT>" userObjectClasses: "inetOrgPerson,organizationalPerson" usernameLDAPAttribute: "uid" rdnLDAPAttribute: "uid" vendor: "ad" editMode: "READ_ONLY" uuidLDAPAttribute: "uid" connectionUrl: "ldap://<LDAP_DNS>" syncRegistrations: "false" authType: "simple" bindCredential: "" bindDn: "" mappers: - name: "username" federationMapperType: "user-attribute-ldap-mapper" federationProviderDisplayName: "<LDAP_NAME>" config: ldap.attribute: "uid" user.model.attribute: "username" is.mandatory.in.ldap: "true" read.only: "true" always.read.value.from.ldap: "false" - name: "full name" federationMapperType: "full-name-ldap-mapper" federationProviderDisplayName: "<LDAP_NAME>" config: ldap.full.name.attribute: "cn" read.only: "true" write.only: "false" - name: "last name" federationMapperType: "user-attribute-ldap-mapper" federationProviderDisplayName: "<LDAP_NAME>" config: ldap.attribute: "sn" user.model.attribute: "lastName" is.mandatory.in.ldap: "true" read.only: "true" always.read.value.from.ldap: "true" - name: "email" federationMapperType: "user-attribute-ldap-mapper" federationProviderDisplayName: "<LDAP_NAME>" config: ldap.attribute: "mail" user.model.attribute: "email" is.mandatory.in.ldap: "false" read.only: "true" always.read.value.from.ldap: "true"
Note
Verify that the
userFederationsection is located on the same level as theinitUserssection.Verify that all attributes set in the
mapperssection are defined for users in the specified LDAP system. Missing attributes may cause authorization issues.
For details, see Configure LDAP for IAM.
Google OAuth configuration
Example configuration:
keycloak: externalIdP: google: enabled: true config: clientId: <Google_OAuth_client_ID> clientSecret: <Google_OAuth_client_secret>
For details, see Configure Google OAuth IdP for IAM.
Disable NTP that is enabled by default. This option disables the management of
chronyconfiguration by Container Cloud to use your own system forchronymanagement. Otherwise, configure the regional NTP server parameters as described below.NTP configuration
Configure the regional NTP server parameters to be applied to all machines of regional and managed clusters in the specified region.
In the
Clusterobject, add thentp:serverssection with the list of required server names:spec: ... providerSpec: value: kaas: ... ntpEnabled: true regional: - helmReleases: - name: <providerName>-provider values: config: lcm: ... ntp: servers: - 0.pool.ntp.org ... provider: <providerName> ...
To disable NTP:
spec: ... providerSpec: value: ... ntpEnabled: false ...
Applies to the OpenStack provider only. Configure periodic backups of MariaDB. For more details, see Configure periodic backups of MariaDB for the OpenStack provider.
Example configuration:
spec: providerSpec: value: kaas: management: helmReleases: ... - name: iam values: keycloak: mariadb: conf: phy_backup: enabled: true backup_timeout: 30000 allow_unsafe_backup: true backups_to_keep: 3 backup_pvc_name: mariadb-phy-backup-data full_backup_cycle: 70000 backup_required_space_ratio: 1.4 schedule_time: '30 2 * * *'
Applies to the vSphere provider only. Configure
squid-proxyas described in Configure squid-proxy.Example configuration:
spec: ... providerSpec: value: ... kaas: ... regional: - helmReleases: ... - name: squid-proxy values: config: domains: rhel: - .subscription.rhsm.redhat.com - .cdn.redhat.com - .centos.org - .satellite.server.org - .custom.centos.mirror.org - 172.16.10.10 provider: vsphere
Now, proceed with completing the bootstrap process using the Container Cloud Bootstrap web UI or API depending on the selected provider as described in Deploy Container Cloud using Boostrap v2 Recommended.