fix: merge kubelet params (#109)

Signed-off-by: chenk <[email protected]>
aquasecurity · Apr 17, 2024 · a1e428c · a1e428c
1 parent faa6501
commit a1e428c
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 28 deletions.
diff --git a/pkg/collector/collect.go b/pkg/collector/collect.go
@@ -19,10 +19,14 @@ var configMapper = map[string]string{
  "kubeletClientCaFileArgumentSet": "authentication.x509.clientCAFile",
  "kubeletReadOnlyPortArgumentSet": "readOnlyPort",
  "kubeletStreamingConnectionIdleTimeoutArgumentSet": "streamingConnectionIdleTimeout",
- "kubeletProtectKernelDefaultsArgumentSet": "kernelMemcgNotification",
+ "kubeletProtectKernelDefaultsArgumentSet": "protectKernelDefaults",
  "kubeletMakeIptablesUtilChainsArgumentSet": "makeIPTablesUtilChains",
  "kubeletEventQpsArgumentSet": "eventRecordQPS",
  "kubeletRotateKubeletServerCertificateArgumentSet": "featureGates.RotateKubeletServerCertificate",
+ "kubeletRotateCertificatesArgumentSet": "rotateCertificates",
+ "kubeletTlsCertFileTlsArgumentSet": "tlsCertFile",
+ "kubeletTlsPrivateKeyFileArgumentSet": "tlsPrivateKeyFile",
+ "kubeletOnlyUseStrongCryptographic": "tlsCipherSuites",
 }
 
 type SpecVersion struct {
@@ -69,7 +73,7 @@ func CollectData(cmd *cobra.Command, target string) error {
  specVersion := cmd.Flag("version").Value.String()
  sv := SpecVersion{Name: specName, Version: specVersion}
  if len(sv.Name) == 0 || len(sv.Version) == 0 {
- sv = specByPlatfromVersion(p.Name, p.Version)
+ sv = specByPlatfromVersion(p.Name)
  }
  for _, infoCollector := range infoCollectorMap {
  nodeInfo := make(map[string]*Info)
@@ -126,7 +130,7 @@ func loadNodeConfig(ctx context.Context, cluster Cluster, nodeName string) (map[
  return nodeConfig, nil
 }
 
-func specByPlatfromVersion(platfrom string, version string) SpecVersion {
+func specByPlatfromVersion(platfrom string) SpecVersion {
  return platfromSpec[fmt.Sprintf("%s-%s", platfrom, platfrom)]
 }
 
@@ -150,6 +154,8 @@ func getValuesFromkubeletConfig(nodeConfig map[string]interface{}) (map[string]*
  switch r := p.(type) {
  case bool:
  overrideConfig[k] = &Info{Values: []interface{}{strconv.FormatBool(r)}}
+ case []interface{}:
+ overrideConfig[k] = &Info{Values: r}
  default:
  overrideConfig[k] = &Info{Values: []interface{}{r}}
  }

diff --git a/pkg/collector/collect_test.go b/pkg/collector/collect_test.go
@@ -25,17 +25,27 @@ func TestParseNodeConfig(t *testing.T) {
  Values: []interface{}{"Webhook"},
  },
  "kubeletClientCaFileArgumentSet": {
- Values: []interface{}{"/etc/kubernetes/pki/ca.crt"},
+ Values: []interface{}{"/etc/kubernetes/certs/ca.crt"},
  },
  "kubeletEventQpsArgumentSet": {
- Values: []interface{}{5.0},
+ Values: []interface{}{0.0},
  },
  "kubeletMakeIptablesUtilChainsArgumentSet": {
  Values: []interface{}{"true"},
  },
  "kubeletStreamingConnectionIdleTimeoutArgumentSet": {
  Values: []interface{}{"4h0m0s"},
  },
+ "kubeletOnlyUseStrongCryptographic": {
+ Values: []interface{}{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_RSA_WITH_AES_128_GCM_SHA256"},
+ },
  }},
  }
 
@@ -49,7 +59,9 @@ func TestParseNodeConfig(t *testing.T) {
  m, err := getValuesFromkubeletConfig(nodeConfig)
  assert.NoError(t, err)
  for k, v := range m {
- assert.Equal(t, v, tt.expextedNodeConfigFile[k])
+ if _, ok := tt.expextedNodeConfigFile[k]; ok {
+ assert.Equal(t, v, tt.expextedNodeConfigFile[k])
+ }
  }
  })
  }

diff --git a/pkg/collector/testdata/fixture/node_config.json b/pkg/collector/testdata/fixture/node_config.json
@@ -7,12 +7,22 @@
  "httpCheckFrequency": "20s",
  "address": "0.0.0.0",
  "port": 10250,
- "tlsCertFile": "/var/lib/kubelet/pki/kubelet.crt",
- "tlsPrivateKeyFile": "/var/lib/kubelet/pki/kubelet.key",
+ "tlsCertFile": "/etc/kubernetes/certs/kubeletserver.crt",
+ "tlsPrivateKeyFile": "/etc/kubernetes/certs/kubeletserver.key",
+ "tlsCipherSuites": [
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_RSA_WITH_AES_128_GCM_SHA256"
+ ],
  "rotateCertificates": true,
  "authentication": {
  "x509": {
- "clientCAFile": "/etc/kubernetes/pki/ca.crt"
+ "clientCAFile": "/etc/kubernetes/certs/ca.crt"
  },
  "webhook": {
  "enabled": true,
@@ -31,71 +41,94 @@
  },
  "registryPullQPS": 5,
  "registryBurst": 10,
- "eventRecordQPS": 5,
- "eventBurst": 10,
+ "eventRecordQPS": 0,
+ "eventBurst": 100,
  "enableDebuggingHandlers": true,
  "healthzPort": 10248,
  "healthzBindAddress": "127.0.0.1",
  "oomScoreAdj": -999,
  "clusterDomain": "cluster.local",
  "clusterDNS": [
- "10.96.0.10"
+ "10.0.0.10"
  ],
  "streamingConnectionIdleTimeout": "4h0m0s",
  "nodeStatusUpdateFrequency": "10s",
  "nodeStatusReportFrequency": "5m0s",
  "nodeLeaseDurationSeconds": 40,
  "imageMinimumGCAge": "2m0s",
- "imageGCHighThresholdPercent": 100,
+ "imageGCHighThresholdPercent": 85,
  "imageGCLowThresholdPercent": 80,
  "volumeStatsAggPeriod": "1m0s",
- "cgroupRoot": "/kubelet",
  "cgroupsPerQOS": true,
- "cgroupDriver": "cgroupfs",
+ "cgroupDriver": "systemd",
  "cpuManagerPolicy": "none",
  "cpuManagerReconcilePeriod": "10s",
  "memoryManagerPolicy": "None",
  "topologyManagerPolicy": "none",
  "topologyManagerScope": "container",
- "runtimeRequestTimeout": "2m0s",
+ "runtimeRequestTimeout": "15m0s",
  "hairpinMode": "promiscuous-bridge",
- "maxPods": 110,
+ "maxPods": 30,
  "podPidsLimit": -1,
  "resolvConf": "/etc/resolv.conf",
  "cpuCFSQuota": true,
  "cpuCFSQuotaPeriod": "100ms",
  "nodeStatusMaxImages": 50,
  "maxOpenFiles": 1000000,
  "contentType": "application/vnd.kubernetes.protobuf",
- "kubeAPIQPS": 5,
- "kubeAPIBurst": 10,
+ "kubeAPIQPS": 50,
+ "kubeAPIBurst": 100,
  "serializeImagePulls": true,
  "evictionHard": {
- "imagefs.available": "0%",
- "nodefs.available": "0%",
- "nodefs.inodesFree": "0%"
+ "memory.available": "750Mi",
+ "nodefs.available": "10%",
+ "nodefs.inodesFree": "5%",
+ "pid.available": "2000"
  },
  "evictionPressureTransitionPeriod": "5m0s",
  "enableControllerAttachDetach": true,
+ "protectKernelDefaults": true,
  "makeIPTablesUtilChains": true,
  "iptablesMasqueradeBit": 14,
  "iptablesDropBit": 15,
- "failSwapOn": false,
- "containerLogMaxSize": "10Mi",
+ "featureGates": {
+ "CSIMigrationAzureFile": true,
+ "DelegateFSGroupToCSIDriver": true
+ },
+ "failSwapOn": true,
+ "memorySwap": {},
+ "containerLogMaxSize": "50M",
  "containerLogMaxFiles": 5,
  "configMapAndSecretChangeDetectionStrategy": "Watch",
+ "kubeReserved": {
+ "cpu": "100m",
+ "memory": "1843Mi",
+ "pid": "1000"
+ },
  "enforceNodeAllocatable": [
  "pods"
  ],
- "volumePluginDir": "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/",
- "providerID": "kind://docker/kind/kind-control-plane",
+ "volumePluginDir": "/etc/kubernetes/volumeplugins",
  "logging": {
- "format": "text"
+ "format": "text",
+ "flushFrequency": 5000000000,
+ "verbosity": 2,
+ "options": {
+ "json": {
+ "infoBufferSize": "0"
+ }
+ }
  },
  "enableSystemLogHandler": true,
+ "enableSystemLogQuery": false,
  "shutdownGracePeriod": "0s",
  "shutdownGracePeriodCriticalPods": "0s",
  "enableProfilingHandler": true,
- "enableDebugFlagsHandler": true
+ "enableDebugFlagsHandler": true,
+ "seccompDefault": false,
+ "memoryThrottlingFactor": 0.9,
+ "registerNode": true,
+ "localStorageCapacityIsolation": true,
+ "containerRuntimeEndpoint": "unix:///run/containerd/containerd.sock"
  }
 }