├── images
│   ├── owca-dashboard.png
│   ├── chef-nodes-compliance.png
│   └── chef-nodes-registration.png
├── .github
│   └── PULL_REQUEST_TEMPLATE.md
├── CODE_OF_CONDUCT.md
├── kops-config
│   ├── nodes.yaml
│   ├── master-eu-west-1a.yaml
│   └── chef.k8s.local.yaml
├── LICENSE
├── CONTRIBUTING.md
└── README.adoc

/images/owca-dashboard.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/opsworks-chef-automate-kubernetes/HEAD/images/owca-dashboard.png
--------------------------------------------------------------------------------
/images/chef-nodes-compliance.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/opsworks-chef-automate-kubernetes/HEAD/images/chef-nodes-compliance.png
--------------------------------------------------------------------------------
/images/chef-nodes-registration.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/opsworks-chef-automate-kubernetes/HEAD/images/chef-nodes-registration.png
--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
*Issue #, if available:*

*Description of changes:*


By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.
--------------------------------------------------------------------------------
/kops-config/nodes.yaml:
--------------------------------------------------------------------------------
apiVersion: kops/v1alpha2
kind: InstanceGroup
metadata:
  creationTimestamp: 2018-05-04T11:44:39Z
  labels:
    kops.k8s.io/cluster: chef.k8s.local
  name: nodes
spec:
  additionalUserData:
  - content: |
      INSERT-YOUR-USERDATA-HERE
    name: bootstrap.sh
    type: text/x-shellscript
  image: kope.io/k8s-1.8-debian-jessie-amd64-hvm-ebs-2018-02-08
  machineType: t2.medium
  maxSize: 2
  minSize: 2
  nodeLabels:
    kops.k8s.io/instancegroup: nodes
  role: Node
  subnets:
  - eu-west-1a
  - eu-west-1b
  - eu-west-1c
--------------------------------------------------------------------------------
/kops-config/master-eu-west-1a.yaml:
--------------------------------------------------------------------------------
apiVersion: kops/v1alpha2
kind: InstanceGroup
metadata:
  creationTimestamp: 2018-05-04T11:44:39Z
  labels:
    kops.k8s.io/cluster: chef.k8s.local
  name: master-eu-west-1a
spec:
  additionalUserData:
  - content: |
      #!/bin/sh
      echo "Hello World. The time is now $(date -R)!" | tee /root/output.txt
    name: darko.sh
    type: text/x-shellscript
  image: kope.io/k8s-1.8-debian-jessie-amd64-hvm-ebs-2018-02-08
  machineType: m3.medium
  maxSize: 1
  minSize: 1
  nodeLabels:
    kops.k8s.io/instancegroup: master-eu-west-1a
  role: Master
  subnets:
  - eu-west-1a
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify,
merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------
/kops-config/chef.k8s.local.yaml:
--------------------------------------------------------------------------------
apiVersion: kops/v1alpha2
kind: Cluster
metadata:
  creationTimestamp: 2018-05-05T09:29:42Z
  name: chef.k8s.local
spec:
  api:
    dns: {}
  authorization:
    rbac: {}
  channel: stable
  cloudProvider: aws
  configBase: s3://kubernetes-aws-io/chef.k8s.local
  etcdClusters:
  - etcdMembers:
    - instanceGroup: master-eu-west-1a
      name: a
    name: main
  - etcdMembers:
    - instanceGroup: master-eu-west-1a
      name: a
    name: events
  iam:
    allowContainerRegistry: true
    legacy: false
  additionalPolicies:
    node: |
      [
        {
          "Effect": "Allow",
          "Action": ["opsworks-cm:*"],
          "Resource": ["*"]
        },
        {
          "Effect": "Allow",
          "Action": ["cloudformation:*"],
          "Resource": ["*"]
        },
        {
          "Effect": "Allow",
          "Resource": ["arn:aws:s3:::aws-opsworks-cm-*"],
          "Action": [
            "s3:AbortMultipartUpload",
            "s3:DeleteObject",
            "s3:GetObject",
            "s3:ListAllMyBuckets",
            "s3:ListBucket",
            "s3:ListMultipartUploadParts",
            "s3:PutObject"
          ]
        }
      ]
  kubernetesApiAccess:
  - 0.0.0.0/0
  kubernetesVersion: 1.9.3
  masterPublicName: api.chef.k8s.local
  networkCIDR: 172.20.0.0/16
  networking:
    kubenet: {}
  nonMasqueradeCIDR: 100.64.0.0/10
  sshAccess:
  - 0.0.0.0/0
  subnets:
  - cidr: 172.20.32.0/19
    name: eu-west-1a
    type: Public
    zone: eu-west-1a
  - cidr: 172.20.64.0/19
    name: eu-west-1b
    type: Public
    zone: eu-west-1b
  - cidr: 172.20.96.0/19
    name: eu-west-1c
    type: Public
    zone: eu-west-1c
  topology:
    dns:
      type: Public
    masters: public
    nodes: public
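The cluster spec above grants the worker-node instance role `opsworks-cm:*` and `cloudformation:*` on every resource and opens both `sshAccess` and `kubernetesApiAccess` to `0.0.0.0/0`. Those are the two settings a reviewer would want to see before running `kops update cluster`, so here is a small review helper that pulls them out of a kops Cluster spec. This is an added example, not code from the aws-samples repository; it needs no PyYAML because it only walks the indentation of the file, the `CLUSTER_SPEC` sample is an excerpt of the page's own spec, and the `lint_cluster_spec` / `block_scalar` / `list_items` names and the finding format are my own.

```python
"""Review helper (added example, not part of the aws-samples repo): flag
service-wide IAM grants and world-open CIDRs in a kops Cluster spec such as
kops-config/chef.k8s.local.yaml, without requiring PyYAML."""
import json

# Constructed sample input: an excerpt of the page's chef.k8s.local.yaml with the
# same policy statements and CIDRs, compacted to one JSON statement per line.
CLUSTER_SPEC = """\
apiVersion: kops/v1alpha2
kind: Cluster
metadata:
  name: chef.k8s.local
spec:
  additionalPolicies:
    node: |
      [
        {"Effect": "Allow", "Action": ["opsworks-cm:*"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["cloudformation:*"], "Resource": ["*"]},
        {"Effect": "Allow", "Resource": ["arn:aws:s3:::aws-opsworks-cm-*"],
         "Action": ["s3:GetObject", "s3:PutObject"]}
      ]
  kubernetesApiAccess:
  - 0.0.0.0/0
  sshAccess:
  - 0.0.0.0/0
  subnets:
  - cidr: 172.20.32.0/19
    name: eu-west-1a
"""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def block_scalar(lines, key):
    """Return the dedented text of the first `key: |` block scalar, or None.
    In a kops spec the only `node: |` / `master: |` block scalars live under
    additionalPolicies, which is the simplification this helper relies on."""
    for i, line in enumerate(lines):
        if line.strip() == f"{key}: |":
            base = _indent(line)
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and _indent(nxt) <= base:
                    break  # back at the key's own level: block scalar ended
                body.append(nxt)
            first = next((l for l in body if l.strip()), "")
            depth = _indent(first)
            return "\n".join(l[depth:] for l in body)
    return None


def list_items(lines, key):
    """Return the scalar items (`- value`) of the sequence under `key:`."""
    items = []
    for i, line in enumerate(lines):
        if line.strip() == f"{key}:":
            base = _indent(line)
            for nxt in lines[i + 1:]:
                stripped = nxt.strip()
                if not stripped.startswith("- ") or _indent(nxt) < base:
                    break  # next mapping key or a shallower level
                items.append(stripped[2:].strip())
            break
    return items


def lint_cluster_spec(text):
    """Return human-readable findings for the broad settings in `text`."""
    lines = text.splitlines()
    findings = []
    for role in ("node", "master"):
        doc = block_scalar(lines, role)
        if not doc:
            continue
        for n, stmt in enumerate(json.loads(doc)):
            if stmt.get("Effect") != "Allow":
                continue
            actions = stmt.get("Action", [])
            resources = stmt.get("Resource", [])
            actions = [actions] if isinstance(actions, str) else actions
            resources = [resources] if isinstance(resources, str) else resources
            wild = [a for a in actions if a == "*" or a.endswith(":*")]
            if wild and "*" in resources:
                findings.append(
                    f"additionalPolicies.{role}[{n}]: service-wide actions "
                    f"{wild} allowed on Resource '*'")
    for key in ("sshAccess", "kubernetesApiAccess"):
        for cidr in list_items(lines, key):
            if cidr in ("0.0.0.0/0", "::/0"):
                findings.append(f"{key}: open to any address ({cidr})")
    return findings


if __name__ == "__main__":
    for finding in lint_cluster_spec(CLUSTER_SPEC):
        print(finding)
```

Run against the page's spec it reports the two wildcard statements and both open CIDRs; tightening `sshAccess` and `kubernetesApiAccess` to your administrative ranges, and restricting the `opsworks-cm` and `cloudformation` grants to the actions the bootstrap actually needs, clears the findings. The third statement, which names specific S3 actions on the `aws-opsworks-cm-*` bucket ARN, is the shape the other two should take.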
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing Guidelines

Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
documentation, we greatly value feedback and contributions from our community.

Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
information to effectively respond to your bug report or contribution.


## Reporting Bugs/Feature Requests

We welcome you to use the GitHub issue tracker to report bugs or suggest features.

When filing an issue, please check [existing open](https://github.com/aws-samples/opsworks-chef-automate-kubernetes/issues), or [recently closed](https://github.com/aws-samples/opsworks-chef-automate-kubernetes/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aclosed%20), issues to make sure somebody else hasn't already
reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:

* A reproducible test case or series of steps
* The version of our code being used
* Any modifications you've made relevant to the bug
* Anything unusual about your environment or deployment


## Contributing via Pull Requests
Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:

1. You are working against the latest source on the *master* branch.
2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
3. You open an issue to discuss any significant work - we would hate for your time to be wasted.

To send us a pull request, please:

1. Fork the repository.
2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
3. Ensure local tests pass.
4. Commit to your fork using clear commit messages.
5. Send us a pull request, answering any default questions in the pull request interface.
6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.

GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
[creating a pull request](https://help.github.com/articles/creating-a-pull-request/).


## Finding contributions to work on
Looking at the existing issues is a great way to find something to contribute to. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any ['help wanted'](https://github.com/aws-samples/opsworks-chef-automate-kubernetes/labels/help%20wanted) issues is a great place to start.


## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.


## Security issue notifications
If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public GitHub issue.


## Licensing

See the [LICENSE](https://github.com/aws-samples/opsworks-chef-automate-kubernetes/blob/master/LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.

We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes.
--------------------------------------------------------------------------------
/README.adoc:
--------------------------------------------------------------------------------
:toc:
= Compliance of Nodes in a Kubernetes Cluster using AWS OpsWorks for Chef Automate

This repo explains how you can check the compliance of worker nodes in a Kubernetes cluster using https://aws.amazon.com/opsworks/[AWS OpsWorks for Chef Automate] (OWCA).

== Launch AWS OpsWorks for Chef Automate Server

. Launch a Chef server using OWCA: https://console.aws.amazon.com/opsworks/cm/home?owc=chefautomate&region=us-east-1#/chef/. Specify a name and accept the defaults for the rest.
. Download the Credentials and the Starter Kit.
.. Expand the Starter Kit bundle; this is your Chef repo.
.. The credentials file is named `_credentials.csv`.
. From the AWS Console, select the Chef server and log in to the OWCA Dashboard. Use the credentials downloaded earlier.
+
image:images/owca-dashboard.png[]

== Download and configure ChefDK

. Download and install ChefDK from https://downloads.chef.io/chefdk
. Initialize a terminal:

    eval "$(chef shell-init bash)"

. In the Starter Kit directory, fetch the SSL certificate from the Chef server with the following command:

    knife ssl fetch

. Verify the install:

    $ knife client list
    default-validator

== Upload Chef Cookbooks

Upload the Chef Client and Audit cookbooks. The Chef nodes, which are also the Kubernetes worker nodes, execute these cookbooks from the OWCA server based on their check-in time.

. Download all dependencies:

    berks install

. Upload the cookbooks and their dependencies to the Chef server:

    berks upload

. By default, Apache 2 is included in the recipe uploaded to the Chef server. It does not need to be installed on the worker nodes. Remove the `apache2` recipe from `-repo/roles/opsworks-example-role.rb`.
. Create a role for the cookbook execution:

    knife role from file roles/opsworks-example-role.rb

. In the Chef UI, under `Compliance`, `Profile Store`, `Available`, search for the `DevSec SSH Baseline` profile and click `Get`.
. In `-repo/site-cookbooks/opsworks-audit/attributes`, check that this is the same profile that is defined.

== Create Kubernetes Cluster

. Install kops:

    brew update && brew install kops

. Create an S3 bucket and set up `KOPS_STATE_STORE`:

    export KOPS_STATE_STORE=s3://kubernetes-aws-io
    aws s3 mb $KOPS_STATE_STORE

. Create a k8s cluster:

    export NAME=chef.k8s.local
    kops create -f kops-config/$NAME.yaml

. Create the master instance group:

    kops create -f kops-config/master-eu-west-1a.yaml

. Update `kops-config/nodes.yaml` to replace `INSERT-YOUR-USERDATA-HERE` with the contents of `userdata.sh` from the Starter Kit. This lets each node bootstrap against the OWCA server.
. Create the nodes instance group:

    kops create -f kops-config/nodes.yaml

. Create a secret pointing to the SSH key:

    kops create secret --name $NAME sshpublickey admin -i ~/.ssh/id_rsa.pub

. Launch the cluster:

    kops update cluster $NAME --yes

. Validate the cluster:

    kops validate cluster

. Optionally, log in to the EC2 instances:

    ssh -i my-chef-automate-repo/.chef/private.pem admin@

== Show Kubernetes Nodes as Chef Nodes in OWCA Server

. Open the Chef Automate console.
. Check that the Kubernetes worker nodes are registered as Chef nodes:
+
image::images/chef-nodes-registration.png[]
. Check that the nodes are non-compliant:
+
image::images/chef-nodes-compliance.png[]

== Fix the Compliance

. Install the `ssh-hardening` cookbook with Berkshelf by editing the `Berksfile` in the root of the OpsWorks starter kit. Add the following line:

    cookbook 'ssh-hardening'

. Add this cookbook to the nodes' run list by adding the following line to the `roles/opsworks-example-role.rb` file, in the `run_list()` section:

    "recipe[ssh-hardening]"

. Upload the changes back to the Chef Automate server:

    berks install
    berks upload
    knife upload roles/opsworks-example-role.rb

. Wait for the nodes to check in again.

== License Summary

This sample code is made available under a modified MIT license. See the LICENSE file.
--------------------------------------------------------------------------------
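The "Update `kops-config/nodes.yaml`" step in the Create Kubernetes Cluster section above asks you to paste a multi-line shell script into a YAML block scalar (`- content: |`). Done by hand, a single line indented less than the placeholder silently ends the block scalar and kops rejects the file or, worse, the node boots with a truncated script. The helper below is an added example, not code from the aws-samples repository or the Starter Kit: it substitutes the placeholder with every line of the script at the placeholder's own indentation, refuses to proceed unless exactly one placeholder is present, and reads the block back so you can confirm what the node will actually execute. `NODES_YAML` is a copy of the page's `nodes.yaml`; `USERDATA_SH` is a constructed stand-in, since the real `userdata.sh` is generated per OWCA server and is not on this page; the function names are my own.

```python
"""Added helper (not part of the aws-samples repo): fill the
INSERT-YOUR-USERDATA-HERE placeholder in kops-config/nodes.yaml with the
Starter Kit's userdata.sh while keeping the YAML block scalar well formed."""

PLACEHOLDER = "INSERT-YOUR-USERDATA-HERE"

# Copy of the page's kops-config/nodes.yaml, used here as the template input.
NODES_YAML = """\
apiVersion: kops/v1alpha2
kind: InstanceGroup
metadata:
  labels:
    kops.k8s.io/cluster: chef.k8s.local
  name: nodes
spec:
  additionalUserData:
  - content: |
      INSERT-YOUR-USERDATA-HERE
    name: bootstrap.sh
    type: text/x-shellscript
  image: kope.io/k8s-1.8-debian-jessie-amd64-hvm-ebs-2018-02-08
  machineType: t2.medium
  role: Node
"""

# Constructed stand-in for the Starter Kit's userdata.sh (the real script is
# generated by OpsWorks for your server and is deliberately not reproduced).
USERDATA_SH = """\
#!/bin/bash
# constructed placeholder bootstrap; replace with the Starter Kit userdata.sh

echo "bootstrap placeholder"
"""


def _indent_of(line):
    return len(line) - len(line.lstrip(" "))


def render_userdata(template, userdata, placeholder=PLACEHOLDER):
    """Replace the single placeholder line with `userdata`, re-indenting every
    script line to the placeholder's depth so the block scalar stays intact."""
    out, replaced = [], 0
    for line in template.splitlines():
        if line.strip() == placeholder:
            pad = " " * _indent_of(line)
            for script_line in userdata.rstrip("\n").splitlines():
                # blank lines stay empty: trailing spaces are not part of a script
                out.append(pad + script_line if script_line.strip() else "")
            replaced += 1
        else:
            out.append(line)
    if replaced != 1:
        raise ValueError(f"expected exactly one {placeholder} line, found {replaced}")
    return "\n".join(out) + "\n"


def userdata_from_yaml(rendered):
    """Read back the first `- content: |` block scalar, dedented, so the caller
    can compare what kops will hand to the node against the intended script."""
    lines = rendered.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "- content: |":
            key_depth = _indent_of(line) + 2  # depth of `content:` itself
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and _indent_of(nxt) <= key_depth:
                    break  # sibling key such as `name:` ends the scalar
                body.append(nxt)
            first = next((l for l in body if l.strip()), "")
            depth = _indent_of(first)
            return "\n".join(l[depth:] for l in body) + "\n"
    return None


if __name__ == "__main__":
    print(render_userdata(NODES_YAML, USERDATA_SH))
```

In practice you would read the template and script from disk and write the result back to `kops-config/nodes.yaml` before the `kops create -f kops-config/nodes.yaml` step; the round trip through `userdata_from_yaml` is the check worth keeping, because user data is executed as root on every worker at boot and should match the script you reviewed byte for byte.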