diff --git a/README.md b/README.md index 8e6d177..419d625 100644 --- a/README.md +++ b/README.md @@ -6,56 +6,14 @@ ## 🔧 Возможности -* 📦 Полная автоматизация развертывания K3s-кластера -* 🔐 Реализация лучших практик безопасности (SSH, firewall, user hardening и пр.) -* 📜 IaC (Infrastructure as Code) с использованием Ansible, Terraform и Bash +* Полная автоматизация развертывания K3s-кластера +* Реализация лучших практик безопасности (SSH, firewall, user hardening и пр.) +* IaC (Infrastructure as Code) с использованием Ansible, Terraform и Bash -## 📁 Структура проекта +## Структура проекта ``` ├── ansible/ # Ansible playbooks для настройки VM и K3s ├── terraform/ # Terraform модули для создания VM в Proxmox └── README.md -``` - -## ⚙️ Требования - -* Proxmox VE 7.x+ -* Terraform 1.0+ -* Ansible 2.10+ -* Bash (Linux/macOS) -* Доступ к Proxmox через API -* SSH-ключ для доступа к виртуальным машинам - -## 🚀 Установка - -1. **Склонируйте репозиторий:** - -```bash -git clone https://git.vadzik-iot.ru/vadzik/sac_project.git -cd k3s-proxmox-sec -``` - -2. **Настройте переменные окружения и secrets (Terraform/Ansible):** - - -3. **Создайте виртуальные машины через Terraform:** - -```bash -cd terraform -terraform init -terraform apply -``` - -4. **Запустите Ansible-плейбук для настройки K3s и обеспечения безопасности:** - -```bash -cd ../ansible -ansible-playbook site.yml -i inventory.ini -``` - -## 🔐 Безопасность - -* Минимизация прав пользователей -* Только доступ по SSH-ключу (пароли отключены) -* Проверка хэшей и сертификатов при установке +``` \ No newline at end of file diff --git a/SECURITY_README.md b/SECURITY_README.md deleted file mode 100644 index f8df4b9..0000000 --- a/SECURITY_README.md +++ /dev/null 
@@ -1,98 +0,0 @@ -# Security as Code Infrastructure on Proxmox - -This repository contains the Infrastructure as Code (IaC) for deploying a secure Kubernetes cluster on Proxmox using Terraform and Ansible with security policies embedded as code. - -## Security Features - -### Terraform Security - -- **Secure VM Configuration**: Virtual machines are created with security best practices: - - Non-root SSH users - - Memory limits to prevent resource exhaustion - - Only approved template images are used - - Disk encryption available (currently commented) - - All VMs properly tagged for inventory management - - EFI disks with secure boot capability - -- **Policy as Code**: Security policies are enforced through: - - **OPA/Conftest**: Rego policies that enforce security rules during Terraform plan/apply - - **Trivy**: Comprehensive security scanner for Infrastructure as Code, container images, and dependencies - - **checkov**: Plan analysis that detects security issues in the final configuration - -### Ansible Security - -- **SSH Hardening**: - - Disables password authentication - - Disables root login - - Configures secure ciphers and key exchange algorithms - - Limits user access - -- **System Hardening**: - - Configures audit rules for comprehensive logging (auditd) - - Implements fail2ban for brute force protection - - Configures UFW firewall with restrictive rules - - Sets up unattended security updates (excluding Kubernetes components) - - Persistent journald logging - - Secure sysctl parameters - -- **Kubernetes Security**: - - RBAC for access control - - Network Policies for cluster network security - - Pod Security Standards/Admission for container security - -## CI/CD Security Pipeline - -The `.gitlab-ci.yml` file defines a complete security pipeline: - -1. **Validation Stage**: - - Terraform validation and formatting check - - Trivy security scanning for IaC misconfigurations and secrets - - checkov security scanning - - Conftest OPA policy validation - -2. 
**Lint Stage**: - - Ansible-lint for playbook security issues - - Conftest checks for Ansible - -3. **Plan/Apply Stage**: - - Terraform plan reviewed before application - - Ansible playbook syntax checking - -4. **Test Stage**: - - Verifies that all nodes are properly configured - -## Usage - -1. Update Terraform variables in `terraform/terraform.tfvars` -2. Run security checks: - ``` - cd terraform - terraform init - terraform plan -out=tfplan - terraform show -json tfplan > tfplan.json - conftest test tfplan.json -p policies/ - ``` -3. Deploy infrastructure: - ``` - terraform apply tfplan - ``` -4. Configure nodes with Ansible: - ``` - cd ../ansible - ansible-playbook -i inventory/hosts.ini site.yml - ``` - -## Policy Enforcement - -- All infrastructure changes must pass the security pipeline -- Policy violations halt the deployment process -- Security configuration is maintained by Ansible on a regular schedule - -## Monitoring and Maintenance - -- Centralized logging configuration -- Audit logs setup for security events -- Automatic security updates -- Network security monitoring - -For more details, see the [README.md](README.md) file for general infrastructure information. \ No newline at end of file diff --git a/ansible/inventory/k3s-cluster/hosts.ini b/ansible/inventory/k3s-cluster/hosts.ini deleted file mode 100755 index 9c0c0c4..0000000 --- a/ansible/inventory/k3s-cluster/hosts.ini +++ /dev/null @@ -1,10 +0,0 @@ -[master] -192.168.30.81 ansible_ssh_private_key_file=~/.ssh/iac_proxmox - -[node] -192.168.30.91 ansible_ssh_private_key_file=~/.ssh/iac_proxmox -192.168.30.92 ansible_ssh_private_key_file=~/.ssh/iac_proxmox - -[k3s_cluster:children] -master -node \ No newline at end of file
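Review bot: the README.md hunk (`@@ -6,56 +6,14`) deletes the Requirements, Installation and Security sections outright, and since SECURITY_README.md is removed in the same patch, no file in the repository is left stating how the cluster is deployed or which controls it applies (SSH-key-only access, disabled password login, hash and certificate verification). Keep at least a short Requirements/Usage stub and the three Security bullets in README.md, or link to wherever that content is moving. If the clone instructions are reinstated, also fix the path mismatch: `git clone https://git.vadzik-iot.ru/vadzik/sac_project.git` is followed by `cd k3s-proxmox-sec`, which is not the directory that clone creates.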
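Review bot: deleting SECURITY_README.md removes the only documentation of the policy-as-code pipeline (Conftest/OPA, Trivy, checkov stages of `.gitlab-ci.yml`) and of the local check sequence `terraform plan -out=tfplan`, `terraform show -json tfplan > tfplan.json`, `conftest test tfplan.json -p policies/`, and nothing in this patch relocates that text. Fold the "Security Features", "CI/CD Security Pipeline" and "Usage" sections into README.md before removing the file, and while doing so reconcile the inventory paths, which already disagreed across the two documents (`-i inventory/hosts.ini` here versus `-i inventory.ini` in README.md, while the actual file lived at `ansible/inventory/k3s-cluster/hosts.ini`). One caveat worth carrying over into the merged text: the plan JSON written by `terraform show -json` contains resolved variable values, so `tfplan` and `tfplan.json` should be listed in `.gitignore` and not kept as CI artifacts.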
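Review bot: the removal of `ansible/inventory/k3s-cluster/hosts.ini` leaves no inventory in the repository and no replacement is added, yet README.md still instructs `ansible-playbook site.yml -i inventory.ini`. If the inventory is now generated from Terraform output, say so in the README and name the generated path; if the static file is meant to stay, keep it but move the `ansible_ssh_private_key_file=~/.ssh/iac_proxmox` setting repeated on each of the three host lines into a single `[k3s_cluster:vars]` block (or `group_vars/k3s_cluster.yml`) so a key change is one edit rather than three. Dropping the file also drops the odd `100755` mode on an `.ini` inventory, which is fine; a recreated file should be `100644`.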