cleanup
README.md (50 changed lines)
@@ -6,56 +6,14 @@
|
||||
|
||||
## 🔧 Возможности
|
||||
|
||||
* 📦 Полная автоматизация развертывания K3s-кластера
|
||||
* 🔐 Реализация лучших практик безопасности (SSH, firewall, user hardening и пр.)
|
||||
* 📜 IaC (Infrastructure as Code) с использованием Ansible, Terraform и Bash
|
||||
* Полная автоматизация развертывания K3s-кластера
|
||||
* Реализация лучших практик безопасности (SSH, firewall, user hardening и пр.)
|
||||
* IaC (Infrastructure as Code) с использованием Ansible, Terraform и Bash
|
||||
|
||||
## 📁 Структура проекта
|
||||
## Структура проекта
|
||||
|
||||
```
|
||||
├── ansible/ # Ansible playbooks для настройки VM и K3s
|
||||
├── terraform/ # Terraform модули для создания VM в Proxmox
|
||||
└── README.md
|
||||
```
|
||||
|
||||
## ⚙️ Требования
|
||||
|
||||
* Proxmox VE 7.x+
|
||||
* Terraform 1.0+
|
||||
* Ansible 2.10+
|
||||
* Bash (Linux/macOS)
|
||||
* Доступ к Proxmox через API
|
||||
* SSH-ключ для доступа к виртуальным машинам
|
||||
|
||||
## 🚀 Установка
|
||||
|
||||
1. **Склонируйте репозиторий:**
|
||||
|
||||
```bash
|
||||
git clone https://git.vadzik-iot.ru/vadzik/sac_project.git
|
||||
cd k3s-proxmox-sec
|
||||
```
|
||||
|
||||
2. **Настройте переменные окружения и secrets (Terraform/Ansible):**
|
||||
|
||||
|
||||
3. **Создайте виртуальные машины через Terraform:**
|
||||
|
||||
```bash
|
||||
cd terraform
|
||||
terraform init
|
||||
terraform apply
|
||||
```
|
||||
|
||||
4. **Запустите Ansible-плейбук для настройки K3s и обеспечения безопасности:**
|
||||
|
||||
```bash
|
||||
cd ../ansible
|
||||
ansible-playbook site.yml -i inventory.ini
|
||||
```
|
||||
|
||||
## 🔐 Безопасность
|
||||
|
||||
* Минимизация прав пользователей
|
||||
* Только доступ по SSH-ключу (пароли отключены)
|
||||
* Проверка хэшей и сертификатов при установке
|
||||
|
||||
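Review bot: dropping the Требования, Установка and Безопасность sections (the hunk shrinks this README region from 56 lines to 14, leaving only the feature list and the project structure block) takes away the install procedure and the stated hardening guarantees (key-only SSH with passwords disabled, hash and certificate verification at install) without leaving any pointer to where that guidance now lives; a commit titled "cleanup" should either keep those sections or replace them with a one-line reference to the new location. The removed install step also carried a defect that is better fixed than deleted: `git clone https://git.vadzik-iot.ru/vadzik/sac_project.git` followed by `cd k3s-proxmox-sec` cannot work as written, since the cloned directory is `sac_project`. Stripping the emoji from the bullets and from the Структура проекта heading is fine.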
@@ -1,98 +0,0 @@
|
||||
# Security as Code Infrastructure on Proxmox
|
||||
|
||||
This repository contains the Infrastructure as Code (IaC) for deploying a secure Kubernetes cluster on Proxmox using Terraform and Ansible with security policies embedded as code.
|
||||
|
||||
## Security Features
|
||||
|
||||
### Terraform Security
|
||||
|
||||
- **Secure VM Configuration**: Virtual machines are created with security best practices:
|
||||
- Non-root SSH users
|
||||
- Memory limits to prevent resource exhaustion
|
||||
- Only approved template images are used
|
||||
- Disk encryption available (currently commented)
|
||||
- All VMs properly tagged for inventory management
|
||||
- EFI disks with secure boot capability
|
||||
|
||||
- **Policy as Code**: Security policies are enforced through:
|
||||
- **OPA/Conftest**: Rego policies that enforce security rules during Terraform plan/apply
|
||||
- **Trivy**: Comprehensive security scanner for Infrastructure as Code, container images, and dependencies
|
||||
- **checkov**: Plan analysis that detects security issues in the final configuration
|
||||
|
||||
### Ansible Security
|
||||
|
||||
- **SSH Hardening**:
|
||||
- Disables password authentication
|
||||
- Disables root login
|
||||
- Configures secure ciphers and key exchange algorithms
|
||||
- Limits user access
|
||||
|
||||
- **System Hardening**:
|
||||
- Configures audit rules for comprehensive logging (auditd)
|
||||
- Implements fail2ban for brute force protection
|
||||
- Configures UFW firewall with restrictive rules
|
||||
- Sets up unattended security updates (excluding Kubernetes components)
|
||||
- Persistent journald logging
|
||||
- Secure sysctl parameters
|
||||
|
||||
- **Kubernetes Security**:
|
||||
- RBAC for access control
|
||||
- Network Policies for cluster network security
|
||||
- Pod Security Standards/Admission for container security
|
||||
|
||||
## CI/CD Security Pipeline
|
||||
|
||||
The `.gitlab-ci.yml` file defines a complete security pipeline:
|
||||
|
||||
1. **Validation Stage**:
|
||||
- Terraform validation and formatting check
|
||||
- Trivy security scanning for IaC misconfigurations and secrets
|
||||
- checkov security scanning
|
||||
- Conftest OPA policy validation
|
||||
|
||||
2. **Lint Stage**:
|
||||
- Ansible-lint for playbook security issues
|
||||
- Conftest checks for Ansible
|
||||
|
||||
3. **Plan/Apply Stage**:
|
||||
- Terraform plan reviewed before application
|
||||
- Ansible playbook syntax checking
|
||||
|
||||
4. **Test Stage**:
|
||||
- Verifies that all nodes are properly configured
|
||||
|
||||
## Usage
|
||||
|
||||
1. Update Terraform variables in `terraform/terraform.tfvars`
|
||||
2. Run security checks:
|
||||
```
|
||||
cd terraform
|
||||
terraform init
|
||||
terraform plan -out=tfplan
|
||||
terraform show -json tfplan > tfplan.json
|
||||
conftest test tfplan.json -p policies/
|
||||
```
|
||||
3. Deploy infrastructure:
|
||||
```
|
||||
terraform apply tfplan
|
||||
```
|
||||
4. Configure nodes with Ansible:
|
||||
```
|
||||
cd ../ansible
|
||||
ansible-playbook -i inventory/hosts.ini site.yml
|
||||
```
|
||||
|
||||
## Policy Enforcement
|
||||
|
||||
- All infrastructure changes must pass the security pipeline
|
||||
- Policy violations halt the deployment process
|
||||
- Security configuration is maintained by Ansible on a regular schedule
|
||||
|
||||
## Monitoring and Maintenance
|
||||
|
||||
- Centralized logging configuration
|
||||
- Audit logs setup for security events
|
||||
- Automatic security updates
|
||||
- Network security monitoring
|
||||
|
||||
For more details, see the [README.md](README.md) file for general infrastructure information.
|
||||
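Review bot: deleting this file removes the only documentation of the CI security gate (the `.gitlab-ci.yml` stages running Trivy, checkov and Conftest/OPA, plus the rule that policy violations halt deployment) and of the local pre-apply check `terraform show -json tfplan > tfplan.json` followed by `conftest test tfplan.json -p policies/`; nothing else in the commit replaces it, so either keep the file or fold the CI/CD Security Pipeline and Policy Enforcement sections into README.md. If the file is going because it no longer matches the repository, say so in the commit message and note the mismatches it contained: disk encryption is described as "available (currently commented)", i.e. documented but not actually enabled, and its Ansible command uses `inventory/hosts.ini` while the README's install step used `inventory.ini`.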
@@ -1,10 +0,0 @@
|
||||
[master]
|
||||
192.168.30.81 ansible_ssh_private_key_file=~/.ssh/iac_proxmox
|
||||
|
||||
[node]
|
||||
192.168.30.91 ansible_ssh_private_key_file=~/.ssh/iac_proxmox
|
||||
192.168.30.92 ansible_ssh_private_key_file=~/.ssh/iac_proxmox
|
||||
|
||||
[k3s_cluster:children]
|
||||
master
|
||||
node
|
||||
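Review bot: removing the committed inventory is the right call, since it pins environment-specific addresses (192.168.30.81, .91, .92) and a private key path `~/.ssh/iac_proxmox`, but the commit adds no example replacement and no note on how the inventory is produced (for instance from the Terraform VM outputs), so a fresh clone can no longer run `ansible-playbook site.yml` at all; add an example inventory with placeholder hosts for `[master]` and `[node]`, and set `ansible_ssh_private_key_file` once for the `k3s_cluster` group (in `group_vars` or `ansible.cfg`) instead of repeating it on every host line as this file did.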