RFC: CIS and Kubernetes; Possible Approaches to python

Jonathan Davila
Oct 8, 2018, 11:31:00 AM
to Ansible Lockdown

Hello all!

Currently, I'm exploring adding a role to implement CIS benchmarks for Kubernetes (and later Docker) to Ansible Lockdown. The biggest challenge is with python.

Python: If we go with the assumption that most k8s environments will not have python readily available at the host level, then we are faced with a problem:
    1. Option A: We do not 'force' k8s users to install a python bin on their cluster. The negative here is that the role would be entirely driven by the raw module and we'd effectively have a bash script. Theoretically we could develop bash-based modules, but I'd really rather not go down that path. For anyone on this list that uses k8s, I'm curious to know if installing py2/3 on your cluster nodes would be acceptable if that means being able to leverage Ansible for hardening, or if that would be a total deal breaker.
    2. Option B: We make python a required dependency on your cluster(s); problem solved.
Both options aren't pretty, and I'm open to other suggestions. To me it seems a bit funky to say "here is something to harden your minimal cluster hosts, but it requires you to install this otherwise unneeded binary (python)".

Thoughts?
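
The two options above can be combined in one play that stays on the raw module until the operator opts in to installing python. This is an added example, not a role from the thread or from the Ansible Lockdown project; the inventory group `k8s_nodes`, the kubeadm-style kubelet config path and the apt-get/yum package managers are assumptions.

```yaml
# Added example, not code from the thread or from Ansible Lockdown.
# Assumed: an inventory group "k8s_nodes", a kubeadm-style kubelet
# config path, and apt-get or yum as the node package manager.
- name: Harden k8s nodes without assuming python is present
  hosts: k8s_nodes
  become: true
  gather_facts: false          # the setup module needs python; skip it
  vars:
    bootstrap_python: false    # Option B only when the operator opts in
    kubelet_config: /var/lib/kubelet/config.yaml   # assumed path
    # older Ansible may also need ansible_python_interpreter: /usr/bin/python3
  tasks:
    - name: Probe for a python interpreter (raw needs only ssh)
      raw: command -v python3 || command -v python || echo none
      register: py_probe
      changed_when: false

    - name: Option A - audit kubelet config file mode using raw only
      # the shell applies the mask; the task fails when group/other can write
      raw: "m=$(stat -c '%a' {{ kubelet_config }}) && [ $(( 0$m & 022 )) -eq 0 ]"
      register: kubelet_mode
      changed_when: false
      failed_when: kubelet_mode.rc != 0

    - name: Option B - install python only if it is missing and opted in
      raw: |
        if command -v apt-get >/dev/null 2>&1; then apt-get install -y python3;
        elif command -v yum >/dev/null 2>&1; then yum install -y python3;
        else exit 1; fi
      when: bootstrap_python and py_probe.stdout is search('none')

    - name: Regular modules work once an interpreter is available
      stat:
        path: "{{ kubelet_config }}"
      register: kc
      when: py_probe.stdout is not search('none') or bootstrap_python
```

Nodes that already ship an interpreter never hit the install task, so the role only adds a binary where the operator has explicitly asked for it.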

Bas Meijer
Oct 8, 2018, 12:03:53 PM
to Jonathan Davila, Ansible Lockdown

If a k8s cluster is really minimal and python is not an option, then I think Ansible Lockdown should not target it.

If, on the other hand, a cluster admin sees value in Ansible Lockdown, as opposed to the remediation script (available to members only) or cutting and pasting from the freely available PDF, then requiring python should not be a big deal. There are other options, so do as you please.