本章節(jié)介紹下在使用kubesphere時(shí)至朗，我們對(duì)環(huán)境的要求及部署流程。

環(huán)境初始化

我們采用虛擬機(jī)作為集群節(jié)點(diǎn)析恋，對(duì)于虛機(jī)模板要求如下：

系統(tǒng)要求

1. 版本要求

• CentOS-7-x86_64-DVD-2009.iso

安裝方式: 最小化安裝

2. 分區(qū)要求

• /boot分區(qū)1Gi
• /boot/efi分區(qū)200Mi
• /根分區(qū)98Gi
• 無(wú)/swap分區(qū)
• 無(wú)/home分區(qū)
• 無(wú)/var分區(qū)
• 無(wú)/usr分區(qū)

3. 數(shù)據(jù)盤要求

• 容量: 100Gi
• 掛載點(diǎn): /data
• 分區(qū): 一個(gè)主分區(qū)

并設(shè)置開(kāi)機(jī)自啟動(dòng)

系統(tǒng)配置

1. 時(shí)鐘服務(wù)器配置

檢測(cè)是否已經(jīng)配置

$ crontab -l

至少保證每分鐘同步一次(ntp-server替換為實(shí)際ntp地址良哲，由虛擬化廠商提供)

*/1 * * * * ntpdate ntp-server

2. 時(shí)區(qū)配置

配置為上海時(shí)區(qū)

ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

3. 關(guān)閉防火墻

systemctl disable firewalld --now

4. 關(guān)閉selinux

setenforce 0
sed -i "s#SELINUX=enforcing#SELINUX=disabled#g" /etc/selinux/config

5. 調(diào)整文件描述符等

cat >> /etc/pam.d/login <<EOF
session    required     /lib64/security/pam_limits.so
session    required     pam_limits.so
EOF

cp /etc/security/limits.conf /etc/security/limits.conf.bak

cat >> /etc/security/limits.conf <<EOF
*   soft   nofile   65536
*   hard   nofile   65536
*   soft   nproc    16384
*   hard   nproc    16384
*   soft   stack    10240
*   hard   stack    32768
EOF

scp /etc/security/limits.d/20-nproc.conf /etc/security/limits.d/20-nproc.conf.bak
cat >> /etc/security/limits.d/20-nproc.conf<<EOF
*          soft    nproc    unlimited
*          hard    nproc    unlimited
EOF

echo 8061540 > /proc/sys/fs/file-max

6. 配置yum本地源

7. 初始化sudo用戶

8. 配置互信

配置root用戶

ssh-keygen -t rsa -b 2048 -N '' -f ~/.ssh/id_rsa
cat .ssh/id_rsa.pub > ~/.ssh/authorized_keys
chmod -R 600 ~/.ssh

安全加固

1. 禁ping

echo "net.ipv4.icmp_echo_ignore_all=1"  >> /etc/sysctl.conf
sysctl -p

2. 關(guān)閉ICMP_TIMESTAMP應(yīng)答

iptables -I INPUT -p ICMP --icmp-type timestamp-request -m comment --comment "deny ICMP timestamp" -j DROP
iptables -I INPUT -p ICMP --icmp-type timestamp-reply -m comment --comment "deny ICMP timestamp" -j DROP

3. 限制root用戶直接登錄

sed -i "s#PermitRootLogin yes#PermitRootLogin no#g" /etc/ssh/sshd_config
systemctl restart sshd

4. 修改允許密碼錯(cuò)誤次數(shù)

sed -i "/MaxAuthTries/d" /etc/ssh/sshd_config
echo "MaxAuthTries 3" >> /etc/ssh/sshd_config
systemctl restart sshd

5. 關(guān)閉AgentForwarding和TcpForwarding

sed -i "/AgentForwarding/d" /etc/ssh/sshd_config
sed -i "/TcpForwarding/d" /etc/ssh/sshd_config
echo "AllowAgentForwarding no" >> /etc/ssh/sshd_config
echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config
systemctl restart sshd

6. 關(guān)閉UseDNS

sed -i "/UseDNS/d" /etc/ssh/sshd_config
echo "UseDNS no" >> /etc/ssh/sshd_config
systemctl restart sshd

7. 升級(jí)sudo版本

CVE-2021-3156等

• sudo-1.9.7-3.el7.x86_64.rpm

rpm -Uvh sudo-1.9.7-3.el7.x86_64.rpm

驗(yàn)證

sudo -V

8. 設(shè)置會(huì)話超時(shí)（5分鐘）

echo "export TMOUT=300" >>/etc/profile
. /etc/profile

9. 隱藏系統(tǒng)版本信息

mv /etc/issue /etc/issue.bak 
mv /etc/issue.net /etc/issue.net.bak

10. 禁止Control-Alt-Delete 鍵盤重啟系統(tǒng)命令

rm -rf /usr/lib/systemd/system/ctrl-alt-del.target

11. 密碼加固

PASS_MAX_DAYS=`grep -e ^PASS_MAX_DAYS /etc/login.defs |awk '{print $2}'`
if [ $PASS_MAX_DAYS -gt 90 ];then
    echo "密碼最長(zhǎng)保留期限為：$PASS_MAX_DAYS, 更改為90天"
    sed -i "/^PASS_MAX_DAYS/d" /etc/login.defs
    echo "PASS_MAX_DAYS   90" >> /etc/login.defs
fi

PASS_MIN_DAYS=`grep -e ^PASS_MIN_DAYS /etc/login.defs |awk '{print $2}'`
if [ $PASS_MIN_DAYS -ne 0 ];then
    echo "密碼最段保留期限為：$PASS_MIN_DAYS, 更改為0天"
    sed -i "/^PASS_MIN_DAYS/d" /etc/login.defs
    echo "PASS_MIN_DAYS   0" >> /etc/login.defs
fi

PASS_MIN_LEN=`grep -e ^PASS_MIN_LEN /etc/login.defs |awk '{print $2}'`
if [ $PASS_MIN_LEN -lt 8 ];then
    echo "密碼最少字符為：$PASS_MIN_LEN, 更改為8"
    sed -i "/^PASS_MIN_LEN/d" /etc/login.defs
    echo "PASS_MIN_LEN   8" >> /etc/login.defs
fi
 
PASS_WARN_AGE=`grep -e ^PASS_WARN_AGE /etc/login.defs |awk '{print $2}'`
if [ $PASS_WARN_AGE -ne 7 ];then
  echo "密碼到期前$PASS_MIN_LEN天提醒, 更改為7"
  sed -i "/^PASS_WARN_AGE/d" /etc/login.defs
  echo "PASS_WARN_AGE   7" >> /etc/login.defs
fi

12. 配置系統(tǒng)日志

touch /var/log/secure
chown root:root /var/log/secure
chmod 600 /var/log/secure

13. 刪除其他用戶定時(shí)任務(wù)

rm -f /etc/cron.deny

14. 修改開(kāi)機(jī)自啟動(dòng)

chmod 700 -R /etc/rc.d/init.d/*

15. 查找并刪除刪除自動(dòng)登錄腳本

find / -name .netrc
find / -name .rhosts

16. 查詢?nèi)趺艽a用戶

awk -F: '($2 == ""){print $1}' /etc/shadow

17. 刪除以下用戶

執(zhí)行兩遍

users=(adm lp sync shutdown halt mail news uucp operator games gopher ftp)
for i in ${users[@]};
do
  userdel $i &>/dev/null || true
done

for i in ${users[@]};
do
  userdel $i &>/dev/null || true
done

18. 關(guān)鍵文件加鎖

chattr +i /etc/services
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab

19. 關(guān)鍵文件修改授權(quán)

chown root:root /etc/{passwd,shadow,group}
chmod 644 /etc/{passwd,group}
chmod 400 /etc/shadow

部署流程

部署流程主要分為以下幾個(gè)部分：

1. 部署私有鏡像庫(kù)harbor并導(dǎo)入鏡像
2. 部署keepalive+haproxy
3. 部署kubernetes集群
4. 部署ceph存儲(chǔ)集群（rook方式）
5. 部署kubepshere平臺(tái)
6. 部署應(yīng)用系統(tǒng)
7. 部署插件（velero、porter等）