#!/bin/bash

# This script configures all we need to enable a k3s hardened cluster
# Instructions from https://docs.k3s.io/security/hardening-guide

set -e -x

# Variables
K3S_SERVER_DIR="/var/lib/rancher/k3s/server"
MANIFESTS_DIR="${K3S_SERVER_DIR}/manifests/"
SYSCTL_DIR="/etc/sysctl.d"
HARDENED_DIR="../assets/hardened_cluster"
SYSCTL_CONF="${HARDENED_DIR}/90-kubelet.conf"
PSA_YAML="${HARDENED_DIR}/psa.yaml"
NETWORK_POLICY_YAML="${HARDENED_DIR}/networkpolicy.yaml"
AUDIT_YAML="${HARDENED_DIR}/audit.yaml"

# Apply mandatory sysctl config
cp ${SYSCTL_CONF} ${SYSCTL_DIR}
sysctl -p ${SYSCTL_DIR}/90-kubelet.conf

# Create K3S directories to preload manifests
mkdir -p -m 700 ${MANIFESTS_DIR}
mkdir ${K3S_SERVER_DIR}/logs

# Copy policies to manifests directory
cp ${NETWORK_POLICY_YAML} ${MANIFESTS_DIR}

# Enable auditing
cp ${PSA_YAML} ${AUDIT_YAML} ${K3S_SERVER_DIR}
