pych · samof76 · Jan 2, 2023 · Jan 2, 2023 · Jan 2, 2023 · Jan 2, 2023
diff --git a/Makefile b/Makefile
@@ -27,7 +27,7 @@ ifeq ($(call vercmp,$(kubernetes_version),gteq,1.25.0), true)
 endif
 
 AMI_VERSION ?= v$(shell date '+%Y%m%d')
-AMI_VARIANT ?= amazon-eks
+AMI_VARIANT ?= fw-eks
 ifneq (,$(findstring al2023, $(PACKER_TEMPLATE_FILE)))
 	AMI_VARIANT := $(AMI_VARIANT)-al2023
 endif

diff --git a/eks-worker-al2-variables.json b/eks-worker-al2-variables.json
@@ -6,7 +6,7 @@
     "ami_users": "",
     "associate_public_ip_address": "",
     "aws_access_key_id": "{{env `AWS_ACCESS_KEY_ID`}}",
-    "aws_region": "us-west-2",
+    "aws_region": "us-east-1",
     "aws_secret_access_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
     "aws_session_token": "{{env `AWS_SESSION_TOKEN`}}",
     "binary_bucket_name": "amazon-eks",
@@ -18,7 +18,7 @@
     "docker_version": "20.10.*",
     "enable_fips": "false",
     "encrypted": "false",
-    "kernel_version": "",
+    "kernel_version": "5.10",
     "kms_key_id": "",
     "launch_block_device_mappings_volume_size": "4",
     "pause_container_version": "3.5",
@@ -31,9 +31,9 @@
     "source_ami_owners": "137112412989",
     "ssh_interface": "",
     "ssh_username": "ec2-user",
-    "ssm_agent_version": "",
-    "subnet_id": "",
-    "temporary_security_group_source_cidrs": "",
-    "volume_type": "gp2",
+    "subnet_id": "subnet-061fd55369909b950",
+    "volume_type": "gp3",
+    "temporary_security_group_source_cidrs": "10.102.8.0/21",
+    "ssm_agent_version": "latest",
     "working_dir": "{{user `remote_folder`}}/worker"
 }
diff --git a/eks-worker-al2.json b/eks-worker-al2.json
@@ -88,6 +88,8 @@
       "ami_regions": "{{user `ami_regions`}}",
       "ssh_username": "{{user `ssh_username`}}",
       "ssh_interface": "{{user `ssh_interface`}}",
+      "ssh_keypair_name": "packer-key",
+      "ssh_private_key_file": "~/.ssh/id_rsa",
       "temporary_security_group_source_cidrs": "{{user `temporary_security_group_source_cidrs`}}",
       "security_group_id": "{{user `security_group_id`}}",
       "associate_public_ip_address": "{{user `associate_public_ip_address`}}",
@@ -134,6 +136,31 @@
         "ADDITIONAL_YUM_REPOS={{user `additional_yum_repos`}}"
       ]
     },
+    {
+      "type": "shell",
+      "remote_folder": "{{ user `remote_folder`}}",
+      "expect_disconnect": true,
+      "script": "{{template_dir}}/scripts/upgrade_kernel.sh",
+      "environment_vars": [
+        "KUBERNETES_VERSION={{user `kubernetes_version`}}",
+        "KERNEL_VERSION={{user `kernel_version`}}"
+      ]
+    },
+    {
+      "type": "shell",
+      "pause_before": "90s",
+      "remote_folder": "{{ user `remote_folder`}}",
+      "expect_disconnect": true,
+      "script": "{{template_dir}}/scripts/add_psi.sh"
+    },
+    {
+      "type": "shell",
+      "pause_before": "90s",
+      "remote_folder": "{{ user `remote_folder`}}",
+      "inline": [
+        "mkdir -p /tmp/worker/log-collector-script/"
+      ]
+    },
     {
       "type": "file",
       "source": "{{template_dir}}/files/",
@@ -220,6 +247,11 @@
         "KERNEL_VERSION={{user `kernel_version`}}"
       ]
     },
+    {
+      "type": "shell",
+      "remote_folder": "{{ user `remote_folder`}}",
+      "script": "{{template_dir}}/scripts/disable_auto_upgrade.sh"
+    },
     {
       "type": "shell",
       "remote_folder": "{{ user `remote_folder`}}",

diff --git a/files/kubelet-config.json b/files/kubelet-config.json
@@ -32,5 +32,36 @@
   "protectKernelDefaults": true,
   "serializeImagePulls": false,
   "serverTLSBootstrap": true,
-  "tlsCipherSuites": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"]
+  "tlsCipherSuites": [
+    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+    "TLS_RSA_WITH_AES_256_GCM_SHA384",
+    "TLS_RSA_WITH_AES_128_GCM_SHA256"
+  ],
+  "kubeAPIBurst": 50,
+  "kubeAPIQPS": 50,
+  "eventRecordQPS": 50,
+  "eventBurst": 50,
+  "registryPullQPS": 100,
+  "registryBurst": 100,
+  "runtimeRequestTimeout": "15s",
+  "allowedUnsafeSysctls": [
+    "net.core.somaxconn",
+    "net.ipv4.tcp_keepalive_*",
+    "net.core.rmem_max",
+    "net.core.wmem_max",
+    "net.core.rmem_default",
+    "net.core.wmem_default",
+    "net.core.optmem_max",
+    "net.ipv4.tcp_rmem",
+    "net.ipv4.tcp_wmem"
+  ],
+  "imageGCHighThresholdPercent": 70,
+  "imageGCLowThresholdPercent": 50,
+  "shutdownGracePeriodCriticalPods": "360s",
+  "shutdownGracePeriod": "420s"
 }
diff --git a/scripts/add_psi.sh b/scripts/add_psi.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -o nounset
+set -o errexit
+
+sudo grubby --args="psi=1" --update-kernel /boot/vmlinuz-$(uname -r)
+
+sudo reboot
diff --git a/scripts/disable_auto_upgrade.sh b/scripts/disable_auto_upgrade.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# This script is used to disable auto-upgrade on the Amazon Linux 2 AMI.
+# It is run as part of the AMI build process.
+
+sudo sed -i 's/^repo_upgrade: .*/repo_upgrade: none/' /etc/cloud/cloud.cfg
diff --git a/scripts/install-worker.sh b/scripts/install-worker.sh
@@ -557,6 +557,9 @@ EOF
 echo fs.inotify.max_user_watches=524288 | sudo tee -a /etc/sysctl.conf
 echo fs.inotify.max_user_instances=8192 | sudo tee -a /etc/sysctl.conf
 echo vm.max_map_count=524288 | sudo tee -a /etc/sysctl.conf
+echo net.netfilter.nf_conntrack_tcp_timeout_time_wait=65 | sudo tee -a /etc/sysctl.conf
+echo net.core.somaxconn=65535 | sudo tee -a /etc/sysctl.conf
+echo "@reboot /bin/bash -l -c '/sbin/modprobe nf_conntrack; /usr/sbin/sysctl -p'" | sudo crontab -
 echo 'kernel.pid_max=4194304' | sudo tee -a /etc/sysctl.conf
 
 ################################################################################

diff --git a/scripts/install_falco.sh b/scripts/install_falco.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -o nounset
+set -o errexit
+
+sudo rpm --import https://falco.org/repo/falcosecurity-3672BA8F.asc
+sudo curl -s -o /etc/yum.repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo
+sudo yum install -y kernel-devel-$(uname -r)
+sudo yum install -y falco
+sudo systemctl disable falco
diff --git a/scripts/validate.sh b/scripts/validate.sh
@@ -41,6 +41,20 @@ else
   exit 1
 fi
 
+cmdline=$(cat /proc/cmdline)
+echo "Verifying if psi kernel cmdline arg is set"
+
+if [[ $cmdline =~ "psi=1" ]]; then
+  echo "psi is set"
+else
+  echo "psi is not set"
+  exit 1
+fi
+
+# echo "Verifying is falco driver is loaded"
+# sudo lsmod | grep -i falco
+echo "Verifying that the package versionlocks are correct..."
+
 function versionlock-entries() {
   # the format of this output is EPOCH:NAME-VERSION-RELEASE.ARCH
   # more info in yum-versionlock(1)