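#!/bin/bash
# kernel-audit.sh — Verify kernel config has all required features for KubeSolo
# Usage: ./kernel-audit.sh [/path/to/kernel/.config]
# If no path given, attempts to read from /proc/config.gz or boot config
#
# An option counts as present when the config has CONFIG_X=y or CONFIG_X=m.
# A "=m" result only proves the module was built; the audit reads the static
# config and cannot tell whether the module is actually loaded at runtime.
#
# Exit status: 0 when every mandatory option is present,
#              1 when a mandatory option is missing or no config can be found.
set -euo pipefail

# ANSI colours as real escape characters so they can be printed with printf '%s'.
readonly RED=$'\033[0;31m'
readonly GREEN=$'\033[0;32m'
readonly YELLOW=$'\033[1;33m'
readonly NC=$'\033[0m'

# shellcheck disable=SC2034 — not used by this script; kept for callers that source it
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR

# Path of the config being audited; set by find_kernel_config.
CONFIG_FILE=""
# Temporary decompressed copy of /proc/config.gz, if one was made; removed on exit.
TMP_CONFIG=""

PASS=0
FAIL=0
WARN=0

#######################################
# Remove the temporary config copy, if any. Runs from the EXIT trap.
# Globals:   TMP_CONFIG (read)
#######################################
cleanup() {
  if [[ -n "$TMP_CONFIG" ]]; then
    rm -f -- "$TMP_CONFIG"
  fi
}
trap cleanup EXIT

#######################################
# Print an error message to stderr.
# Arguments: $* - message text
#######################################
err() {
  printf '%s%s%s\n' "$RED" "$*" "$NC" >&2
}

#######################################
# Locate the kernel config to audit.
# Order: explicit path argument, /proc/config.gz (CONFIG_IKCONFIG_PROC=y),
# then /boot/config-$(uname -r).
# An explicit path that is not a readable file is an error rather than a
# fall-through, so a typo cannot silently audit a different kernel's config.
# Globals:   CONFIG_FILE (written), TMP_CONFIG (written when /proc/config.gz is used)
# Arguments: $1 - optional path to a kernel .config
# Returns:   0 when CONFIG_FILE was set, 1 otherwise
#######################################
find_kernel_config() {
  local requested="${1:-}"

  if [[ -n "$requested" ]]; then
    if [[ -f "$requested" && -r "$requested" ]]; then
      CONFIG_FILE="$requested"
      return 0
    fi
    err "ERROR: '${requested}' is not a readable kernel config file."
    return 1
  fi

  # /proc/config.gz is only present when the running kernel has CONFIG_IKCONFIG_PROC=y.
  if [[ -f /proc/config.gz && -r /proc/config.gz ]]; then
    TMP_CONFIG=$(mktemp) || return 1
    zcat /proc/config.gz > "$TMP_CONFIG" || return 1
    CONFIG_FILE="$TMP_CONFIG"
    return 0
  fi

  local boot_config
  boot_config="/boot/config-$(uname -r)"
  if [[ -f "$boot_config" && -r "$boot_config" ]]; then
    CONFIG_FILE="$boot_config"
    return 0
  fi

  return 1
}

#######################################
# Check one kernel option in CONFIG_FILE and record the result.
# "=y" and "=m" both count as present (the "=m" case is flagged in the output
# because a built module still has to be loaded at runtime). A line
# "# CONFIG_X is not set" counts as disabled; no matching line at all is
# reported separately as "not found".
# Globals:   CONFIG_FILE (read); PASS, FAIL, WARN (written)
# Arguments: $1 - option name, e.g. CONFIG_OVERLAY_FS
#            $2 - "mandatory" or "recommended"
#            $3 - human-readable description
# Outputs:   one result line on stdout
# Returns:   always 0 (so callers under set -e are not aborted)
#######################################
check_config() {
  local option="$1"
  local required="$2" # "mandatory" or "recommended"
  local description="$3"

  # Option names are fixed identifiers from this script, so they are safe in the pattern.
  local value
  value=$(grep -E "^${option}=" "$CONFIG_FILE" 2>/dev/null || true)

  if [[ -n "$value" ]]; then
    local setting="${value#*=}"
    local hint=""
    if [[ "$setting" == "m" ]]; then
      hint=" (module: must be loaded at runtime)"
    fi
    printf '  %s✓%s %s=%s — %s%s\n' "$GREEN" "$NC" "$option" "$setting" "$description" "$hint"
    # $((…)) instead of ((PASS++)): the latter returns 1 when the old value is 0
    # and would terminate the script under set -e on the very first pass.
    PASS=$((PASS + 1))
  elif grep -qE "^# ${option} is not set" "$CONFIG_FILE" 2>/dev/null; then
    if [[ "$required" == "mandatory" ]]; then
      printf '  %s✗%s %s is NOT SET — %s [REQUIRED]\n' "$RED" "$NC" "$option" "$description"
      FAIL=$((FAIL + 1))
    else
      printf '  %s△%s %s is NOT SET — %s [recommended]\n' "$YELLOW" "$NC" "$option" "$description"
      WARN=$((WARN + 1))
    fi
  else
    if [[ "$required" == "mandatory" ]]; then
      printf '  %s?%s %s not found in config — %s [REQUIRED]\n' "$RED" "$NC" "$option" "$description"
      FAIL=$((FAIL + 1))
    else
      printf '  %s?%s %s not found in config — %s [recommended]\n' "$YELLOW" "$NC" "$option" "$description"
      WARN=$((WARN + 1))
    fi
  fi
  return 0
}

#######################################
# Print the pass/fail/warn totals and the verdict.
# Globals:   PASS, FAIL, WARN (read)
# Returns:   0 when FAIL is 0, 1 otherwise
#######################################
print_summary() {
  printf '========================================\n'
  printf '  %sPassed:%s   %s\n' "$GREEN" "$NC" "$PASS"
  printf '  %sFailed:%s   %s\n' "$RED" "$NC" "$FAIL"
  printf '  %sWarnings:%s %s\n' "$YELLOW" "$NC" "$WARN"
  printf '========================================\n'

  if (( FAIL > 0 )); then
    printf '\n'
    printf '%sFAIL: %s mandatory kernel config(s) missing.%s\n' "$RED" "$FAIL" "$NC"
    printf 'Options:\n'
    printf '  1. Check if missing features are available as loadable modules (=m)\n'
    printf '  2. Recompile the kernel with missing options enabled\n'
    printf '  3. Use a different kernel (e.g., Alpine Linux kernel)\n'
    return 1
  fi

  printf '\n'
  printf '%sPASS: All mandatory kernel configs present.%s\n' "$GREEN" "$NC"
  if (( WARN > 0 )); then
    printf '%sNote: %s recommended configs missing (non-blocking).%s\n' "$YELLOW" "$WARN" "$NC"
  fi
  return 0
}

#######################################
# Entry point: locate the config, run every check group, print the summary.
# Arguments: $1 - optional path to a kernel .config
#######################################
main() {
  if ! find_kernel_config "${1:-}"; then
    err "ERROR: Cannot find kernel config."
    printf '%s\n' 'Provide path as argument, or ensure /proc/config.gz or /boot/config-$(uname -r) exists.' >&2
    exit 1
  fi

  printf '==> Auditing kernel config: %s\n\n' "$CONFIG_FILE"

  # --- cgroup v2 ---
  printf 'cgroup v2:\n'
  check_config CONFIG_CGROUPS mandatory "Control groups support"
  check_config CONFIG_CGROUP_CPUACCT mandatory "CPU accounting"
  check_config CONFIG_CGROUP_DEVICE mandatory "Device controller"
  check_config CONFIG_CGROUP_FREEZER mandatory "Freezer controller"
  check_config CONFIG_CGROUP_SCHED mandatory "CPU scheduler controller"
  check_config CONFIG_CGROUP_PIDS mandatory "PIDs controller"
  check_config CONFIG_MEMCG mandatory "Memory controller"
  check_config CONFIG_CGROUP_BPF recommended "BPF controller"
  printf '\n'

  # --- Namespaces ---
  printf 'Namespaces:\n'
  check_config CONFIG_NAMESPACES mandatory "Namespace support"
  check_config CONFIG_NET_NS mandatory "Network namespaces"
  check_config CONFIG_PID_NS mandatory "PID namespaces"
  check_config CONFIG_USER_NS mandatory "User namespaces"
  check_config CONFIG_UTS_NS mandatory "UTS namespaces"
  check_config CONFIG_IPC_NS mandatory "IPC namespaces"
  printf '\n'

  # --- Filesystem ---
  printf 'Filesystem:\n'
  check_config CONFIG_OVERLAY_FS mandatory "OverlayFS (containerd)"
  check_config CONFIG_SQUASHFS mandatory "SquashFS (Tiny Core root)"
  check_config CONFIG_BLK_DEV_LOOP mandatory "Loop device (SquashFS mount)"
  check_config CONFIG_EXT4_FS mandatory "ext4 (persistent partition)"
  printf '\n'

  # --- Networking ---
  printf 'Networking:\n'
  check_config CONFIG_BRIDGE mandatory "Bridge (K8s pod networking)"
  check_config CONFIG_NETFILTER mandatory "Netfilter framework"
  check_config CONFIG_NF_NAT mandatory "NAT support"
  check_config CONFIG_NF_CONNTRACK mandatory "Connection tracking"
  check_config CONFIG_IP_NF_IPTABLES mandatory "iptables"
  check_config CONFIG_IP_NF_NAT mandatory "iptables NAT"
  check_config CONFIG_IP_NF_FILTER mandatory "iptables filter"
  check_config CONFIG_VETH mandatory "Virtual ethernet pairs"
  check_config CONFIG_VXLAN mandatory "VXLAN (overlay networking)"
  check_config CONFIG_NET_SCH_HTB recommended "HTB qdisc (bandwidth limiting)"
  printf '\n'

  # --- Security ---
  printf 'Security:\n'
  check_config CONFIG_SECCOMP recommended "Seccomp (container security)"
  check_config CONFIG_SECCOMP_FILTER recommended "Seccomp BPF filter"
  check_config CONFIG_BPF_SYSCALL recommended "BPF syscall"
  check_config CONFIG_AUDIT mandatory "Audit framework"
  check_config CONFIG_AUDITSYSCALL mandatory "Audit system call events"
  check_config CONFIG_SECURITY mandatory "Security framework"
  check_config CONFIG_SECURITYFS mandatory "Security filesystem"
  check_config CONFIG_SECURITY_APPARMOR mandatory "AppArmor LSM"
  check_config CONFIG_SECURITY_NETWORK recommended "Network security hooks"
  printf '\n'

  # --- Crypto ---
  printf 'Crypto:\n'
  check_config CONFIG_CRYPTO_SHA256 recommended "SHA-256 (image verification)"
  printf '\n'

  # --- IPVS (optional, for kube-proxy IPVS mode) ---
  printf 'IPVS (optional, kube-proxy IPVS mode):\n'
  check_config CONFIG_IP_VS recommended "IPVS core"
  check_config CONFIG_IP_VS_RR recommended "IPVS round-robin"
  check_config CONFIG_IP_VS_WRR recommended "IPVS weighted round-robin"
  check_config CONFIG_IP_VS_SH recommended "IPVS source hashing"
  printf '\n'

  # --- Summary ---
  if print_summary; then
    exit 0
  fi
  exit 1
}

main "$@"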