c12s-kubespray/docs/security.md

Users and groups
================

There are following users and groups defined by the addusers role:

* Kube user, group from the ``kubelet_user`` and ``kubelet_group`` vars.
* Etcd user, group from the ``etcd_user`` and ``etcd_group`` vars.
* Network plugin user, group from the ``netplug_user`` and ``netplug_group`` vars.

There are additional certificate access groups for kube and etcd users defined.
For example, kubelet and network plugins require read access to the
etcd certs and keys. This is defined via the corresponding ``etcd_cert_group``
var. Members of that group (defaults to `kube` and `netplug` users) will read
etcd secret keys and certs. Same applies to the ``kube_cert_group``
(defaults to `kube` user) members. You may want to share kube certs via that
group with bastion proxies or the like.

Linux capabilites
=================

Kargo allows to control dropped Linux capabilities for unprivileged docker
containers it configures for deployments. For examle, etcd or some networking
related systemd units or k8s workloads, like kubedns, dnsmasq or netchecker apps.

Dropped capabilites are represented by the ``apps_drop_cap``, ``dnsmasq_drop_cap``,
``etcd_drop_cap``, ``calico_drop_cap``  vars.

Be carefull changing defaults - different kube components and k8s apps might
expect specific capabilities to be present and can only run as root! Also note
that kublet, kube-proxy and network plugins require privileged mode and ignore
dropped capabilities.
Drop linux capabilities and rework users/groups * Drop linux capabilities for unprivileged containerized worlkoads Kargo configures for deployments. * Configure required securityContext/user/group/groups for kube components' static manifests, etcd, calico-rr and k8s apps, like dnsmasq daemonset. * Rework cloud-init (etcd) users creation for CoreOS. * Fix nologin paths, adjust defaults for addusers role and ensure supplementary groups membership added for users. * Add netplug user for network plugins (yet unused by privileged networking containers though). * Grant the kube and netplug users read access for etcd certs via the etcd certs group. * Grant group read access to kube certs via the kube cert group. * Remove priveleged mode for calico-rr and run it under its uid/gid and supplementary etcd_cert group. * Adjust docs. * Align cpu/memory limits and dropped caps with added rkt support for control plane. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> 2016-12-28 13:58:37 +00:00			`Users and groups`
			`================`

			`There are following users and groups defined by the addusers role:`

			* Kube user, group from the ``kubelet_user`` and ``kubelet_group`` vars.
			* Etcd user, group from the ``etcd_user`` and ``etcd_group`` vars.
			* Network plugin user, group from the ``netplug_user`` and ``netplug_group`` vars.

			`There are additional certificate access groups for kube and etcd users defined.`
			`For example, kubelet and network plugins require read access to the`
			etcd certs and keys. This is defined via the corresponding ``etcd_cert_group``
			var. Members of that group (defaults to `kube` and `netplug` users) will read
			etcd secret keys and certs. Same applies to the ``kube_cert_group``
			(defaults to `kube` user) members. You may want to share kube certs via that
			`group with bastion proxies or the like.`

			`Linux capabilites`
			`=================`

			`Kargo allows to control dropped Linux capabilities for unprivileged docker`
			`containers it configures for deployments. For examle, etcd or some networking`
			`related systemd units or k8s workloads, like kubedns, dnsmasq or netchecker apps.`

			Dropped capabilites are represented by the ``apps_drop_cap``, ``dnsmasq_drop_cap``,
			``etcd_drop_cap``, ``calico_drop_cap`` vars.

			`Be carefull changing defaults - different kube components and k8s apps might`
			`expect specific capabilities to be present and can only run as root! Also note`
			`that kublet, kube-proxy and network plugins require privileged mode and ignore`
			`dropped capabilities.`