Merge pull request #981 from kubernetes-incubator/revert-911-DROP_CAPS

Revert "Drop linux capabilities and rework users/groups"
This commit is contained in:
Matthew Mosesohn 2017-02-06 17:52:58 +03:00 committed by GitHub
commit be1e1b41bd
48 changed files with 81 additions and 413 deletions

View file

@ -1,31 +0,0 @@
Users and groups
================
There are following users and groups defined by the addusers role:
* Kube user, group from the ``kubelet_user`` and ``kubelet_group`` vars.
* Etcd user, group from the ``etcd_user`` and ``etcd_group`` vars.
* Network plugin user, group from the ``netplug_user`` and ``netplug_group`` vars.
There are additional certificate access groups for kube and etcd users defined.
For example, kubelet and network plugins require read access to the
etcd certs and keys. This is defined via the corresponding ``etcd_cert_group``
var. Members of that group (defaults to `kube` and `netplug` users) will read
etcd secret keys and certs. Same applies to the ``kube_cert_group``
(defaults to `kube` user) members. You may want to share kube certs via that
group with bastion proxies or the like.
Linux capabilites
=================
Kargo allows to control dropped Linux capabilities for unprivileged docker
containers it configures for deployments. For examle, etcd or some networking
related systemd units or k8s workloads, like kubedns, dnsmasq or netchecker apps.
Dropped capabilites are represented by the ``apps_drop_cap``, ``dnsmasq_drop_cap``,
``etcd_drop_cap``, ``calico_drop_cap`` vars.
Be carefull changing defaults - different kube components and k8s apps might
expect specific capabilities to be present and can only run as root! Also note
that kublet, kube-proxy and network plugins require privileged mode and ignore
dropped capabilities.

View file

@ -36,19 +36,10 @@ retry_stagger: 5
# Directory where python binary is installed # Directory where python binary is installed
# ansible_python_interpreter: "/opt/bin/python" # ansible_python_interpreter: "/opt/bin/python"
# This is the users/groups to own files and groups that the cert creation # This is the group that the cert creation scripts chgrp the
# scripts chgrp the cert files to # cert files to. Not really changable...
kubelet_user: kube
kubelet_group: kube
kube_cert_group: kube-cert kube_cert_group: kube-cert
netplug_user: netplug
netplug_group: netplug
etcd_user: etcd
etcd_group: etcd
etcd_cert_group: etcd-cert
# Cluster Loglevel configuration # Cluster Loglevel configuration
kube_log_level: 2 kube_log_level: 2

View file

@ -1,40 +1,24 @@
--- ---
addusers: addusers:
etcd: etcd:
name: "{{ etcd_user }}" name: etcd
comment: "Etcd user" comment: "Etcd user"
createhome: >- createhome: yes
{% if ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] %}no{% else %}yes{% endif %}
home: "/var/lib/etcd" home: "/var/lib/etcd"
system: yes system: yes
shell: /usr/sbin/nologin shell: /bin/nologin
group: "{{ etcd_group }}"
groups: "{{ etcd_cert_group }}"
type: >-
{% if ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] %}cloud-init{% endif %}
kube: kube:
name: "{{ kubelet_user }}" name: kube
comment: "Kubernetes user" comment: "Kubernetes user"
shell: /usr/sbin/nologin shell: /sbin/nologin
system: yes system: yes
group: "{{ kubelet_group }}" group: "{{ kube_cert_group }}"
groups: "{{ etcd_cert_group }},{{ kube_cert_group }}"
createhome: no createhome: no
netplug:
name: "{{ netplug_user }}"
comment: "Network plugin user"
createhome: no
system: yes
shell: /usr/sbin/nologin
group: "{{ netplug_group }}"
groups: "{{ etcd_cert_group }}"
adduser: adduser:
name: "{{ user.name }}" name: "{{ user.name }}"
group: "{{ user.name|default(None) }}" group: "{{ user.name|default(None) }}"
groups: "{{ user.groups|default(None) }}"
comment: "{{ user.comment|default(None) }}" comment: "{{ user.comment|default(None) }}"
shell: "{{ user.shell|default(None) }}" shell: "{{ user.shell|default(None) }}"
system: "{{ user.system|default(None) }}" system: "{{ user.system|default(None) }}"
createhome: "{{ user.createhome|default(None) }}" createhome: "{{ user.createhome|default(None) }}"
type: "{{ user.type|default(None) }}"

View file

@ -1,4 +0,0 @@
---
- name: User | update users for cloud-init
command: /usr/bin/coreos-cloudinit --from-file /etc/{{ user.name }}_user_cloud_init_conf
when: ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]

View file

@ -1,35 +1,13 @@
--- ---
- name: User | Create Certificate Access Groups
group: name={{ item }} system=yes
with_items: "{{ user.groups.split(',') }}"
- name: User | Create User Group - name: User | Create User Group
group: name={{user.group|default(user.name)}} system={{user.system|default(omit)}} group: name={{user.group|default(user.name)}} system={{user.system|default(omit)}}
- name: User | Create cloud-init user
template:
dest: /etc/{{ user.name }}_user_cloud_init_conf
src: users.j2
owner: root
mode: 0640
notify: User | update users for cloud-init
when: "{{ user.type|default('standard') == 'cloud-init' }}"
- meta: flush_handlers
- name: User | Hack groups for existing cloud-init users CoreOS
command: /usr/sbin/usermod -aG {{ item }} {{ user.name }}
with_items: "{{ user.groups.split(',') }}"
when: "{{ ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] and user.type|default('standard') == 'cloud-init' }}"
- name: User | Create User - name: User | Create User
user: user:
comment: "{{user.comment|default(omit)}}" comment: "{{user.comment|default(omit)}}"
createhome: "{{user.createhome|default(omit)}}" createhome: "{{user.create_home|default(omit)}}"
group: "{{user.group|default(user.name)}}" group: "{{user.group|default(user.name)}}"
groups: "{{user.groups|default(omit)}}"
home: "{{user.home|default(omit)}}" home: "{{user.home|default(omit)}}"
shell: "{{user.shell|default(omit)}}" shell: "{{user.shell|default(omit)}}"
name: "{{user.name}}" name: "{{user.name}}"
system: "{{user.system|default(omit)}}" system: "{{user.system|default(omit)}}"
when: "{{ user.type|default('standard') != 'cloud-init' }}"

View file

@ -1,15 +0,0 @@
#cloud-config
users:
- name: {{ user.name }}
gecos: {{ user.comment }}
system: {{ user.system|bool }}
no-log-init: {{ user.system|bool }}
primary-group: {{ user.group }}
no-create-home: {{ not user.createhome|bool }}
homedir: {{ user.home }}
shell: {{ user.shell }}
groups: |
{% for g in user.groups.split(',') %}
- {{ g }}
{% endfor %}
#

View file

@ -0,0 +1,8 @@
---
addusers:
- name: kube
comment: "Kubernetes user"
shell: /sbin/nologin
system: yes
group: "{{ kube_cert_group }}"
createhome: no

View file

@ -0,0 +1,15 @@
---
addusers:
- name: etcd
comment: "Etcd user"
createhome: yes
home: "/var/lib/etcd"
system: yes
shell: /bin/nologin
- name: kube
comment: "Kubernetes user"
shell: /sbin/nologin
system: yes
group: "{{ kube_cert_group }}"
createhome: no

View file

@ -0,0 +1,15 @@
---
addusers:
- name: etcd
comment: "Etcd user"
createhome: yes
home: "/var/lib/etcd"
system: yes
shell: /bin/nologin
- name: kube
comment: "Kubernetes user"
shell: /sbin/nologin
system: yes
group: "{{ kube_cert_group }}"
createhome: no

View file

@ -26,16 +26,3 @@ dns_cpu_limit: 100m
dns_memory_limit: 170Mi dns_memory_limit: 170Mi
dns_cpu_requests: 70m dns_cpu_requests: 70m
dns_memory_requests: 70Mi dns_memory_requests: 70Mi
# Linux capabilities to be dropped for dnsmasq k8s app ran container engines
dnsmasq_drop_cap:
- chown
- dac_override
- fowner
- fsetid
- kill
- setpcap
- sys_chroot
- mknod
- audit_write
- setfcap

View file

@ -26,10 +26,6 @@ spec:
capabilities: capabilities:
add: add:
- NET_ADMIN - NET_ADMIN
drop:
{% for c in dnsmasq_drop_cap %}
- {{ c.upper() }}
{% endfor %}
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
resources: resources:
limits: limits:

View file

@ -3,26 +3,10 @@ etcd_bin_dir: "{{ local_release_dir }}/etcd/etcd-{{ etcd_version }}-linux-amd64/
etcd_config_dir: /etc/ssl/etcd etcd_config_dir: /etc/ssl/etcd
etcd_cert_dir: "{{ etcd_config_dir }}/ssl" etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
etcd_cert_group: root
etcd_script_dir: "{{ bin_dir }}/etcd-scripts" etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
# Linux capabilities to be dropped for container engines
etcd_drop_cap:
- chown
- dac_override
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- net_bind_service
- net_raw
- sys_chroot
- mknod
- audit_write
- setfcap
# Limits # Limits
etcd_memory_limit: 512M etcd_memory_limit: 512M
etcd_cpu_limit: 300m etcd_cpu_limit: 300m

View file

@ -94,8 +94,5 @@ if [ -n "$HOSTS" ]; then
done done
fi fi
# Grant the group read access
chmod g+r *.pem
# Install certs # Install certs
mv *.pem ${SSLDIR}/ mv *.pem ${SSLDIR}/

View file

@ -2,7 +2,7 @@
dependencies: dependencies:
- role: adduser - role: adduser
user: "{{ addusers.etcd }}" user: "{{ addusers.etcd }}"
tags: bootstrap-os when: not ansible_os_family in ['CoreOS', 'Container Linux by CoreOS']
- role: download - role: download
file: "{{ downloads.etcd }}" file: "{{ downloads.etcd }}"
tags: download tags: download

View file

@ -4,15 +4,14 @@
path={{ etcd_cert_dir }} path={{ etcd_cert_dir }}
group={{ etcd_cert_group }} group={{ etcd_cert_group }}
state=directory state=directory
mode=0750 owner=root
owner={{ etcd_user }}
recurse=yes recurse=yes
- name: "Gen_certs | create etcd script dir (on {{groups['etcd'][0]}})" - name: "Gen_certs | create etcd script dir (on {{groups['etcd'][0]}})"
file: file:
path: "{{ etcd_script_dir }}" path: "{{ etcd_script_dir }}"
state: directory state: directory
owner: "{{ etcd_user }}" owner: root
run_once: yes run_once: yes
delegate_to: "{{groups['etcd'][0]}}" delegate_to: "{{groups['etcd'][0]}}"
@ -21,8 +20,7 @@
path={{ etcd_cert_dir }} path={{ etcd_cert_dir }}
group={{ etcd_cert_group }} group={{ etcd_cert_group }}
state=directory state=directory
mode=0750 owner=root
owner={{ etcd_user }}
recurse=yes recurse=yes
run_once: yes run_once: yes
delegate_to: "{{groups['etcd'][0]}}" delegate_to: "{{groups['etcd'][0]}}"
@ -126,12 +124,12 @@
path={{ etcd_cert_dir }} path={{ etcd_cert_dir }}
group={{ etcd_cert_group }} group={{ etcd_cert_group }}
state=directory state=directory
owner={{ etcd_user }} owner=kube
recurse=yes recurse=yes
tags: facts tags: facts
- name: Gen_certs | set shared group permissions on keys - name: Gen_certs | set permissions on keys
shell: chmod 0640 {{ etcd_cert_dir}}/*.pem shell: chmod 0600 {{ etcd_cert_dir}}/*key.pem
when: inventory_hostname in groups['etcd'] when: inventory_hostname in groups['etcd']
changed_when: false changed_when: false

View file

@ -1,8 +1,6 @@
--- ---
- include: pre_upgrade.yml - include: pre_upgrade.yml
tags: etcd-pre-upgrade tags: etcd-pre-upgrade
- include: set_facts.yml
tags: [bootstrap-os, facts]
- include: check_certs.yml - include: check_certs.yml
tags: [etcd-secrets, facts] tags: [etcd-secrets, facts]
- include: gen_certs.yml - include: gen_certs.yml

View file

@ -1,4 +1,3 @@
---
- name: "Pre-upgrade | check for etcd-proxy unit file" - name: "Pre-upgrade | check for etcd-proxy unit file"
stat: stat:
path: /etc/systemd/system/etcd-proxy.service path: /etc/systemd/system/etcd-proxy.service
@ -50,7 +49,3 @@
awk -F"[: =]" '{print "{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses | regex_replace('https','http') }} member update "$1" https:"$7":"$8}' | bash awk -F"[: =]" '{print "{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses | regex_replace('https','http') }} member update "$1" https:"$7":"$8}' | bash
run_once: true run_once: true
when: 'etcd_member_list.rc == 0 and "http://" in etcd_member_list.stdout' when: 'etcd_member_list.rc == 0 and "http://" in etcd_member_list.stdout'
- name: "Pre-upgrade | share access to etcd certs for its users"
shell: chmod g+r {{ etcd_cert_dir }}/*.pem
failed_when: false

View file

@ -1,17 +0,0 @@
---
- name: Etcd | get etcd user ID
shell: /usr/bin/id -u {{ etcd_user }} || echo 0
register: etcd_uid
- name: Etcd | get etcd group ID
shell: /usr/bin/getent group {{ etcd_group }} | cut -d':' -f3 || echo 0
register: etcd_gid
- name: Etcd | get etcd cert group ID
shell: /usr/bin/getent group {{ etcd_cert_group }} | cut -d':' -f3 || echo 0
register: etcd_cert_gid
- set_fact:
etcd_user_id: "{{ etcd_uid.stdout }}"
etcd_group_id: "{{ etcd_gid.stdout }}"
etcd_cert_group_id: "{{ etcd_cert_gid.stdout }}"

View file

@ -14,12 +14,8 @@ ExecStart={{ docker_bin_dir }}/docker run --restart=on-failure:5 \
-v /etc/ssl/certs:/etc/ssl/certs:ro \ -v /etc/ssl/certs:/etc/ssl/certs:ro \
-v {{ etcd_cert_dir }}:{{ etcd_cert_dir }}:ro \ -v {{ etcd_cert_dir }}:{{ etcd_cert_dir }}:ro \
-v /var/lib/etcd:/var/lib/etcd:rw \ -v /var/lib/etcd:/var/lib/etcd:rw \
{% for c in etcd_drop_cap %}
--cap-drop={{ c }} \
{% endfor %}
--memory={{ etcd_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ etcd_cpu_limit|regex_replace('m', '') }} \ --memory={{ etcd_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ etcd_cpu_limit|regex_replace('m', '') }} \
--name={{ etcd_member_name | default("etcd") }} \ --name={{ etcd_member_name | default("etcd") }} \
-u {{ etcd_user_id }}:{{ etcd_group_id }} --group-add {{ etcd_cert_group_id }} \
{{ etcd_image_repo }}:{{ etcd_image_tag }} \ {{ etcd_image_repo }}:{{ etcd_image_tag }} \
{% if etcd_after_v3 %} {% if etcd_after_v3 %}
{{ etcd_container_bin_dir }}etcd {{ etcd_container_bin_dir }}etcd

View file

@ -8,9 +8,6 @@ Restart=on-failure
RestartSec=10s RestartSec=10s
TimeoutStartSec=0 TimeoutStartSec=0
LimitNOFILE=40000 LimitNOFILE=40000
User=root
Group={{ etcd_group_id }}
SupplementaryGroups={{ etcd_cert_group_id }}
ExecStart=/usr/bin/rkt run \ ExecStart=/usr/bin/rkt run \
--uuid-file-save=/var/run/etcd.uuid \ --uuid-file-save=/var/run/etcd.uuid \
@ -23,11 +20,6 @@ ExecStart=/usr/bin/rkt run \
--set-env-file=/etc/etcd.env \ --set-env-file=/etc/etcd.env \
--stage1-from-dir=stage1-fly.aci \ --stage1-from-dir=stage1-fly.aci \
{{ etcd_image_repo }}:{{ etcd_image_tag }} \ {{ etcd_image_repo }}:{{ etcd_image_tag }} \
{% for c in etcd_drop_cap %}
--caps-remove=CAP_{{ c.upper() }} \
{% endfor %}
--memory={{ etcd_memory_limit }} --cpu={{ etcd_cpu_limit }} \
--user={{ etcd_user_id }} --group={{ etcd_group_id }} \
--name={{ etcd_member_name | default("etcd") }} --name={{ etcd_member_name | default("etcd") }}
ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/run/etcd.uuid ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/run/etcd.uuid

View file

@ -51,18 +51,3 @@ netchecker_kubectl_memory_requests: 64M
etcd_cert_dir: "/etc/ssl/etcd/ssl" etcd_cert_dir: "/etc/ssl/etcd/ssl"
calico_cert_dir: "/etc/calico/certs" calico_cert_dir: "/etc/calico/certs"
canal_cert_dir: "/etc/canal/certs" canal_cert_dir: "/etc/canal/certs"
# Linux capabilities to be dropped for k8s apps ran by container engines
apps_drop_cap:
- chown
- dac_override
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- sys_chroot
- mknod
- audit_write
- setfcap

View file

@ -25,12 +25,6 @@ spec:
- name: calico-policy-controller - name: calico-policy-controller
image: {{ calico_policy_image_repo }}:{{ calico_policy_image_tag }} image: {{ calico_policy_image_repo }}:{{ calico_policy_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }} imagePullPolicy: {{ k8s_image_pull_policy }}
securityContext:
capabilities:
drop:
{% for c in apps_drop_cap %}
- {{ c.upper() }}
{% endfor %}
resources: resources:
limits: limits:
cpu: {{ calico_policy_controller_cpu_limit }} cpu: {{ calico_policy_controller_cpu_limit }}

View file

@ -23,12 +23,6 @@ spec:
- name: REPORT_INTERVAL - name: REPORT_INTERVAL
value: '{{ agent_report_interval }}' value: '{{ agent_report_interval }}'
imagePullPolicy: {{ k8s_image_pull_policy }} imagePullPolicy: {{ k8s_image_pull_policy }}
securityContext:
capabilities:
drop:
{% for c in apps_drop_cap %}
- {{ c.upper() }}
{% endfor %}
resources: resources:
limits: limits:
cpu: {{ netchecker_agent_cpu_limit }} cpu: {{ netchecker_agent_cpu_limit }}

View file

@ -24,12 +24,6 @@ spec:
- name: REPORT_INTERVAL - name: REPORT_INTERVAL
value: '{{ agent_report_interval }}' value: '{{ agent_report_interval }}'
imagePullPolicy: {{ k8s_image_pull_policy }} imagePullPolicy: {{ k8s_image_pull_policy }}
securityContext:
capabilities:
drop:
{% for c in apps_drop_cap %}
- {{ c.upper() }}
{% endfor %}
resources: resources:
limits: limits:
cpu: {{ netchecker_agent_cpu_limit }} cpu: {{ netchecker_agent_cpu_limit }}

View file

@ -33,9 +33,3 @@ spec:
memory: {{ netchecker_kubectl_memory_requests }} memory: {{ netchecker_kubectl_memory_requests }}
args: args:
- proxy - proxy
securityContext:
capabilities:
drop:
{% for c in apps_drop_cap %}
- {{ c.upper() }}
{% endfor %}

View file

@ -13,21 +13,6 @@ kube_apiserver_node_port_range: "30000-32767"
etcd_config_dir: /etc/ssl/etcd etcd_config_dir: /etc/ssl/etcd
etcd_cert_dir: "{{ etcd_config_dir }}/ssl" etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
# Linux capabilities to be dropped for k8s apps ran by container engines
apps_drop_cap:
- chown
- dac_override
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- sys_chroot
- mknod
- audit_write
- setfcap
# Limits for kube components # Limits for kube components
kube_controller_memory_limit: 512M kube_controller_memory_limit: 512M
kube_controller_cpu_limit: 250m kube_controller_cpu_limit: 250m

View file

@ -2,9 +2,6 @@
- include: pre-upgrade.yml - include: pre-upgrade.yml
tags: k8s-pre-upgrade tags: k8s-pre-upgrade
- include: set_facts.yml
tags: facts
- name: Copy kubectl from hyperkube container - name: Copy kubectl from hyperkube container
command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp /hyperkube /systembindir/kubectl" command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp /hyperkube /systembindir/kubectl"
register: kube_task_result register: kube_task_result

View file

@ -1,22 +0,0 @@
---
- name: Master | get kube user ID
shell: /usr/bin/id -u {{ kubelet_user }} || echo 0
register: kube_uid
- name: Master | get kube group ID
shell: /usr/bin/getent group {{ kubelet_group }} | cut -d':' -f3 || echo 0
register: kube_gid
- name: Master | get kube cert group ID
shell: /usr/bin/getent group {{ kube_cert_group }} | cut -d':' -f3 || echo 0
register: kube_cert_gid
- name: Master | get etcd cert group ID
shell: /usr/bin/getent group {{ etcd_cert_group }} | cut -d':' -f3 || echo 0
register: etcd_cert_gid
- set_fact:
kubelet_user_id: "{{ kube_uid.stdout }}"
kubelet_group_id: "{{ kube_gid.stdout }}"
kube_cert_group_id: "{{ kube_cert_gid.stdout }}"
etcd_cert_group_id: "{{ etcd_cert_gid.stdout }}"

View file

@ -12,14 +12,6 @@ spec:
- name: kube-apiserver - name: kube-apiserver
image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }} imagePullPolicy: {{ k8s_image_pull_policy }}
securityContext:
capabilities:
drop:
{% for c in apps_drop_cap %}
- {{ c.upper() }}
{% endfor %}
add:
- DAC_OVERRIDE
resources: resources:
limits: limits:
cpu: {{ kube_apiserver_cpu_limit }} cpu: {{ kube_apiserver_cpu_limit }}

View file

@ -11,17 +11,6 @@ spec:
- name: kube-controller-manager - name: kube-controller-manager
image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }} imagePullPolicy: {{ k8s_image_pull_policy }}
securityContext:
runAsUser: {{ kubelet_user_id }}
fsGroup: {{ kubelet_group_id }}
supplementalGroups:
- {{ kube_cert_group_id }}
- {{ etcd_cert_group_id }}
capabilities:
drop:
{% for c in apps_drop_cap %}
- {{ c.upper() }}
{% endfor %}
resources: resources:
limits: limits:
cpu: {{ kube_controller_cpu_limit }} cpu: {{ kube_controller_cpu_limit }}

View file

@ -11,17 +11,6 @@ spec:
- name: kube-scheduler - name: kube-scheduler
image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }} imagePullPolicy: {{ k8s_image_pull_policy }}
securityContext:
runAsUser: {{ kubelet_user_id }}
fsGroup: {{ kubelet_group_id }}
supplementalGroups:
- {{ kube_cert_group_id }}
- {{ etcd_cert_group_id }}
capabilities:
drop:
{% for c in apps_drop_cap %}
- {{ c.upper() }}
{% endfor %}
resources: resources:
limits: limits:
cpu: {{ kube_scheduler_cpu_limit }} cpu: {{ kube_scheduler_cpu_limit }}

View file

@ -29,18 +29,3 @@ nginx_image_repo: nginx
nginx_image_tag: 1.11.4-alpine nginx_image_tag: 1.11.4-alpine
etcd_config_dir: /etc/ssl/etcd etcd_config_dir: /etc/ssl/etcd
# Linux capabilities to be dropped for container engines
apps_drop_cap:
- chown
- dac_override
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- sys_chroot
- mknod
- audit_write
- setfcap

View file

@ -26,6 +26,6 @@
notify: restart kubelet notify: restart kubelet
- name: install | Install kubelet launch script - name: install | Install kubelet launch script
template: src=kubelet-container.j2 dest="{{ bin_dir }}/kubelet" owner={{ kubelet_user }} mode=0755 backup=yes template: src=kubelet-container.j2 dest="{{ bin_dir }}/kubelet" owner=kube mode=0755 backup=yes
notify: restart kubelet notify: restart kubelet
when: kubelet_deployment_type == "docker" when: kubelet_deployment_type == "docker"

View file

@ -4,9 +4,6 @@
{%- if inventory_hostname in groups['kube-master'] and inventory_hostname not in groups['kube-node'] -%}true{%- else -%}false{%- endif -%} {%- if inventory_hostname in groups['kube-master'] and inventory_hostname not in groups['kube-node'] -%}true{%- else -%}false{%- endif -%}
tags: facts tags: facts
- include: pre-upgrade.yml
tags: k8s-pre-upgrade
- include: install.yml - include: install.yml
tags: kubelet tags: kubelet

View file

@ -1,4 +0,0 @@
---
- name: "Pre-upgrade | share access to kube certs for its users"
shell: chmod g+r {{ kube_cert_dir }}/*.pem
failed_when: false

View file

@ -44,7 +44,6 @@ ExecStart=/usr/bin/rkt run \
--mount volume=var-log,target=/var/log \ --mount volume=var-log,target=/var/log \
--stage1-from-dir=stage1-fly.aci \ --stage1-from-dir=stage1-fly.aci \
{{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} \ {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} \
--memory={{ kubelet_memory_limit }} --cpu={{ kubelet_cpu_limit }} \
--uuid-file-save=/var/run/kubelet.uuid \ --uuid-file-save=/var/run/kubelet.uuid \
--debug --exec=/kubelet -- \ --debug --exec=/kubelet -- \
$KUBE_LOGTOSTDERR \ $KUBE_LOGTOSTDERR \

View file

@ -2,7 +2,4 @@
dependencies: dependencies:
- role: adduser - role: adduser
user: "{{ addusers.kube }}" user: "{{ addusers.kube }}"
tags: [bootstrap-os, kubelet] tags: kubelet
- role: adduser
user: "{{ addusers.netplug }}"
tags: [bootstrap-os, network]

View file

@ -23,12 +23,6 @@
- include: set_facts.yml - include: set_facts.yml
tags: facts tags: facts
- include: set_resolv_facts.yml
tags: [bootstrap-os, resolvconf, facts]
- include: set_uid_facts.yml
tags: [bootstrap-os, facts]
- name: gather os specific variables - name: gather os specific variables
include_vars: "{{ item }}" include_vars: "{{ item }}"
with_first_found: with_first_found:
@ -48,7 +42,7 @@
file: file:
path: "{{ kube_config_dir }}" path: "{{ kube_config_dir }}"
state: directory state: directory
owner: "{{ kubelet_user }}" owner: kube
when: "{{ inventory_hostname in groups['k8s-cluster'] }}" when: "{{ inventory_hostname in groups['k8s-cluster'] }}"
tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node] tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node]
@ -56,7 +50,7 @@
file: file:
path: "{{ kube_script_dir }}" path: "{{ kube_script_dir }}"
state: directory state: directory
owner: "{{ kubelet_user }}" owner: kube
when: "{{ inventory_hostname in groups['k8s-cluster'] }}" when: "{{ inventory_hostname in groups['k8s-cluster'] }}"
tags: [k8s-secrets, bootstrap-os] tags: [k8s-secrets, bootstrap-os]
@ -64,7 +58,7 @@
file: file:
path: "{{ kube_manifest_dir }}" path: "{{ kube_manifest_dir }}"
state: directory state: directory
owner: "{{ kubelet_user }}" owner: kube
when: "{{ inventory_hostname in groups['k8s-cluster'] }}" when: "{{ inventory_hostname in groups['k8s-cluster'] }}"
tags: [kubelet, bootstrap-os, master, node] tags: [kubelet, bootstrap-os, master, node]
@ -86,7 +80,7 @@
file: file:
path: "{{ item }}" path: "{{ item }}"
state: directory state: directory
owner: "{{ kubelet_user }}" owner: kube
with_items: with_items:
- "/etc/cni/net.d" - "/etc/cni/net.d"
- "/opt/cni/bin" - "/opt/cni/bin"

View file

@ -51,3 +51,6 @@
etcd_container_bin_dir: "{% if etcd_after_v3 %}/usr/local/bin/{% else %}/{% endif %}" etcd_container_bin_dir: "{% if etcd_after_v3 %}/usr/local/bin/{% else %}/{% endif %}"
- set_fact: - set_fact:
peer_with_calico_rr: "{{ 'calico-rr' in groups and groups['calico-rr']|length > 0 }}" peer_with_calico_rr: "{{ 'calico-rr' in groups and groups['calico-rr']|length > 0 }}"
- include: set_resolv_facts.yml
tags: [bootstrap-os, resolvconf, facts]

View file

@ -1,32 +0,0 @@
---
- name: Preinstall | get kube user ID
shell: /usr/bin/id -u {{ kubelet_user }} || echo 0
register: kube_uid
- name: Preinstall | get kube group ID
shell: /usr/bin/id -g {{ kubelet_group }} || echo 0
register: kube_gid
- name: Preinstall | get kube cert group ID
shell: /usr/bin/id -g {{ kube_cert_group }} || echo 0
register: kube_cert_gid
- name: Preinstall | get etcd cert group ID
shell: /usr/bin/id -g {{ etcd_cert_group }} || echo 0
register: etcd_cert_gid
- name: Preinstall | get netplug user ID
shell: /usr/bin/id -u {{ netplug_user }} || echo 0
register: netplug_uid
- name: Preinstall | get netplug group ID
shell: /usr/bin/getent group {{ netplug_group }} | cut -d':' -f3 || echo 0
register: netplug_gid
- set_fact:
kubelet_user_id: "{{ kube_uid.stdout }}"
kubelet_group_id: "{{ kube_gid.stdout }}"
kube_cert_group_id: "{{ kube_cert_gid.stdout }}"
etcd_cert_group_id: "{{ etcd_cert_gid.stdout }}"
netplug_user_id: "{{ netplug_uid.stdout }}"
netplug_group_id: "{{ netplug_gid.stdout }}"

View file

@ -101,8 +101,5 @@ if [ -n "$HOSTS" ]; then
done done
fi fi
# Grant the group read access
chmod g+r *.pem
# Install certs # Install certs
mv *.pem ${SSLDIR}/ mv *.pem ${SSLDIR}/

View file

@ -140,11 +140,11 @@
file: file:
path={{ kube_cert_dir }} path={{ kube_cert_dir }}
group={{ kube_cert_group }} group={{ kube_cert_group }}
owner={{ kubelet_user }} owner=kube
recurse=yes recurse=yes
- name: Gen_certs | set shared group permissions on keys - name: Gen_certs | set permissions on keys
shell: chmod 0640 {{ kube_cert_dir}}/*.pem shell: chmod 0600 {{ kube_cert_dir}}/*key.pem
when: inventory_hostname in groups['kube-master'] when: inventory_hostname in groups['kube-master']
changed_when: false changed_when: false

View file

@ -9,7 +9,6 @@
path={{ kube_cert_dir }} path={{ kube_cert_dir }}
state=directory state=directory
mode=o-rwx mode=o-rwx
owner={{ kubelet_user }}
group={{ kube_cert_group }} group={{ kube_cert_group }}
- name: Make sure the tokens directory exits - name: Make sure the tokens directory exits
@ -17,16 +16,14 @@
path={{ kube_token_dir }} path={{ kube_token_dir }}
state=directory state=directory
mode=o-rwx mode=o-rwx
owner={{ kubelet_user }} group={{ kube_cert_group }}
group={{ kubelet_group }}
- name: Make sure the users directory exits - name: Make sure the users directory exits
file: file:
path={{ kube_users_dir }} path={{ kube_users_dir }}
state=directory state=directory
mode=o-rwx mode=o-rwx
owner={{ kubelet_user }} group={{ kube_cert_group }}
group={{ kubelet_group }}
- name: Populate users for basic auth in API - name: Populate users for basic auth in API
lineinfile: lineinfile:

View file

@ -20,23 +20,6 @@ global_as_num: "64512"
# defaults. The value should be a number, not a string. # defaults. The value should be a number, not a string.
# calico_mtu: 1500 # calico_mtu: 1500
# Linux capabilities to be dropped for container engines
calico_drop_cap:
- chown
- dac_override
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- net_bind_service
- net_raw
- sys_chroot
- mknod
- audit_write
- setfcap
# Limits for apps # Limits for apps
calico_node_memory_limit: 500M calico_node_memory_limit: 500M
calico_node_cpu_limit: 300m calico_node_cpu_limit: 300m

View file

@ -12,8 +12,8 @@
dest: "{{ calico_cert_dir }}" dest: "{{ calico_cert_dir }}"
state: directory state: directory
mode: 0750 mode: 0750
owner: "{{ netplug_user }}" owner: root
group: "{{ netplug_group }}" group: root
- name: Calico-rr | Link etcd certificates for calico-node - name: Calico-rr | Link etcd certificates for calico-node
file: file:
@ -31,8 +31,8 @@
path: /var/log/calico-rr path: /var/log/calico-rr
state: directory state: directory
mode: 0755 mode: 0755
owner: "{{ netplug_user }}" owner: root
group: "{{ netplug_group }}" group: root
- name: Calico-rr | Write calico-rr.env for systemd init file - name: Calico-rr | Write calico-rr.env for systemd init file
template: src=calico-rr.env.j2 dest=/etc/calico/calico-rr.env template: src=calico-rr.env.j2 dest=/etc/calico/calico-rr.env

View file

@ -6,7 +6,7 @@ Requires=docker.service
[Service] [Service]
EnvironmentFile=/etc/calico/calico-rr.env EnvironmentFile=/etc/calico/calico-rr.env
ExecStartPre=-{{ docker_bin_dir }}/docker rm -f calico-rr ExecStartPre=-{{ docker_bin_dir }}/docker rm -f calico-rr
ExecStart={{ docker_bin_dir }}/docker run --net=host \ ExecStart={{ docker_bin_dir }}/docker run --net=host --privileged \
--name=calico-rr \ --name=calico-rr \
-e IP=${IP} \ -e IP=${IP} \
-e IP6=${IP6} \ -e IP6=${IP6} \
@ -16,10 +16,6 @@ ExecStart={{ docker_bin_dir }}/docker run --net=host \
-e ETCD_KEY_FILE=${ETCD_KEY_FILE} \ -e ETCD_KEY_FILE=${ETCD_KEY_FILE} \
-v /var/log/calico-rr:/var/log/calico \ -v /var/log/calico-rr:/var/log/calico \
-v {{ calico_cert_dir }}:{{ calico_cert_dir }}:ro \ -v {{ calico_cert_dir }}:{{ calico_cert_dir }}:ro \
{% for c in calico_drop_cap %}
--cap-drop={{ c }} \
{% endfor %}
-u {{ netplug_user_id }}:{{ netplug_group_id }} --group-add {{ etcd_cert_group }} \
--memory={{ calico_rr_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ calico_rr_cpu_limit|regex_replace('m', '') }} \ --memory={{ calico_rr_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ calico_rr_cpu_limit|regex_replace('m', '') }} \
{{ calico_rr_image_repo }}:{{ calico_rr_image_tag }} {{ calico_rr_image_repo }}:{{ calico_rr_image_tag }}

View file

@ -9,16 +9,15 @@
template: template:
src: "cni-calico.conf.j2" src: "cni-calico.conf.j2"
dest: "/etc/cni/net.d/10-calico.conf" dest: "/etc/cni/net.d/10-calico.conf"
owner: "{{ kubelet_user }}" owner: kube
group: "{{ kubelet_group }}"
- name: Calico | Create calico certs directory - name: Calico | Create calico certs directory
file: file:
dest: "{{ calico_cert_dir }}" dest: "{{ calico_cert_dir }}"
state: directory state: directory
mode: 0750 mode: 0750
owner: "{{ netplug_user }}" owner: root
group: "{{ netplug_group }}" group: root
- name: Calico | Link etcd certificates for calico-node - name: Calico | Link etcd certificates for calico-node
file: file:

View file

@ -3,16 +3,15 @@
template: template:
src: "cni-canal.conf.j2" src: "cni-canal.conf.j2"
dest: "/etc/cni/net.d/10-canal.conf" dest: "/etc/cni/net.d/10-canal.conf"
owner: "{{ kubelet_user }}" owner: kube
group: "{{ kubelet_group }}"
- name: Canal | Create canal certs directory - name: Canal | Create canal certs directory
file: file:
dest: "{{ canal_cert_dir }}" dest: "{{ canal_cert_dir }}"
state: directory state: directory
mode: 0750 mode: 0750
owner: "{{ netplug_user }}" owner: root
group: "{{ netplug_group }}" group: root
- name: Canal | Link etcd certificates for canal-node - name: Canal | Link etcd certificates for canal-node
file: file: