Drop linux capabilities and rework users/groups
* Drop linux capabilities for unprivileged containerized worlkoads Kargo configures for deployments. * Configure required securityContext/user/group/groups for kube components' static manifests, etcd, calico-rr and k8s apps, like dnsmasq daemonset. * Rework cloud-init (etcd) users creation for CoreOS. * Fix nologin paths, adjust defaults for addusers role and ensure supplementary groups membership added for users. * Add netplug user for network plugins (yet unused by privileged networking containers though). * Grant the kube and netplug users read access for etcd certs via the etcd certs group. * Grant group read access to kube certs via the kube cert group. * Remove priveleged mode for calico-rr and run it under its uid/gid and supplementary etcd_cert group. * Adjust docs. * Align cpu/memory limits and dropped caps with added rkt support for control plane. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
This commit is contained in:
parent
8ce32eb3e1
commit
cb2e5ac776
48 changed files with 413 additions and 81 deletions
31
docs/security.md
Normal file
31
docs/security.md
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
Users and groups
|
||||||
|
================
|
||||||
|
|
||||||
|
There are following users and groups defined by the addusers role:
|
||||||
|
|
||||||
|
* Kube user, group from the ``kubelet_user`` and ``kubelet_group`` vars.
|
||||||
|
* Etcd user, group from the ``etcd_user`` and ``etcd_group`` vars.
|
||||||
|
* Network plugin user, group from the ``netplug_user`` and ``netplug_group`` vars.
|
||||||
|
|
||||||
|
There are additional certificate access groups for kube and etcd users defined.
|
||||||
|
For example, kubelet and network plugins require read access to the
|
||||||
|
etcd certs and keys. This is defined via the corresponding ``etcd_cert_group``
|
||||||
|
var. Members of that group (defaults to `kube` and `netplug` users) will read
|
||||||
|
etcd secret keys and certs. Same applies to the ``kube_cert_group``
|
||||||
|
(defaults to `kube` user) members. You may want to share kube certs via that
|
||||||
|
group with bastion proxies or the like.
|
||||||
|
|
||||||
|
Linux capabilites
|
||||||
|
=================
|
||||||
|
|
||||||
|
Kargo allows to control dropped Linux capabilities for unprivileged docker
|
||||||
|
containers it configures for deployments. For examle, etcd or some networking
|
||||||
|
related systemd units or k8s workloads, like kubedns, dnsmasq or netchecker apps.
|
||||||
|
|
||||||
|
Dropped capabilites are represented by the ``apps_drop_cap``, ``dnsmasq_drop_cap``,
|
||||||
|
``etcd_drop_cap``, ``calico_drop_cap`` vars.
|
||||||
|
|
||||||
|
Be carefull changing defaults - different kube components and k8s apps might
|
||||||
|
expect specific capabilities to be present and can only run as root! Also note
|
||||||
|
that kublet, kube-proxy and network plugins require privileged mode and ignore
|
||||||
|
dropped capabilities.
|
|
@ -36,10 +36,19 @@ retry_stagger: 5
|
||||||
# Directory where python binary is installed
|
# Directory where python binary is installed
|
||||||
# ansible_python_interpreter: "/opt/bin/python"
|
# ansible_python_interpreter: "/opt/bin/python"
|
||||||
|
|
||||||
# This is the group that the cert creation scripts chgrp the
|
# This is the users/groups to own files and groups that the cert creation
|
||||||
# cert files to. Not really changable...
|
# scripts chgrp the cert files to
|
||||||
|
kubelet_user: kube
|
||||||
|
kubelet_group: kube
|
||||||
kube_cert_group: kube-cert
|
kube_cert_group: kube-cert
|
||||||
|
|
||||||
|
netplug_user: netplug
|
||||||
|
netplug_group: netplug
|
||||||
|
|
||||||
|
etcd_user: etcd
|
||||||
|
etcd_group: etcd
|
||||||
|
etcd_cert_group: etcd-cert
|
||||||
|
|
||||||
# Cluster Loglevel configuration
|
# Cluster Loglevel configuration
|
||||||
kube_log_level: 2
|
kube_log_level: 2
|
||||||
|
|
||||||
|
|
|
@ -1,24 +1,40 @@
|
||||||
---
|
---
|
||||||
addusers:
|
addusers:
|
||||||
etcd:
|
etcd:
|
||||||
name: etcd
|
name: "{{ etcd_user }}"
|
||||||
comment: "Etcd user"
|
comment: "Etcd user"
|
||||||
createhome: yes
|
createhome: >-
|
||||||
|
{% if ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] %}no{% else %}yes{% endif %}
|
||||||
home: "/var/lib/etcd"
|
home: "/var/lib/etcd"
|
||||||
system: yes
|
system: yes
|
||||||
shell: /bin/nologin
|
shell: /usr/sbin/nologin
|
||||||
|
group: "{{ etcd_group }}"
|
||||||
|
groups: "{{ etcd_cert_group }}"
|
||||||
|
type: >-
|
||||||
|
{% if ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] %}cloud-init{% endif %}
|
||||||
kube:
|
kube:
|
||||||
name: kube
|
name: "{{ kubelet_user }}"
|
||||||
comment: "Kubernetes user"
|
comment: "Kubernetes user"
|
||||||
shell: /sbin/nologin
|
shell: /usr/sbin/nologin
|
||||||
system: yes
|
system: yes
|
||||||
group: "{{ kube_cert_group }}"
|
group: "{{ kubelet_group }}"
|
||||||
|
groups: "{{ etcd_cert_group }},{{ kube_cert_group }}"
|
||||||
createhome: no
|
createhome: no
|
||||||
|
netplug:
|
||||||
|
name: "{{ netplug_user }}"
|
||||||
|
comment: "Network plugin user"
|
||||||
|
createhome: no
|
||||||
|
system: yes
|
||||||
|
shell: /usr/sbin/nologin
|
||||||
|
group: "{{ netplug_group }}"
|
||||||
|
groups: "{{ etcd_cert_group }}"
|
||||||
|
|
||||||
adduser:
|
adduser:
|
||||||
name: "{{ user.name }}"
|
name: "{{ user.name }}"
|
||||||
group: "{{ user.name|default(None) }}"
|
group: "{{ user.name|default(None) }}"
|
||||||
|
groups: "{{ user.groups|default(None) }}"
|
||||||
comment: "{{ user.comment|default(None) }}"
|
comment: "{{ user.comment|default(None) }}"
|
||||||
shell: "{{ user.shell|default(None) }}"
|
shell: "{{ user.shell|default(None) }}"
|
||||||
system: "{{ user.system|default(None) }}"
|
system: "{{ user.system|default(None) }}"
|
||||||
createhome: "{{ user.createhome|default(None) }}"
|
createhome: "{{ user.createhome|default(None) }}"
|
||||||
|
type: "{{ user.type|default(None) }}"
|
||||||
|
|
4
roles/adduser/handlers/main.yml
Normal file
4
roles/adduser/handlers/main.yml
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
- name: User | update users for cloud-init
|
||||||
|
command: /usr/bin/coreos-cloudinit --from-file /etc/{{ user.name }}_user_cloud_init_conf
|
||||||
|
when: ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]
|
|
@ -1,13 +1,35 @@
|
||||||
---
|
---
|
||||||
|
- name: User | Create Certificate Access Groups
|
||||||
|
group: name={{ item }} system=yes
|
||||||
|
with_items: "{{ user.groups.split(',') }}"
|
||||||
|
|
||||||
- name: User | Create User Group
|
- name: User | Create User Group
|
||||||
group: name={{user.group|default(user.name)}} system={{user.system|default(omit)}}
|
group: name={{user.group|default(user.name)}} system={{user.system|default(omit)}}
|
||||||
|
|
||||||
|
- name: User | Create cloud-init user
|
||||||
|
template:
|
||||||
|
dest: /etc/{{ user.name }}_user_cloud_init_conf
|
||||||
|
src: users.j2
|
||||||
|
owner: root
|
||||||
|
mode: 0640
|
||||||
|
notify: User | update users for cloud-init
|
||||||
|
when: "{{ user.type|default('standard') == 'cloud-init' }}"
|
||||||
|
|
||||||
|
- meta: flush_handlers
|
||||||
|
|
||||||
|
- name: User | Hack groups for existing cloud-init users CoreOS
|
||||||
|
command: /usr/sbin/usermod -aG {{ item }} {{ user.name }}
|
||||||
|
with_items: "{{ user.groups.split(',') }}"
|
||||||
|
when: "{{ ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] and user.type|default('standard') == 'cloud-init' }}"
|
||||||
|
|
||||||
- name: User | Create User
|
- name: User | Create User
|
||||||
user:
|
user:
|
||||||
comment: "{{user.comment|default(omit)}}"
|
comment: "{{user.comment|default(omit)}}"
|
||||||
createhome: "{{user.create_home|default(omit)}}"
|
createhome: "{{user.createhome|default(omit)}}"
|
||||||
group: "{{user.group|default(user.name)}}"
|
group: "{{user.group|default(user.name)}}"
|
||||||
|
groups: "{{user.groups|default(omit)}}"
|
||||||
home: "{{user.home|default(omit)}}"
|
home: "{{user.home|default(omit)}}"
|
||||||
shell: "{{user.shell|default(omit)}}"
|
shell: "{{user.shell|default(omit)}}"
|
||||||
name: "{{user.name}}"
|
name: "{{user.name}}"
|
||||||
system: "{{user.system|default(omit)}}"
|
system: "{{user.system|default(omit)}}"
|
||||||
|
when: "{{ user.type|default('standard') != 'cloud-init' }}"
|
||||||
|
|
15
roles/adduser/templates/users.j2
Normal file
15
roles/adduser/templates/users.j2
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
#cloud-config
|
||||||
|
users:
|
||||||
|
- name: {{ user.name }}
|
||||||
|
gecos: {{ user.comment }}
|
||||||
|
system: {{ user.system|bool }}
|
||||||
|
no-log-init: {{ user.system|bool }}
|
||||||
|
primary-group: {{ user.group }}
|
||||||
|
no-create-home: {{ not user.createhome|bool }}
|
||||||
|
homedir: {{ user.home }}
|
||||||
|
shell: {{ user.shell }}
|
||||||
|
groups: |
|
||||||
|
{% for g in user.groups.split(',') %}
|
||||||
|
- {{ g }}
|
||||||
|
{% endfor %}
|
||||||
|
#
|
|
@ -1,8 +0,0 @@
|
||||||
---
|
|
||||||
addusers:
|
|
||||||
- name: kube
|
|
||||||
comment: "Kubernetes user"
|
|
||||||
shell: /sbin/nologin
|
|
||||||
system: yes
|
|
||||||
group: "{{ kube_cert_group }}"
|
|
||||||
createhome: no
|
|
|
@ -1,15 +0,0 @@
|
||||||
---
|
|
||||||
addusers:
|
|
||||||
- name: etcd
|
|
||||||
comment: "Etcd user"
|
|
||||||
createhome: yes
|
|
||||||
home: "/var/lib/etcd"
|
|
||||||
system: yes
|
|
||||||
shell: /bin/nologin
|
|
||||||
|
|
||||||
- name: kube
|
|
||||||
comment: "Kubernetes user"
|
|
||||||
shell: /sbin/nologin
|
|
||||||
system: yes
|
|
||||||
group: "{{ kube_cert_group }}"
|
|
||||||
createhome: no
|
|
|
@ -1,15 +0,0 @@
|
||||||
---
|
|
||||||
addusers:
|
|
||||||
- name: etcd
|
|
||||||
comment: "Etcd user"
|
|
||||||
createhome: yes
|
|
||||||
home: "/var/lib/etcd"
|
|
||||||
system: yes
|
|
||||||
shell: /bin/nologin
|
|
||||||
|
|
||||||
- name: kube
|
|
||||||
comment: "Kubernetes user"
|
|
||||||
shell: /sbin/nologin
|
|
||||||
system: yes
|
|
||||||
group: "{{ kube_cert_group }}"
|
|
||||||
createhome: no
|
|
|
@ -26,3 +26,16 @@ dns_cpu_limit: 100m
|
||||||
dns_memory_limit: 170Mi
|
dns_memory_limit: 170Mi
|
||||||
dns_cpu_requests: 70m
|
dns_cpu_requests: 70m
|
||||||
dns_memory_requests: 70Mi
|
dns_memory_requests: 70Mi
|
||||||
|
|
||||||
|
# Linux capabilities to be dropped for dnsmasq k8s app ran container engines
|
||||||
|
dnsmasq_drop_cap:
|
||||||
|
- chown
|
||||||
|
- dac_override
|
||||||
|
- fowner
|
||||||
|
- fsetid
|
||||||
|
- kill
|
||||||
|
- setpcap
|
||||||
|
- sys_chroot
|
||||||
|
- mknod
|
||||||
|
- audit_write
|
||||||
|
- setfcap
|
||||||
|
|
|
@ -26,6 +26,10 @@ spec:
|
||||||
capabilities:
|
capabilities:
|
||||||
add:
|
add:
|
||||||
- NET_ADMIN
|
- NET_ADMIN
|
||||||
|
drop:
|
||||||
|
{% for c in dnsmasq_drop_cap %}
|
||||||
|
- {{ c.upper() }}
|
||||||
|
{% endfor %}
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
|
|
|
@ -3,10 +3,26 @@ etcd_bin_dir: "{{ local_release_dir }}/etcd/etcd-{{ etcd_version }}-linux-amd64/
|
||||||
|
|
||||||
etcd_config_dir: /etc/ssl/etcd
|
etcd_config_dir: /etc/ssl/etcd
|
||||||
etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
|
etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
|
||||||
etcd_cert_group: root
|
|
||||||
|
|
||||||
etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
|
etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
|
||||||
|
|
||||||
|
# Linux capabilities to be dropped for container engines
|
||||||
|
etcd_drop_cap:
|
||||||
|
- chown
|
||||||
|
- dac_override
|
||||||
|
- fowner
|
||||||
|
- fsetid
|
||||||
|
- kill
|
||||||
|
- setgid
|
||||||
|
- setuid
|
||||||
|
- setpcap
|
||||||
|
- net_bind_service
|
||||||
|
- net_raw
|
||||||
|
- sys_chroot
|
||||||
|
- mknod
|
||||||
|
- audit_write
|
||||||
|
- setfcap
|
||||||
|
|
||||||
# Limits
|
# Limits
|
||||||
etcd_memory_limit: 512M
|
etcd_memory_limit: 512M
|
||||||
etcd_cpu_limit: 300m
|
etcd_cpu_limit: 300m
|
||||||
|
|
|
@ -94,5 +94,8 @@ if [ -n "$HOSTS" ]; then
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Grant the group read access
|
||||||
|
chmod g+r *.pem
|
||||||
|
|
||||||
# Install certs
|
# Install certs
|
||||||
mv *.pem ${SSLDIR}/
|
mv *.pem ${SSLDIR}/
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
dependencies:
|
dependencies:
|
||||||
- role: adduser
|
- role: adduser
|
||||||
user: "{{ addusers.etcd }}"
|
user: "{{ addusers.etcd }}"
|
||||||
when: not ansible_os_family in ['CoreOS', 'Container Linux by CoreOS']
|
tags: bootstrap-os
|
||||||
- role: download
|
- role: download
|
||||||
file: "{{ downloads.etcd }}"
|
file: "{{ downloads.etcd }}"
|
||||||
tags: download
|
tags: download
|
||||||
|
|
|
@ -4,14 +4,15 @@
|
||||||
path={{ etcd_cert_dir }}
|
path={{ etcd_cert_dir }}
|
||||||
group={{ etcd_cert_group }}
|
group={{ etcd_cert_group }}
|
||||||
state=directory
|
state=directory
|
||||||
owner=root
|
mode=0750
|
||||||
|
owner={{ etcd_user }}
|
||||||
recurse=yes
|
recurse=yes
|
||||||
|
|
||||||
- name: "Gen_certs | create etcd script dir (on {{groups['etcd'][0]}})"
|
- name: "Gen_certs | create etcd script dir (on {{groups['etcd'][0]}})"
|
||||||
file:
|
file:
|
||||||
path: "{{ etcd_script_dir }}"
|
path: "{{ etcd_script_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: root
|
owner: "{{ etcd_user }}"
|
||||||
run_once: yes
|
run_once: yes
|
||||||
delegate_to: "{{groups['etcd'][0]}}"
|
delegate_to: "{{groups['etcd'][0]}}"
|
||||||
|
|
||||||
|
@ -20,7 +21,8 @@
|
||||||
path={{ etcd_cert_dir }}
|
path={{ etcd_cert_dir }}
|
||||||
group={{ etcd_cert_group }}
|
group={{ etcd_cert_group }}
|
||||||
state=directory
|
state=directory
|
||||||
owner=root
|
mode=0750
|
||||||
|
owner={{ etcd_user }}
|
||||||
recurse=yes
|
recurse=yes
|
||||||
run_once: yes
|
run_once: yes
|
||||||
delegate_to: "{{groups['etcd'][0]}}"
|
delegate_to: "{{groups['etcd'][0]}}"
|
||||||
|
@ -124,12 +126,12 @@
|
||||||
path={{ etcd_cert_dir }}
|
path={{ etcd_cert_dir }}
|
||||||
group={{ etcd_cert_group }}
|
group={{ etcd_cert_group }}
|
||||||
state=directory
|
state=directory
|
||||||
owner=kube
|
owner={{ etcd_user }}
|
||||||
recurse=yes
|
recurse=yes
|
||||||
tags: facts
|
tags: facts
|
||||||
|
|
||||||
- name: Gen_certs | set permissions on keys
|
- name: Gen_certs | set shared group permissions on keys
|
||||||
shell: chmod 0600 {{ etcd_cert_dir}}/*key.pem
|
shell: chmod 0640 {{ etcd_cert_dir}}/*.pem
|
||||||
when: inventory_hostname in groups['etcd']
|
when: inventory_hostname in groups['etcd']
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
---
|
---
|
||||||
- include: pre_upgrade.yml
|
- include: pre_upgrade.yml
|
||||||
tags: etcd-pre-upgrade
|
tags: etcd-pre-upgrade
|
||||||
|
- include: set_facts.yml
|
||||||
|
tags: [bootstrap-os, facts]
|
||||||
- include: check_certs.yml
|
- include: check_certs.yml
|
||||||
tags: [etcd-secrets, facts]
|
tags: [etcd-secrets, facts]
|
||||||
- include: gen_certs.yml
|
- include: gen_certs.yml
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
---
|
||||||
- name: "Pre-upgrade | check for etcd-proxy unit file"
|
- name: "Pre-upgrade | check for etcd-proxy unit file"
|
||||||
stat:
|
stat:
|
||||||
path: /etc/systemd/system/etcd-proxy.service
|
path: /etc/systemd/system/etcd-proxy.service
|
||||||
|
@ -49,3 +50,7 @@
|
||||||
awk -F"[: =]" '{print "{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses | regex_replace('https','http') }} member update "$1" https:"$7":"$8}' | bash
|
awk -F"[: =]" '{print "{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses | regex_replace('https','http') }} member update "$1" https:"$7":"$8}' | bash
|
||||||
run_once: true
|
run_once: true
|
||||||
when: 'etcd_member_list.rc == 0 and "http://" in etcd_member_list.stdout'
|
when: 'etcd_member_list.rc == 0 and "http://" in etcd_member_list.stdout'
|
||||||
|
|
||||||
|
- name: "Pre-upgrade | share access to etcd certs for its users"
|
||||||
|
shell: chmod g+r {{ etcd_cert_dir }}/*.pem
|
||||||
|
failed_when: false
|
||||||
|
|
17
roles/etcd/tasks/set_facts.yml
Normal file
17
roles/etcd/tasks/set_facts.yml
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
---
|
||||||
|
- name: Etcd | get etcd user ID
|
||||||
|
shell: /usr/bin/id -u {{ etcd_user }} || echo 0
|
||||||
|
register: etcd_uid
|
||||||
|
|
||||||
|
- name: Etcd | get etcd group ID
|
||||||
|
shell: /usr/bin/getent group {{ etcd_group }} | cut -d':' -f3 || echo 0
|
||||||
|
register: etcd_gid
|
||||||
|
|
||||||
|
- name: Etcd | get etcd cert group ID
|
||||||
|
shell: /usr/bin/getent group {{ etcd_cert_group }} | cut -d':' -f3 || echo 0
|
||||||
|
register: etcd_cert_gid
|
||||||
|
|
||||||
|
- set_fact:
|
||||||
|
etcd_user_id: "{{ etcd_uid.stdout }}"
|
||||||
|
etcd_group_id: "{{ etcd_gid.stdout }}"
|
||||||
|
etcd_cert_group_id: "{{ etcd_cert_gid.stdout }}"
|
|
@ -14,8 +14,12 @@ ExecStart={{ docker_bin_dir }}/docker run --restart=on-failure:5 \
|
||||||
-v /etc/ssl/certs:/etc/ssl/certs:ro \
|
-v /etc/ssl/certs:/etc/ssl/certs:ro \
|
||||||
-v {{ etcd_cert_dir }}:{{ etcd_cert_dir }}:ro \
|
-v {{ etcd_cert_dir }}:{{ etcd_cert_dir }}:ro \
|
||||||
-v /var/lib/etcd:/var/lib/etcd:rw \
|
-v /var/lib/etcd:/var/lib/etcd:rw \
|
||||||
|
{% for c in etcd_drop_cap %}
|
||||||
|
--cap-drop={{ c }} \
|
||||||
|
{% endfor %}
|
||||||
--memory={{ etcd_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ etcd_cpu_limit|regex_replace('m', '') }} \
|
--memory={{ etcd_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ etcd_cpu_limit|regex_replace('m', '') }} \
|
||||||
--name={{ etcd_member_name | default("etcd") }} \
|
--name={{ etcd_member_name | default("etcd") }} \
|
||||||
|
-u {{ etcd_user_id }}:{{ etcd_group_id }} --group-add {{ etcd_cert_group_id }} \
|
||||||
{{ etcd_image_repo }}:{{ etcd_image_tag }} \
|
{{ etcd_image_repo }}:{{ etcd_image_tag }} \
|
||||||
{% if etcd_after_v3 %}
|
{% if etcd_after_v3 %}
|
||||||
{{ etcd_container_bin_dir }}etcd
|
{{ etcd_container_bin_dir }}etcd
|
||||||
|
|
|
@ -8,6 +8,9 @@ Restart=on-failure
|
||||||
RestartSec=10s
|
RestartSec=10s
|
||||||
TimeoutStartSec=0
|
TimeoutStartSec=0
|
||||||
LimitNOFILE=40000
|
LimitNOFILE=40000
|
||||||
|
User=root
|
||||||
|
Group={{ etcd_group_id }}
|
||||||
|
SupplementaryGroups={{ etcd_cert_group_id }}
|
||||||
|
|
||||||
ExecStart=/usr/bin/rkt run \
|
ExecStart=/usr/bin/rkt run \
|
||||||
--uuid-file-save=/var/run/etcd.uuid \
|
--uuid-file-save=/var/run/etcd.uuid \
|
||||||
|
@ -20,6 +23,11 @@ ExecStart=/usr/bin/rkt run \
|
||||||
--set-env-file=/etc/etcd.env \
|
--set-env-file=/etc/etcd.env \
|
||||||
--stage1-from-dir=stage1-fly.aci \
|
--stage1-from-dir=stage1-fly.aci \
|
||||||
{{ etcd_image_repo }}:{{ etcd_image_tag }} \
|
{{ etcd_image_repo }}:{{ etcd_image_tag }} \
|
||||||
|
{% for c in etcd_drop_cap %}
|
||||||
|
--caps-remove=CAP_{{ c.upper() }} \
|
||||||
|
{% endfor %}
|
||||||
|
--memory={{ etcd_memory_limit }} --cpu={{ etcd_cpu_limit }} \
|
||||||
|
--user={{ etcd_user_id }} --group={{ etcd_group_id }} \
|
||||||
--name={{ etcd_member_name | default("etcd") }}
|
--name={{ etcd_member_name | default("etcd") }}
|
||||||
|
|
||||||
ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/run/etcd.uuid
|
ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/run/etcd.uuid
|
||||||
|
|
|
@ -51,3 +51,18 @@ netchecker_kubectl_memory_requests: 64M
|
||||||
etcd_cert_dir: "/etc/ssl/etcd/ssl"
|
etcd_cert_dir: "/etc/ssl/etcd/ssl"
|
||||||
calico_cert_dir: "/etc/calico/certs"
|
calico_cert_dir: "/etc/calico/certs"
|
||||||
canal_cert_dir: "/etc/canal/certs"
|
canal_cert_dir: "/etc/canal/certs"
|
||||||
|
|
||||||
|
# Linux capabilities to be dropped for k8s apps ran by container engines
|
||||||
|
apps_drop_cap:
|
||||||
|
- chown
|
||||||
|
- dac_override
|
||||||
|
- fowner
|
||||||
|
- fsetid
|
||||||
|
- kill
|
||||||
|
- setgid
|
||||||
|
- setuid
|
||||||
|
- setpcap
|
||||||
|
- sys_chroot
|
||||||
|
- mknod
|
||||||
|
- audit_write
|
||||||
|
- setfcap
|
||||||
|
|
|
@ -25,6 +25,12 @@ spec:
|
||||||
- name: calico-policy-controller
|
- name: calico-policy-controller
|
||||||
image: {{ calico_policy_image_repo }}:{{ calico_policy_image_tag }}
|
image: {{ calico_policy_image_repo }}:{{ calico_policy_image_tag }}
|
||||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
{% for c in apps_drop_cap %}
|
||||||
|
- {{ c.upper() }}
|
||||||
|
{% endfor %}
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
cpu: {{ calico_policy_controller_cpu_limit }}
|
cpu: {{ calico_policy_controller_cpu_limit }}
|
||||||
|
|
|
@ -23,6 +23,12 @@ spec:
|
||||||
- name: REPORT_INTERVAL
|
- name: REPORT_INTERVAL
|
||||||
value: '{{ agent_report_interval }}'
|
value: '{{ agent_report_interval }}'
|
||||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
{% for c in apps_drop_cap %}
|
||||||
|
- {{ c.upper() }}
|
||||||
|
{% endfor %}
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
cpu: {{ netchecker_agent_cpu_limit }}
|
cpu: {{ netchecker_agent_cpu_limit }}
|
||||||
|
|
|
@ -24,6 +24,12 @@ spec:
|
||||||
- name: REPORT_INTERVAL
|
- name: REPORT_INTERVAL
|
||||||
value: '{{ agent_report_interval }}'
|
value: '{{ agent_report_interval }}'
|
||||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
{% for c in apps_drop_cap %}
|
||||||
|
- {{ c.upper() }}
|
||||||
|
{% endfor %}
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
cpu: {{ netchecker_agent_cpu_limit }}
|
cpu: {{ netchecker_agent_cpu_limit }}
|
||||||
|
|
|
@ -33,3 +33,9 @@ spec:
|
||||||
memory: {{ netchecker_kubectl_memory_requests }}
|
memory: {{ netchecker_kubectl_memory_requests }}
|
||||||
args:
|
args:
|
||||||
- proxy
|
- proxy
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
{% for c in apps_drop_cap %}
|
||||||
|
- {{ c.upper() }}
|
||||||
|
{% endfor %}
|
||||||
|
|
|
@ -13,6 +13,21 @@ kube_apiserver_node_port_range: "30000-32767"
|
||||||
etcd_config_dir: /etc/ssl/etcd
|
etcd_config_dir: /etc/ssl/etcd
|
||||||
etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
|
etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
|
||||||
|
|
||||||
|
# Linux capabilities to be dropped for k8s apps ran by container engines
|
||||||
|
apps_drop_cap:
|
||||||
|
- chown
|
||||||
|
- dac_override
|
||||||
|
- fowner
|
||||||
|
- fsetid
|
||||||
|
- kill
|
||||||
|
- setgid
|
||||||
|
- setuid
|
||||||
|
- setpcap
|
||||||
|
- sys_chroot
|
||||||
|
- mknod
|
||||||
|
- audit_write
|
||||||
|
- setfcap
|
||||||
|
|
||||||
# Limits for kube components
|
# Limits for kube components
|
||||||
kube_controller_memory_limit: 512M
|
kube_controller_memory_limit: 512M
|
||||||
kube_controller_cpu_limit: 250m
|
kube_controller_cpu_limit: 250m
|
||||||
|
|
|
@ -2,6 +2,9 @@
|
||||||
- include: pre-upgrade.yml
|
- include: pre-upgrade.yml
|
||||||
tags: k8s-pre-upgrade
|
tags: k8s-pre-upgrade
|
||||||
|
|
||||||
|
- include: set_facts.yml
|
||||||
|
tags: facts
|
||||||
|
|
||||||
- name: Copy kubectl from hyperkube container
|
- name: Copy kubectl from hyperkube container
|
||||||
command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp /hyperkube /systembindir/kubectl"
|
command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp /hyperkube /systembindir/kubectl"
|
||||||
register: kube_task_result
|
register: kube_task_result
|
||||||
|
|
22
roles/kubernetes/master/tasks/set_facts.yml
Normal file
22
roles/kubernetes/master/tasks/set_facts.yml
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
---
|
||||||
|
- name: Master | get kube user ID
|
||||||
|
shell: /usr/bin/id -u {{ kubelet_user }} || echo 0
|
||||||
|
register: kube_uid
|
||||||
|
|
||||||
|
- name: Master | get kube group ID
|
||||||
|
shell: /usr/bin/getent group {{ kubelet_group }} | cut -d':' -f3 || echo 0
|
||||||
|
register: kube_gid
|
||||||
|
|
||||||
|
- name: Master | get kube cert group ID
|
||||||
|
shell: /usr/bin/getent group {{ kube_cert_group }} | cut -d':' -f3 || echo 0
|
||||||
|
register: kube_cert_gid
|
||||||
|
|
||||||
|
- name: Master | get etcd cert group ID
|
||||||
|
shell: /usr/bin/getent group {{ etcd_cert_group }} | cut -d':' -f3 || echo 0
|
||||||
|
register: etcd_cert_gid
|
||||||
|
|
||||||
|
- set_fact:
|
||||||
|
kubelet_user_id: "{{ kube_uid.stdout }}"
|
||||||
|
kubelet_group_id: "{{ kube_gid.stdout }}"
|
||||||
|
kube_cert_group_id: "{{ kube_cert_gid.stdout }}"
|
||||||
|
etcd_cert_group_id: "{{ etcd_cert_gid.stdout }}"
|
|
@ -12,6 +12,14 @@ spec:
|
||||||
- name: kube-apiserver
|
- name: kube-apiserver
|
||||||
image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
|
image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
|
||||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
{% for c in apps_drop_cap %}
|
||||||
|
- {{ c.upper() }}
|
||||||
|
{% endfor %}
|
||||||
|
add:
|
||||||
|
- DAC_OVERRIDE
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
cpu: {{ kube_apiserver_cpu_limit }}
|
cpu: {{ kube_apiserver_cpu_limit }}
|
||||||
|
|
|
@ -11,6 +11,17 @@ spec:
|
||||||
- name: kube-controller-manager
|
- name: kube-controller-manager
|
||||||
image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
|
image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
|
||||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||||
|
securityContext:
|
||||||
|
runAsUser: {{ kubelet_user_id }}
|
||||||
|
fsGroup: {{ kubelet_group_id }}
|
||||||
|
supplementalGroups:
|
||||||
|
- {{ kube_cert_group_id }}
|
||||||
|
- {{ etcd_cert_group_id }}
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
{% for c in apps_drop_cap %}
|
||||||
|
- {{ c.upper() }}
|
||||||
|
{% endfor %}
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
cpu: {{ kube_controller_cpu_limit }}
|
cpu: {{ kube_controller_cpu_limit }}
|
||||||
|
|
|
@ -11,6 +11,17 @@ spec:
|
||||||
- name: kube-scheduler
|
- name: kube-scheduler
|
||||||
image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
|
image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
|
||||||
imagePullPolicy: {{ k8s_image_pull_policy }}
|
imagePullPolicy: {{ k8s_image_pull_policy }}
|
||||||
|
securityContext:
|
||||||
|
runAsUser: {{ kubelet_user_id }}
|
||||||
|
fsGroup: {{ kubelet_group_id }}
|
||||||
|
supplementalGroups:
|
||||||
|
- {{ kube_cert_group_id }}
|
||||||
|
- {{ etcd_cert_group_id }}
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
{% for c in apps_drop_cap %}
|
||||||
|
- {{ c.upper() }}
|
||||||
|
{% endfor %}
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
cpu: {{ kube_scheduler_cpu_limit }}
|
cpu: {{ kube_scheduler_cpu_limit }}
|
||||||
|
|
|
@ -29,3 +29,18 @@ nginx_image_repo: nginx
|
||||||
nginx_image_tag: 1.11.4-alpine
|
nginx_image_tag: 1.11.4-alpine
|
||||||
|
|
||||||
etcd_config_dir: /etc/ssl/etcd
|
etcd_config_dir: /etc/ssl/etcd
|
||||||
|
|
||||||
|
# Linux capabilities to be dropped for container engines
|
||||||
|
apps_drop_cap:
|
||||||
|
- chown
|
||||||
|
- dac_override
|
||||||
|
- fowner
|
||||||
|
- fsetid
|
||||||
|
- kill
|
||||||
|
- setgid
|
||||||
|
- setuid
|
||||||
|
- setpcap
|
||||||
|
- sys_chroot
|
||||||
|
- mknod
|
||||||
|
- audit_write
|
||||||
|
- setfcap
|
||||||
|
|
|
@ -26,6 +26,6 @@
|
||||||
notify: restart kubelet
|
notify: restart kubelet
|
||||||
|
|
||||||
- name: install | Install kubelet launch script
|
- name: install | Install kubelet launch script
|
||||||
template: src=kubelet-container.j2 dest="{{ bin_dir }}/kubelet" owner=kube mode=0755 backup=yes
|
template: src=kubelet-container.j2 dest="{{ bin_dir }}/kubelet" owner={{ kubelet_user }} mode=0755 backup=yes
|
||||||
notify: restart kubelet
|
notify: restart kubelet
|
||||||
when: kubelet_deployment_type == "docker"
|
when: kubelet_deployment_type == "docker"
|
||||||
|
|
|
@ -4,6 +4,9 @@
|
||||||
{%- if inventory_hostname in groups['kube-master'] and inventory_hostname not in groups['kube-node'] -%}true{%- else -%}false{%- endif -%}
|
{%- if inventory_hostname in groups['kube-master'] and inventory_hostname not in groups['kube-node'] -%}true{%- else -%}false{%- endif -%}
|
||||||
tags: facts
|
tags: facts
|
||||||
|
|
||||||
|
- include: pre-upgrade.yml
|
||||||
|
tags: k8s-pre-upgrade
|
||||||
|
|
||||||
- include: install.yml
|
- include: install.yml
|
||||||
tags: kubelet
|
tags: kubelet
|
||||||
|
|
||||||
|
|
4
roles/kubernetes/node/tasks/pre-upgrade.yml
Normal file
4
roles/kubernetes/node/tasks/pre-upgrade.yml
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
- name: "Pre-upgrade | share access to kube certs for its users"
|
||||||
|
shell: chmod g+r {{ kube_cert_dir }}/*.pem
|
||||||
|
failed_when: false
|
|
@ -44,6 +44,7 @@ ExecStart=/usr/bin/rkt run \
|
||||||
--mount volume=var-log,target=/var/log \
|
--mount volume=var-log,target=/var/log \
|
||||||
--stage1-from-dir=stage1-fly.aci \
|
--stage1-from-dir=stage1-fly.aci \
|
||||||
{{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} \
|
{{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} \
|
||||||
|
--memory={{ kubelet_memory_limit }} --cpu={{ kubelet_cpu_limit }} \
|
||||||
--uuid-file-save=/var/run/kubelet.uuid \
|
--uuid-file-save=/var/run/kubelet.uuid \
|
||||||
--debug --exec=/kubelet -- \
|
--debug --exec=/kubelet -- \
|
||||||
$KUBE_LOGTOSTDERR \
|
$KUBE_LOGTOSTDERR \
|
||||||
|
|
|
@ -2,4 +2,7 @@
|
||||||
dependencies:
|
dependencies:
|
||||||
- role: adduser
|
- role: adduser
|
||||||
user: "{{ addusers.kube }}"
|
user: "{{ addusers.kube }}"
|
||||||
tags: kubelet
|
tags: [bootstrap-os, kubelet]
|
||||||
|
- role: adduser
|
||||||
|
user: "{{ addusers.netplug }}"
|
||||||
|
tags: [bootstrap-os, network]
|
||||||
|
|
|
@ -23,6 +23,12 @@
|
||||||
- include: set_facts.yml
|
- include: set_facts.yml
|
||||||
tags: facts
|
tags: facts
|
||||||
|
|
||||||
|
- include: set_resolv_facts.yml
|
||||||
|
tags: [bootstrap-os, resolvconf, facts]
|
||||||
|
|
||||||
|
- include: set_uid_facts.yml
|
||||||
|
tags: [bootstrap-os, facts]
|
||||||
|
|
||||||
- name: gather os specific variables
|
- name: gather os specific variables
|
||||||
include_vars: "{{ item }}"
|
include_vars: "{{ item }}"
|
||||||
with_first_found:
|
with_first_found:
|
||||||
|
@ -42,7 +48,7 @@
|
||||||
file:
|
file:
|
||||||
path: "{{ kube_config_dir }}"
|
path: "{{ kube_config_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: kube
|
owner: "{{ kubelet_user }}"
|
||||||
when: "{{ inventory_hostname in groups['k8s-cluster'] }}"
|
when: "{{ inventory_hostname in groups['k8s-cluster'] }}"
|
||||||
tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node]
|
tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node]
|
||||||
|
|
||||||
|
@ -50,7 +56,7 @@
|
||||||
file:
|
file:
|
||||||
path: "{{ kube_script_dir }}"
|
path: "{{ kube_script_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: kube
|
owner: "{{ kubelet_user }}"
|
||||||
when: "{{ inventory_hostname in groups['k8s-cluster'] }}"
|
when: "{{ inventory_hostname in groups['k8s-cluster'] }}"
|
||||||
tags: [k8s-secrets, bootstrap-os]
|
tags: [k8s-secrets, bootstrap-os]
|
||||||
|
|
||||||
|
@ -58,7 +64,7 @@
|
||||||
file:
|
file:
|
||||||
path: "{{ kube_manifest_dir }}"
|
path: "{{ kube_manifest_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: kube
|
owner: "{{ kubelet_user }}"
|
||||||
when: "{{ inventory_hostname in groups['k8s-cluster'] }}"
|
when: "{{ inventory_hostname in groups['k8s-cluster'] }}"
|
||||||
tags: [kubelet, bootstrap-os, master, node]
|
tags: [kubelet, bootstrap-os, master, node]
|
||||||
|
|
||||||
|
@ -80,7 +86,7 @@
|
||||||
file:
|
file:
|
||||||
path: "{{ item }}"
|
path: "{{ item }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: kube
|
owner: "{{ kubelet_user }}"
|
||||||
with_items:
|
with_items:
|
||||||
- "/etc/cni/net.d"
|
- "/etc/cni/net.d"
|
||||||
- "/opt/cni/bin"
|
- "/opt/cni/bin"
|
||||||
|
|
|
@ -51,6 +51,3 @@
|
||||||
etcd_container_bin_dir: "{% if etcd_after_v3 %}/usr/local/bin/{% else %}/{% endif %}"
|
etcd_container_bin_dir: "{% if etcd_after_v3 %}/usr/local/bin/{% else %}/{% endif %}"
|
||||||
- set_fact:
|
- set_fact:
|
||||||
peer_with_calico_rr: "{{ 'calico-rr' in groups and groups['calico-rr']|length > 0 }}"
|
peer_with_calico_rr: "{{ 'calico-rr' in groups and groups['calico-rr']|length > 0 }}"
|
||||||
|
|
||||||
- include: set_resolv_facts.yml
|
|
||||||
tags: [bootstrap-os, resolvconf, facts]
|
|
||||||
|
|
32
roles/kubernetes/preinstall/tasks/set_uid_facts.yml
Normal file
32
roles/kubernetes/preinstall/tasks/set_uid_facts.yml
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
---
|
||||||
|
- name: Preinstall | get kube user ID
|
||||||
|
shell: /usr/bin/id -u {{ kubelet_user }} || echo 0
|
||||||
|
register: kube_uid
|
||||||
|
|
||||||
|
- name: Preinstall | get kube group ID
|
||||||
|
shell: /usr/bin/id -g {{ kubelet_group }} || echo 0
|
||||||
|
register: kube_gid
|
||||||
|
|
||||||
|
- name: Preinstall | get kube cert group ID
|
||||||
|
shell: /usr/bin/id -g {{ kube_cert_group }} || echo 0
|
||||||
|
register: kube_cert_gid
|
||||||
|
|
||||||
|
- name: Preinstall | get etcd cert group ID
|
||||||
|
shell: /usr/bin/id -g {{ etcd_cert_group }} || echo 0
|
||||||
|
register: etcd_cert_gid
|
||||||
|
|
||||||
|
- name: Preinstall | get netplug user ID
|
||||||
|
shell: /usr/bin/id -u {{ netplug_user }} || echo 0
|
||||||
|
register: netplug_uid
|
||||||
|
|
||||||
|
- name: Preinstall | get netplug group ID
|
||||||
|
shell: /usr/bin/getent group {{ netplug_group }} | cut -d':' -f3 || echo 0
|
||||||
|
register: netplug_gid
|
||||||
|
|
||||||
|
- set_fact:
|
||||||
|
kubelet_user_id: "{{ kube_uid.stdout }}"
|
||||||
|
kubelet_group_id: "{{ kube_gid.stdout }}"
|
||||||
|
kube_cert_group_id: "{{ kube_cert_gid.stdout }}"
|
||||||
|
etcd_cert_group_id: "{{ etcd_cert_gid.stdout }}"
|
||||||
|
netplug_user_id: "{{ netplug_uid.stdout }}"
|
||||||
|
netplug_group_id: "{{ netplug_gid.stdout }}"
|
|
@ -101,5 +101,8 @@ if [ -n "$HOSTS" ]; then
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Grant the group read access
|
||||||
|
chmod g+r *.pem
|
||||||
|
|
||||||
# Install certs
|
# Install certs
|
||||||
mv *.pem ${SSLDIR}/
|
mv *.pem ${SSLDIR}/
|
||||||
|
|
|
@ -110,11 +110,11 @@
|
||||||
file:
|
file:
|
||||||
path={{ kube_cert_dir }}
|
path={{ kube_cert_dir }}
|
||||||
group={{ kube_cert_group }}
|
group={{ kube_cert_group }}
|
||||||
owner=kube
|
owner={{ kubelet_user }}
|
||||||
recurse=yes
|
recurse=yes
|
||||||
|
|
||||||
- name: Gen_certs | set permissions on keys
|
- name: Gen_certs | set shared group permissions on keys
|
||||||
shell: chmod 0600 {{ kube_cert_dir}}/*key.pem
|
shell: chmod 0640 {{ kube_cert_dir}}/*.pem
|
||||||
when: inventory_hostname in groups['kube-master']
|
when: inventory_hostname in groups['kube-master']
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
||||||
|
|
|
@ -9,6 +9,7 @@
|
||||||
path={{ kube_cert_dir }}
|
path={{ kube_cert_dir }}
|
||||||
state=directory
|
state=directory
|
||||||
mode=o-rwx
|
mode=o-rwx
|
||||||
|
owner={{ kubelet_user }}
|
||||||
group={{ kube_cert_group }}
|
group={{ kube_cert_group }}
|
||||||
|
|
||||||
- name: Make sure the tokens directory exits
|
- name: Make sure the tokens directory exits
|
||||||
|
@ -16,14 +17,16 @@
|
||||||
path={{ kube_token_dir }}
|
path={{ kube_token_dir }}
|
||||||
state=directory
|
state=directory
|
||||||
mode=o-rwx
|
mode=o-rwx
|
||||||
group={{ kube_cert_group }}
|
owner={{ kubelet_user }}
|
||||||
|
group={{ kubelet_group }}
|
||||||
|
|
||||||
- name: Make sure the users directory exits
|
- name: Make sure the users directory exits
|
||||||
file:
|
file:
|
||||||
path={{ kube_users_dir }}
|
path={{ kube_users_dir }}
|
||||||
state=directory
|
state=directory
|
||||||
mode=o-rwx
|
mode=o-rwx
|
||||||
group={{ kube_cert_group }}
|
owner={{ kubelet_user }}
|
||||||
|
group={{ kubelet_group }}
|
||||||
|
|
||||||
- name: Populate users for basic auth in API
|
- name: Populate users for basic auth in API
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
|
|
@ -20,6 +20,23 @@ global_as_num: "64512"
|
||||||
# defaults. The value should be a number, not a string.
|
# defaults. The value should be a number, not a string.
|
||||||
# calico_mtu: 1500
|
# calico_mtu: 1500
|
||||||
|
|
||||||
|
# Linux capabilities to be dropped for container engines
|
||||||
|
calico_drop_cap:
|
||||||
|
- chown
|
||||||
|
- dac_override
|
||||||
|
- fowner
|
||||||
|
- fsetid
|
||||||
|
- kill
|
||||||
|
- setgid
|
||||||
|
- setuid
|
||||||
|
- setpcap
|
||||||
|
- net_bind_service
|
||||||
|
- net_raw
|
||||||
|
- sys_chroot
|
||||||
|
- mknod
|
||||||
|
- audit_write
|
||||||
|
- setfcap
|
||||||
|
|
||||||
# Limits for apps
|
# Limits for apps
|
||||||
calico_node_memory_limit: 500M
|
calico_node_memory_limit: 500M
|
||||||
calico_node_cpu_limit: 300m
|
calico_node_cpu_limit: 300m
|
||||||
|
|
|
@ -12,8 +12,8 @@
|
||||||
dest: "{{ calico_cert_dir }}"
|
dest: "{{ calico_cert_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
mode: 0750
|
mode: 0750
|
||||||
owner: root
|
owner: "{{ netplug_user }}"
|
||||||
group: root
|
group: "{{ netplug_group }}"
|
||||||
|
|
||||||
- name: Calico-rr | Link etcd certificates for calico-node
|
- name: Calico-rr | Link etcd certificates for calico-node
|
||||||
file:
|
file:
|
||||||
|
@ -31,8 +31,8 @@
|
||||||
path: /var/log/calico-rr
|
path: /var/log/calico-rr
|
||||||
state: directory
|
state: directory
|
||||||
mode: 0755
|
mode: 0755
|
||||||
owner: root
|
owner: "{{ netplug_user }}"
|
||||||
group: root
|
group: "{{ netplug_group }}"
|
||||||
|
|
||||||
- name: Calico-rr | Write calico-rr.env for systemd init file
|
- name: Calico-rr | Write calico-rr.env for systemd init file
|
||||||
template: src=calico-rr.env.j2 dest=/etc/calico/calico-rr.env
|
template: src=calico-rr.env.j2 dest=/etc/calico/calico-rr.env
|
||||||
|
|
|
@ -6,7 +6,7 @@ Requires=docker.service
|
||||||
[Service]
|
[Service]
|
||||||
EnvironmentFile=/etc/calico/calico-rr.env
|
EnvironmentFile=/etc/calico/calico-rr.env
|
||||||
ExecStartPre=-{{ docker_bin_dir }}/docker rm -f calico-rr
|
ExecStartPre=-{{ docker_bin_dir }}/docker rm -f calico-rr
|
||||||
ExecStart={{ docker_bin_dir }}/docker run --net=host --privileged \
|
ExecStart={{ docker_bin_dir }}/docker run --net=host \
|
||||||
--name=calico-rr \
|
--name=calico-rr \
|
||||||
-e IP=${IP} \
|
-e IP=${IP} \
|
||||||
-e IP6=${IP6} \
|
-e IP6=${IP6} \
|
||||||
|
@ -16,6 +16,10 @@ ExecStart={{ docker_bin_dir }}/docker run --net=host --privileged \
|
||||||
-e ETCD_KEY_FILE=${ETCD_KEY_FILE} \
|
-e ETCD_KEY_FILE=${ETCD_KEY_FILE} \
|
||||||
-v /var/log/calico-rr:/var/log/calico \
|
-v /var/log/calico-rr:/var/log/calico \
|
||||||
-v {{ calico_cert_dir }}:{{ calico_cert_dir }}:ro \
|
-v {{ calico_cert_dir }}:{{ calico_cert_dir }}:ro \
|
||||||
|
{% for c in calico_drop_cap %}
|
||||||
|
--cap-drop={{ c }} \
|
||||||
|
{% endfor %}
|
||||||
|
-u {{ netplug_user_id }}:{{ netplug_group_id }} --group-add {{ etcd_cert_group }} \
|
||||||
--memory={{ calico_rr_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ calico_rr_cpu_limit|regex_replace('m', '') }} \
|
--memory={{ calico_rr_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ calico_rr_cpu_limit|regex_replace('m', '') }} \
|
||||||
{{ calico_rr_image_repo }}:{{ calico_rr_image_tag }}
|
{{ calico_rr_image_repo }}:{{ calico_rr_image_tag }}
|
||||||
|
|
||||||
|
|
|
@ -9,15 +9,16 @@
|
||||||
template:
|
template:
|
||||||
src: "cni-calico.conf.j2"
|
src: "cni-calico.conf.j2"
|
||||||
dest: "/etc/cni/net.d/10-calico.conf"
|
dest: "/etc/cni/net.d/10-calico.conf"
|
||||||
owner: kube
|
owner: "{{ kubelet_user }}"
|
||||||
|
group: "{{ kubelet_group }}"
|
||||||
|
|
||||||
- name: Calico | Create calico certs directory
|
- name: Calico | Create calico certs directory
|
||||||
file:
|
file:
|
||||||
dest: "{{ calico_cert_dir }}"
|
dest: "{{ calico_cert_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
mode: 0750
|
mode: 0750
|
||||||
owner: root
|
owner: "{{ netplug_user }}"
|
||||||
group: root
|
group: "{{ netplug_group }}"
|
||||||
|
|
||||||
- name: Calico | Link etcd certificates for calico-node
|
- name: Calico | Link etcd certificates for calico-node
|
||||||
file:
|
file:
|
||||||
|
|
|
@ -3,15 +3,16 @@
|
||||||
template:
|
template:
|
||||||
src: "cni-canal.conf.j2"
|
src: "cni-canal.conf.j2"
|
||||||
dest: "/etc/cni/net.d/10-canal.conf"
|
dest: "/etc/cni/net.d/10-canal.conf"
|
||||||
owner: kube
|
owner: "{{ kubelet_user }}"
|
||||||
|
group: "{{ kubelet_group }}"
|
||||||
|
|
||||||
- name: Canal | Create canal certs directory
|
- name: Canal | Create canal certs directory
|
||||||
file:
|
file:
|
||||||
dest: "{{ canal_cert_dir }}"
|
dest: "{{ canal_cert_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
mode: 0750
|
mode: 0750
|
||||||
owner: root
|
owner: "{{ netplug_user }}"
|
||||||
group: root
|
group: "{{ netplug_group }}"
|
||||||
|
|
||||||
- name: Canal | Link etcd certificates for canal-node
|
- name: Canal | Link etcd certificates for canal-node
|
||||||
file:
|
file:
|
||||||
|
|
Loading…
Reference in a new issue