48e77cd8bb
* Drop linux capabilities for unprivileged containerized workloads Kargo configures for deployments. * Configure required securityContext/user/group/groups for kube components' static manifests, etcd, calico-rr and k8s apps, like dnsmasq daemonset. * Rework cloud-init (etcd) users creation for CoreOS. * Fix nologin paths, adjust defaults for addusers role and ensure supplementary group membership is added for users. * Add netplug user for network plugins (yet unused by privileged networking containers though). * Grant the kube and netplug users read access for etcd certs via the etcd certs group. * Grant group read access to kube certs via the kube cert group. * Remove privileged mode for calico-rr and run it under its uid/gid and supplementary etcd_cert group. * Adjust docs. * Align cpu/memory limits and dropped caps with added rkt support for control plane. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
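# etcd rkt wrapper unit (Jinja template rendered by Ansible).
# rkt needs root to set up the pod, so the wrapper service itself runs as root;
# etcd is started inside the pod as the unprivileged etcd uid/gid via the
# --user/--group flags in ExecStart. Group=/SupplementaryGroups= here only shape
# the identity of the rkt wrapper process, not of etcd.
[Unit]
Description=etcd rkt wrapper
Documentation=https://github.com/coreos/etcd
# Wants= only pulls network.target in; After= is what actually orders this
# unit behind it, so both are needed.
Wants=network.target
After=network.target

[Service]
Restart=on-failure
RestartSec=10s
# No start timeout: the first start may have to fetch the etcd image.
TimeoutStartSec=0
LimitNOFILE=40000
User=root
Group={{ etcd_group_id }}
# Membership in the etcd cert group is what grants read access to the key
# material that is bind-mounted read-only below.
SupplementaryGroups={{ etcd_cert_group_id }}

# rkt CLI layout: pod-level flags (volumes, mounts, env file, stage1) come
# before the image; per-app flags (caps, resource limits, user/group, name)
# come after it.
# Keep the continuation below free of '#' lines and blank lines: systemd joins
# continued lines before it strips comments, and an empty line ends the
# continuation. NOTE(review): the for/endfor tags inside it leave no blank
# line only with Jinja trim_blocks enabled (Ansible's default) - confirm if
# this template is ever rendered by something else.
# NOTE(review): stage1-fly provides little more than a mount namespace;
# confirm that the installed rkt honors --caps-remove, --memory and --cpu
# under fly, otherwise the hardening below is not enforced at runtime.
# NOTE(review): /var/lib/etcd is the only read-write mount and must be owned
# by the etcd uid/gid the app runs as. /etc/etcd.env is read by rkt as root;
# keep its mode restrictive if it carries anything sensitive.
ExecStart=/usr/bin/rkt run \
--uuid-file-save=/var/run/etcd.uuid \
--volume=etc-ssl-certs,kind=host,source=/etc/ssl/certs,readOnly=true \
--mount=volume=etc-ssl-certs,target=/etc/ssl/certs \
--volume=etcd-cert-dir,kind=host,source={{ etcd_cert_dir }},readOnly=true \
--mount=volume=etcd-cert-dir,target={{ etcd_cert_dir }} \
--volume=var-lib-etcd,kind=host,source=/var/lib/etcd,readOnly=false \
--mount=volume=var-lib-etcd,target=/var/lib/etcd \
--set-env-file=/etc/etcd.env \
--stage1-from-dir=stage1-fly.aci \
{{ etcd_image_repo }}:{{ etcd_image_tag }} \
{% for c in etcd_drop_cap %}
--caps-remove=CAP_{{ c.upper() }} \
{% endfor %}
--memory={{ etcd_memory_limit }} --cpu={{ etcd_cpu_limit }} \
--user={{ etcd_user_id }} --group={{ etcd_group_id }} \
--name={{ etcd_member_name | default("etcd") }}

# Leading '-': a failure to remove a stale pod (e.g. none exists) is not fatal.
ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/run/etcd.uuid
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/run/etcd.uuid

[Install]
WantedBy=multi-user.target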