48e77cd8bb
* Drop linux capabilities for unprivileged containerized workloads Kargo configures for deployments. * Configure required securityContext/user/group/groups for kube components' static manifests, etcd, calico-rr and k8s apps, like dnsmasq daemonset. * Rework cloud-init (etcd) users creation for CoreOS. * Fix nologin paths, adjust defaults for addusers role and ensure supplementary groups membership added for users. * Add netplug user for network plugins (yet unused by privileged networking containers though). * Grant the kube and netplug users read access for etcd certs via the etcd certs group. * Grant group read access to kube certs via the kube cert group. * Remove privileged mode for calico-rr and run it under its uid/gid and supplementary etcd_cert group. * Adjust docs. * Align cpu/memory limits and dropped caps with added rkt support for control plane. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
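---
# Versions
# Quoted so the YAML loader keeps them as strings: an unquoted 1.9 loads as a
# float, and a future 1.10 would silently become the "1.1" image tag below.
kubedns_version: "1.9"
kubednsmasq_version: "1.3"
exechealthz_version: "1.1"

# Limits for dnsmasq/kubedns apps
# NOTE: this file mixes binary (Mi) and decimal (M) memory units between
# sections; values are kept exactly as-is, but new entries should pick one.
dns_cpu_limit: 100m
dns_memory_limit: 170Mi
dns_cpu_requests: 70m
dns_memory_requests: 70Mi
dns_replicas: 1

# Images
kubedns_image_repo: "gcr.io/google_containers/kubedns-amd64"
kubedns_image_tag: "{{ kubedns_version }}"
kubednsmasq_image_repo: "gcr.io/google_containers/kube-dnsmasq-amd64"
kubednsmasq_image_tag: "{{ kubednsmasq_version }}"
exechealthz_image_repo: "gcr.io/google_containers/exechealthz-amd64"
exechealthz_image_tag: "{{ exechealthz_version }}"

# Limits for calico apps
calico_policy_controller_cpu_limit: 100m
calico_policy_controller_memory_limit: 256M
calico_policy_controller_cpu_requests: 30m
calico_policy_controller_memory_requests: 128M

# Netchecker
deploy_netchecker: false
netchecker_port: 31081
agent_report_interval: 15
netcheck_namespace: default
# The *_img_repo / *_tag variables are defined outside this file.
agent_img: "{{ netcheck_agent_img_repo }}:{{ netcheck_tag }}"
server_img: "{{ netcheck_server_img_repo }}:{{ netcheck_tag }}"
kubectl_image: "{{ netcheck_kubectl_img_repo }}:{{ netcheck_kubectl_tag }}"

# Limits for netchecker apps
netchecker_agent_cpu_limit: 30m
netchecker_agent_memory_limit: 100M
netchecker_agent_cpu_requests: 15m
netchecker_agent_memory_requests: 64M
netchecker_server_cpu_limit: 100m
netchecker_server_memory_limit: 256M
netchecker_server_cpu_requests: 50m
netchecker_server_memory_requests: 128M
netchecker_kubectl_cpu_limit: 30m
netchecker_kubectl_memory_limit: 128M
netchecker_kubectl_cpu_requests: 15m
netchecker_kubectl_memory_requests: 64M

# SSL
# Host directories holding the TLS material. Per this commit's description,
# unprivileged apps read these through the cert groups (group-readable files)
# instead of running privileged; keep directory modes in step with that.
etcd_cert_dir: "/etc/ssl/etcd/ssl"
calico_cert_dir: "/etc/calico/certs"
canal_cert_dir: "/etc/canal/certs"

# Linux capabilities to be dropped for k8s apps ran by container engines
# This is Docker's default capability set minus net_bind_service and net_raw,
# which are the only ones left to the unprivileged app containers. It is one
# shared list so every app manifest drops the same set; when editing it, keep
# the rkt/control-plane drop list (added alongside this file) aligned.
apps_drop_cap:
- chown
- dac_override
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- sys_chroot
- mknod
- audit_write
- setfcap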