48e77cd8bb
* Drop Linux capabilities for the unprivileged containerized workloads Kargo configures for deployments. * Configure the required securityContext/user/group/groups for the kube components' static manifests, etcd, calico-rr and k8s apps, like the dnsmasq daemonset. * Rework cloud-init (etcd) user creation for CoreOS. * Fix nologin paths, adjust defaults for the addusers role and ensure supplementary group membership is added for users. * Add a netplug user for network plugins (as yet unused by the privileged networking containers). * Grant the kube and netplug users read access to the etcd certs via the etcd certs group. * Grant group read access to the kube certs via the kube cert group. * Remove privileged mode for calico-rr and run it under its own uid/gid with the supplementary etcd_cert group. * Adjust docs. * Align cpu/memory limits and dropped caps with the added rkt support for the control plane. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
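[Unit]
Description=Kubernetes Kubelet Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
{% if kube_network_plugin is defined and kube_network_plugin == "calico" %}
After=calico-node.service
Wants=network.target calico-node.service
{% else %}
Wants=network.target
{% endif %}

[Service]
Restart=on-failure
RestartSec=10s
TimeoutStartSec=0
LimitNOFILE=40000

# Discard any pod left behind by a previous run (identified by the saved uuid file)
# before starting a fresh one; the leading "-" makes a missing pod non-fatal.
ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/run/kubelet.uuid
ExecStartPre=-/bin/mkdir -p /var/lib/kubelet

EnvironmentFile={{kube_config_dir}}/kubelet.env
# stage1-fly mounts /proc /sys /dev so no need to duplicate the mounts.
#
# Host paths are exposed read-only unless the kubelet genuinely writes to them.
# Read-only: /etc/resolv.conf (only read for cluster DNS settings), CNI config and
# binaries, the host CA bundles, and {{ etcd_config_dir }} (etcd certs; read access
# to the key material inside is governed by the etcd certs group on the host).
# Read-write: {{ kube_config_dir }}, /run (runtime sockets such as $DOCKER_SOCKET),
# the docker graph, /var/lib/kubelet and /var/log.
# NOTE(review): --debug makes rkt itself verbose; consider dropping it once the
# rkt-based control plane is stable.
ExecStart=/usr/bin/rkt run \
  --volume dns,kind=host,source=/etc/resolv.conf,readOnly=true \
  --volume etc-cni,kind=host,source=/etc/cni,readOnly=true \
  --volume etc-kubernetes,kind=host,source={{ kube_config_dir }},readOnly=false \
  --volume etc-ssl-certs,kind=host,source=/etc/ssl/certs,readOnly=true \
  --volume etcd-ssl,kind=host,source={{ etcd_config_dir }},readOnly=true \
  --volume opt-cni,kind=host,source=/opt/cni,readOnly=true \
  --volume run,kind=host,source=/run,readOnly=false \
  --volume usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
  --volume var-lib-docker,kind=host,source={{ docker_daemon_graph }},readOnly=false \
  --volume var-lib-kubelet,kind=host,source=/var/lib/kubelet,readOnly=false \
  --volume var-log,kind=host,source=/var/log,readOnly=false \
  --mount volume=dns,target=/etc/resolv.conf \
  --mount volume=etc-cni,target=/etc/cni \
  --mount volume=etc-kubernetes,target={{ kube_config_dir }} \
  --mount volume=etc-ssl-certs,target=/etc/ssl/certs \
  --mount volume=etcd-ssl,target={{ etcd_config_dir }} \
  --mount volume=opt-cni,target=/opt/cni \
  --mount volume=run,target=/run \
  --mount volume=usr-share-certs,target=/usr/share/ca-certificates \
  --mount volume=var-lib-docker,target=/var/lib/docker \
  --mount volume=var-lib-kubelet,target=/var/lib/kubelet \
  --mount volume=var-log,target=/var/log \
  --stage1-from-dir=stage1-fly.aci \
  {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} \
  --memory={{ kubelet_memory_limit }} --cpu={{ kubelet_cpu_limit }} \
  --uuid-file-save=/var/run/kubelet.uuid \
  --debug --exec=/kubelet -- \
  $KUBE_LOGTOSTDERR \
  $KUBE_LOG_LEVEL \
  $KUBELET_API_SERVER \
  $KUBELET_ADDRESS \
  $KUBELET_PORT \
  $KUBELET_HOSTNAME \
  $KUBE_ALLOW_PRIV \
  $KUBELET_ARGS \
  $DOCKER_SOCKET \
  $KUBELET_REGISTER_NODE \
  $KUBELET_NETWORK_PLUGIN

ExecStop=-/usr/bin/rkt stop --uuid-file=/var/run/kubelet.uuid

[Install]
WantedBy=multi-user.target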