48e77cd8bb
* Drop linux capabilities for unprivileged containerized worlkoads Kargo configures for deployments. * Configure required securityContext/user/group/groups for kube components' static manifests, etcd, calico-rr and k8s apps, like dnsmasq daemonset. * Rework cloud-init (etcd) users creation for CoreOS. * Fix nologin paths, adjust defaults for addusers role and ensure supplementary groups membership added for users. * Add netplug user for network plugins (yet unused by privileged networking containers though). * Grant the kube and netplug users read access for etcd certs via the etcd certs group. * Grant group read access to kube certs via the kube cert group. * Remove priveleged mode for calico-rr and run it under its uid/gid and supplementary etcd_cert group. * Adjust docs. * Align cpu/memory limits and dropped caps with added rkt support for control plane. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
79 lines
2.2 KiB
YAML
79 lines
2.2 KiB
YAML
---
|
|
- include: check-certs.yml
|
|
tags: [k8s-secrets, facts]
|
|
- include: check-tokens.yml
|
|
tags: [k8s-secrets, facts]
|
|
|
|
- name: Make sure the certificate directory exits
|
|
file:
|
|
path={{ kube_cert_dir }}
|
|
state=directory
|
|
mode=o-rwx
|
|
owner={{ kubelet_user }}
|
|
group={{ kube_cert_group }}
|
|
|
|
- name: Make sure the tokens directory exits
|
|
file:
|
|
path={{ kube_token_dir }}
|
|
state=directory
|
|
mode=o-rwx
|
|
owner={{ kubelet_user }}
|
|
group={{ kubelet_group }}
|
|
|
|
- name: Make sure the users directory exits
|
|
file:
|
|
path={{ kube_users_dir }}
|
|
state=directory
|
|
mode=o-rwx
|
|
owner={{ kubelet_user }}
|
|
group={{ kubelet_group }}
|
|
|
|
- name: Populate users for basic auth in API
|
|
lineinfile:
|
|
dest: "{{ kube_users_dir }}/known_users.csv"
|
|
create: yes
|
|
line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
|
|
backup: yes
|
|
with_dict: "{{ kube_users }}"
|
|
when: inventory_hostname in "{{ groups['kube-master'] }}"
|
|
notify: set secret_changed
|
|
|
|
#
|
|
# The following directory creates make sure that the directories
|
|
# exist on the first master for cases where the first master isn't
|
|
# being run.
|
|
#
|
|
- name: "Gen_certs | Create kubernetes config directory (on {{groups['kube-master'][0]}})"
|
|
file:
|
|
path: "{{ kube_config_dir }}"
|
|
state: directory
|
|
owner: kube
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node]
|
|
when: gen_certs|default(false) or gen_tokens|default(false)
|
|
|
|
- name: "Gen_certs | Create kubernetes script directory (on {{groups['kube-master'][0]}})"
|
|
file:
|
|
path: "{{ kube_script_dir }}"
|
|
state: directory
|
|
owner: kube
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
tags: [k8s-secrets, bootstrap-os]
|
|
when: gen_certs|default(false) or gen_tokens|default(false)
|
|
|
|
- name: "Get_tokens | Make sure the tokens directory exits (on {{groups['kube-master'][0]}})"
|
|
file:
|
|
path={{ kube_token_dir }}
|
|
state=directory
|
|
mode=o-rwx
|
|
group={{ kube_cert_group }}
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: gen_tokens|default(false)
|
|
|
|
- include: gen_certs.yml
|
|
tags: k8s-secrets
|
|
- include: gen_tokens.yml
|
|
tags: k8s-secrets
|