48e77cd8bb
* Drop linux capabilities for unprivileged containerized worlkoads Kargo configures for deployments. * Configure required securityContext/user/group/groups for kube components' static manifests, etcd, calico-rr and k8s apps, like dnsmasq daemonset. * Rework cloud-init (etcd) users creation for CoreOS. * Fix nologin paths, adjust defaults for addusers role and ensure supplementary groups membership added for users. * Add netplug user for network plugins (yet unused by privileged networking containers though). * Grant the kube and netplug users read access for etcd certs via the etcd certs group. * Grant group read access to kube certs via the kube cert group. * Remove priveleged mode for calico-rr and run it under its uid/gid and supplementary etcd_cert group. * Adjust docs. * Align cpu/memory limits and dropped caps with added rkt support for control plane. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
32 lines
1,002 B
Django/Jinja
32 lines
1,002 B
Django/Jinja
[Unit]
|
|
Description=calico-rr
|
|
After=docker.service
|
|
Requires=docker.service
|
|
|
|
[Service]
|
|
EnvironmentFile=/etc/calico/calico-rr.env
|
|
ExecStartPre=-{{ docker_bin_dir }}/docker rm -f calico-rr
|
|
ExecStart={{ docker_bin_dir }}/docker run --net=host \
|
|
--name=calico-rr \
|
|
-e IP=${IP} \
|
|
-e IP6=${IP6} \
|
|
-e ETCD_ENDPOINTS=${ETCD_ENDPOINTS} \
|
|
-e ETCD_CA_CERT_FILE=${ETCD_CA_CERT_FILE} \
|
|
-e ETCD_CERT_FILE=${ETCD_CERT_FILE} \
|
|
-e ETCD_KEY_FILE=${ETCD_KEY_FILE} \
|
|
-v /var/log/calico-rr:/var/log/calico \
|
|
-v {{ calico_cert_dir }}:{{ calico_cert_dir }}:ro \
|
|
{% for c in calico_drop_cap %}
|
|
--cap-drop={{ c }} \
|
|
{% endfor %}
|
|
-u {{ netplug_user_id }}:{{ netplug_group_id }} --group-add {{ etcd_cert_group }} \
|
|
--memory={{ calico_rr_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ calico_rr_cpu_limit|regex_replace('m', '') }} \
|
|
{{ calico_rr_image_repo }}:{{ calico_rr_image_tag }}
|
|
|
|
Restart=always
|
|
RestartSec=10s
|
|
|
|
ExecStop=-{{ docker_bin_dir }}/docker stop calico-rr
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|