48e77cd8bb
* Drop linux capabilities for unprivileged containerized workloads Kargo configures for deployments. * Configure required securityContext/user/group/groups for kube components' static manifests, etcd, calico-rr and k8s apps, like dnsmasq daemonset. * Rework cloud-init (etcd) users creation for CoreOS. * Fix nologin paths, adjust defaults for addusers role and ensure supplementary groups membership added for users. * Add netplug user for network plugins (yet unused by privileged networking containers though). * Grant the kube and netplug users read access for etcd certs via the etcd certs group. * Grant group read access to kube certs via the kube cert group. * Remove privileged mode for calico-rr and run it under its uid/gid and supplementary etcd_cert group. * Adjust docs. * Align cpu/memory limits and dropped caps with added rkt support for control plane. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
---
|
|
# Existing search/nameserver resolvconf entries will be purged and
|
|
# ensured by this additional data:
|
|
|
|
# Max of 4 names is allowed and no more than 256 - 17 chars total
|
|
# (a 2 is reserved for the 'default.svc.' and'svc.')
|
|
#searchdomains:
|
|
# - foo.bar.lc
|
|
|
|
# Max of 2 is allowed here (a 1 is reserved for the dns_server)
|
|
#nameservers:
|
|
# - 127.0.0.1
|
|
|
|
dns_forward_max: 150
|
|
cache_size: 1000
|
|
|
|
# Versions
|
|
dnsmasq_version: 2.72
|
|
|
|
# Images
|
|
dnsmasq_image_repo: "andyshinn/dnsmasq"
|
|
dnsmasq_image_tag: "{{ dnsmasq_version }}"
|
|
|
|
# Limits for dnsmasq/kubedns apps
|
|
dns_cpu_limit: 100m
|
|
dns_memory_limit: 170Mi
|
|
dns_cpu_requests: 70m
|
|
dns_memory_requests: 70Mi
|
|
|
|
# Linux capabilities to be dropped for dnsmasq k8s app ran container engines
|
|
dnsmasq_drop_cap:
|
|
- chown
|
|
- dac_override
|
|
- fowner
|
|
- fsetid
|
|
- kill
|
|
- setpcap
|
|
- sys_chroot
|
|
- mknod
|
|
- audit_write
|
|
- setfcap
|
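Review bot: `dnsmasq_version: 2.72` is an unquoted scalar that YAML types as a float; it survives only because 2.72 has no trailing zero, and a bump to a version such as 2.70 or 2.80 would be re-typed to 2.7/2.8 and flow through `dnsmasq_image_tag: "{{ dnsmasq_version }}"` as a non-existent image tag — quote it as `dnsmasq_version: "2.72"`. The header above `dnsmasq_drop_cap` is hard to parse; I would reword it to `# Linux capabilities dropped from the dnsmasq container, on top of the engine's default set` and, since the list records a hardening decision, add a line naming what is intentionally kept so a later edit does not undo it by accident. Reading the list against the usual engine default capability set, what remains appears to be setuid, setgid, net_bind_service and net_raw; the first three are needed to bind :53 and switch to dnsmasq's own user, but net_raw is presumably unnecessary for a DNS-only dnsmasq and could be dropped too — worth confirming against how the daemonset invokes it. The search-domain comment also has a missing space, `and 'svc.'`.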