48e77cd8bb
* Drop Linux capabilities for unprivileged containerized workloads Kargo configures for deployments.
* Configure required securityContext/user/group/groups for kube components' static manifests, etcd, calico-rr and k8s apps, like dnsmasq daemonset.
* Rework cloud-init (etcd) users creation for CoreOS.
* Fix nologin paths, adjust defaults for addusers role and ensure supplementary groups membership added for users.
* Add netplug user for network plugins (yet unused by privileged networking containers though).
* Grant the kube and netplug users read access for etcd certs via the etcd certs group.
* Grant group read access to kube certs via the kube cert group.
* Remove privileged mode for calico-rr and run it under its uid/gid and supplementary etcd_cert group.
* Adjust docs.
* Align cpu/memory limits and dropped caps with added rkt support for control plane.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
31 lines, 1,004 B, YAML
---
# Trust the ACI signing keys so rkt will accept the kubelet container image.
# Retried because key fetches over the network may fail transiently.
- name: Trust kubelet container
  command: >-
    /usr/bin/rkt trust
    --skip-fingerprint-review
    --root
    {{ item }}
  register: kubelet_rkt_trust_result
  until: kubelet_rkt_trust_result.rc == 0
  with_items:
    - "https://quay.io/aci-signing-key"
    - "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg"
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  changed_when: false
  when: kubelet_deployment_type == "rkt"

- name: create kubelet working directory
  file:
    state: directory
    path: /var/lib/kubelet
  when: kubelet_deployment_type == "rkt"

# The unit file template is chosen by deployment type (docker or rkt).
- name: install | Write kubelet systemd init file
  template: "src=kubelet.{{ kubelet_deployment_type }}.service.j2 dest=/etc/systemd/system/kubelet.service backup=yes"
  notify: restart kubelet

# The launch script is owned by the dedicated kubelet user rather than root.
- name: install | Install kubelet launch script
  template: src=kubelet-container.j2 dest="{{ bin_dir }}/kubelet" owner={{ kubelet_user }} mode=0755 backup=yes
  notify: restart kubelet
  when: kubelet_deployment_type == "docker"
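The commit message above describes the hardening pattern (drop privileged mode, drop capabilities, run under a dedicated uid/gid, and reach certificate files only through a supplementary group that has read access to them). As an added illustration, not code from the Kargo commit or repository, the following pod manifests show the weak form beside the hardened form for a generic control-plane component that reads etcd client certificates from the host. The numeric uid/gid values, the certificate directory, the resource limits and the image name are assumptions, not values taken from the page.

```yaml
# Added illustration, not from the Kargo commit. All ids, paths and the image are assumed placeholders.
#
# Before: the container runs as root with full host privileges, so compromise of the
# process is compromise of the node, and every file on the host is readable to it.
apiVersion: v1
kind: Pod
metadata:
  name: component-privileged
spec:
  hostNetwork: true
  containers:
    - name: component
      image: example.invalid/component:placeholder
      securityContext:
        privileged: true
      volumeMounts:
        - name: etcd-certs
          mountPath: /etc/component/etcd-certs
          readOnly: true
  volumes:
    - name: etcd-certs
      hostPath:
        path: /etc/ssl/etcd   # assumed location of the etcd certs on the host
---
# After: no privileged mode, all capabilities dropped, a dedicated non-root uid/gid,
# and read access to the etcd certificates granted only through a supplementary group.
# On the host the cert files are expected to be owned root:etcd_cert with mode 0640,
# so the container can read them but not write them, and nothing outside the group can read them.
apiVersion: v1
kind: Pod
metadata:
  name: component-unprivileged
spec:
  hostNetwork: true
  securityContext:
    runAsNonRoot: true
    runAsUser: 2001            # assumed uid of the dedicated service user
    runAsGroup: 2001           # assumed primary gid of that user
    supplementalGroups: [2002] # assumed gid of the etcd_cert group on the host
  containers:
    - name: component
      image: example.invalid/component:placeholder
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
          # Add back only what the process demonstrably needs, e.g. a daemon that
          # must listen on a port below 1024 as non-root needs NET_BIND_SERVICE:
          # add: ["NET_BIND_SERVICE"]
      resources:
        limits:
          cpu: 100m
          memory: 64Mi
      volumeMounts:
        - name: etcd-certs
          mountPath: /etc/component/etcd-certs
          readOnly: true
  volumes:
    - name: etcd-certs
      hostPath:
        path: /etc/ssl/etcd
```

The pod-level `securityContext` sets the identity once for every container in the pod; the container-level block is where `privileged`, `allowPrivilegeEscalation` and the capability set live. To check that the group mapping actually works, run `id` inside the started container and confirm the supplementary gid appears in its group list, then confirm the certificate files on the host are group-readable by exactly that gid and nothing wider.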