cb2e5ac776
* Drop linux capabilities for unprivileged containerized worlkoads Kargo configures for deployments. * Configure required securityContext/user/group/groups for kube components' static manifests, etcd, calico-rr and k8s apps, like dnsmasq daemonset. * Rework cloud-init (etcd) users creation for CoreOS. * Fix nologin paths, adjust defaults for addusers role and ensure supplementary groups membership added for users. * Add netplug user for network plugins (yet unused by privileged networking containers though). * Grant the kube and netplug users read access for etcd certs via the etcd certs group. * Grant group read access to kube certs via the kube cert group. * Remove priveleged mode for calico-rr and run it under its uid/gid and supplementary etcd_cert group. * Adjust docs. * Align cpu/memory limits and dropped caps with added rkt support for control plane. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
57 lines
2 KiB
YAML
57 lines
2 KiB
YAML
---
|
|
- name: "Pre-upgrade | check for etcd-proxy unit file"
|
|
stat:
|
|
path: /etc/systemd/system/etcd-proxy.service
|
|
register: etcd_proxy_service_file
|
|
tags: facts
|
|
|
|
- name: "Pre-upgrade | check for etcd-proxy init script"
|
|
stat:
|
|
path: /etc/init.d/etcd-proxy
|
|
register: etcd_proxy_init_script
|
|
tags: facts
|
|
|
|
- name: "Pre-upgrade | stop etcd-proxy if service defined"
|
|
service:
|
|
name: etcd-proxy
|
|
state: stopped
|
|
when: (etcd_proxy_service_file.stat.exists|default(False) or etcd_proxy_init_script.stat.exists|default(False))
|
|
|
|
- name: "Pre-upgrade | remove etcd-proxy service definition"
|
|
file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
when: (etcd_proxy_service_file.stat.exists|default(False) or etcd_proxy_init_script.stat.exists|default(False))
|
|
with_items:
|
|
- /etc/systemd/system/etcd-proxy.service
|
|
- /etc/init.d/etcd-proxy
|
|
|
|
- name: "Pre-upgrade | find etcd-proxy container"
|
|
command: "{{ docker_bin_dir }}/docker ps -aq --filter 'name=etcd-proxy*'"
|
|
register: etcd_proxy_container
|
|
failed_when: false
|
|
|
|
- name: "Pre-upgrade | remove etcd-proxy if it exists"
|
|
command: "{{ docker_bin_dir }}/docker rm -f {{item}}"
|
|
with_items: "{{etcd_proxy_container.stdout_lines}}"
|
|
|
|
- name: "Pre-upgrade | check if member list is non-SSL"
|
|
command: "{{ bin_dir }}/etcdctl --no-sync --peers={{ etcd_access_addresses | regex_replace('https','http') }} member list"
|
|
register: etcd_member_list
|
|
retries: 10
|
|
delay: 3
|
|
until: etcd_member_list.rc != 2
|
|
run_once: true
|
|
failed_when: false
|
|
|
|
- name: "Pre-upgrade | change peer names to SSL"
|
|
shell: >-
|
|
{{ bin_dir }}/etcdctl --no-sync --peers={{ etcd_access_addresses | regex_replace('https','http') }} member list |
|
|
awk -F"[: =]" '{print "{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses | regex_replace('https','http') }} member update "$1" https:"$7":"$8}' | bash
|
|
run_once: true
|
|
when: 'etcd_member_list.rc == 0 and "http://" in etcd_member_list.stdout'
|
|
|
|
- name: "Pre-upgrade | share access to etcd certs for its users"
|
|
shell: chmod g+r {{ etcd_cert_dir }}/*.pem
|
|
failed_when: false
|