c12s-kubespray/docs/security.md
Bogdan Dobrelya 48e77cd8bb Drop linux capabilities and rework users/groups
* Drop linux capabilities for unprivileged containerized
  worlkoads Kargo configures for deployments.
* Configure required securityContext/user/group/groups for kube
  components' static manifests, etcd, calico-rr and k8s apps,
  like dnsmasq daemonset.
* Rework cloud-init (etcd) users creation for CoreOS.
* Fix nologin paths, adjust defaults for addusers role and ensure
  supplementary groups membership added for users.
* Add netplug user for network plugins (yet unused by privileged
  networking containers though).
* Grant the kube and netplug users read access for etcd certs via
  the etcd certs group.
* Grant group read access to kube certs via the kube cert group.
* Remove priveleged mode for calico-rr and run it under its uid/gid
  and supplementary etcd_cert group.
* Adjust docs.
* Align cpu/memory limits and dropped caps with added rkt support
  for control plane.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-20 08:50:42 +01:00

1.4 KiB

Users and groups

There are following users and groups defined by the addusers role:

  • Kube user, group from the kubelet_user and kubelet_group vars.
  • Etcd user, group from the etcd_user and etcd_group vars.
  • Network plugin user, group from the netplug_user and netplug_group vars.

There are additional certificate access groups for kube and etcd users defined. For example, kubelet and network plugins require read access to the etcd certs and keys. This is defined via the corresponding etcd_cert_group var. Members of that group (defaults to kube and netplug users) will read etcd secret keys and certs. Same applies to the kube_cert_group (defaults to kube user) members. You may want to share kube certs via that group with bastion proxies or the like.

Linux capabilites

Kargo allows to control dropped Linux capabilities for unprivileged docker containers it configures for deployments. For examle, etcd or some networking related systemd units or k8s workloads, like kubedns, dnsmasq or netchecker apps.

Dropped capabilites are represented by the apps_drop_cap, dnsmasq_drop_cap, etcd_drop_cap, calico_drop_cap vars.

Be carefull changing defaults - different kube components and k8s apps might expect specific capabilities to be present and can only run as root! Also note that kublet, kube-proxy and network plugins require privileged mode and ignore dropped capabilities.