48e77cd8bb
* Drop linux capabilities for unprivileged containerized workloads Kargo configures for deployments.
* Configure required securityContext/user/group/groups for kube components' static manifests, etcd, calico-rr and k8s apps, like dnsmasq daemonset.
* Rework cloud-init (etcd) users creation for CoreOS.
* Fix nologin paths, adjust defaults for addusers role and ensure supplementary groups membership added for users.
* Add netplug user for network plugins (yet unused by privileged networking containers though).
* Grant the kube and netplug users read access for etcd certs via the etcd certs group.
* Grant group read access to kube certs via the kube cert group.
* Remove privileged mode for calico-rr and run it under its uid/gid and supplementary etcd_cert group.
* Adjust docs.
* Align cpu/memory limits and dropped caps with added rkt support for control plane.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
31 lines
1.4 KiB
Markdown
Users and groups
================

The following users and groups are defined by the addusers role:

* Kube user and group, from the ``kubelet_user`` and ``kubelet_group`` vars.
* Etcd user and group, from the ``etcd_user`` and ``etcd_group`` vars.
* Network plugin user and group, from the ``netplug_user`` and ``netplug_group`` vars.

Additional certificate access groups are defined for the kube and etcd users.
For example, kubelet and network plugins require read access to the
etcd certs and keys. This is controlled via the ``etcd_cert_group`` var:
members of that group (defaults to the ``kube`` and ``netplug`` users) can read
the etcd keys and certs. The same applies to members of the ``kube_cert_group``
(defaults to the ``kube`` user). You may want to share kube certs via that
group with bastion proxies or the like. Keep the key files readable by owner
and group only; making them world-readable defeats the purpose of the group.

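The users list and the certificate groups described above can be checked with a small model of the kernel's permission decision. The following is an added example written for this page, not code from Kargo: it evaluates POSIX owner/group/other read access for the ``etcd``, ``kube`` and ``netplug`` users, with ``kube`` and ``netplug`` holding the etcd cert group as a supplementary group, and flags any file a user outside the intended set can read. All uids, gids, file names and modes are constructed for the example and are not Kargo's defaults.

```python
"""Model read access to etcd and kube certificates under the cert-group scheme.

Added example for this page, not code from Kargo. It evaluates POSIX
owner/group/other permission the way the kernel does (owner bits if the
uid matches, otherwise group bits if the primary or a supplementary gid
matches, otherwise other bits) for the users the addusers role creates.
All ids, file names and modes below are constructed for the example.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gid: int                          # primary group
    groups: frozenset = frozenset()   # supplementary groups (e.g. etcd_cert_group)


@dataclass(frozen=True)
class File:
    path: str
    uid: int
    gid: int
    mode: int                         # permission bits only, e.g. 0o640


# Constructed gids standing in for etcd_group, kubelet_group, netplug_group,
# etcd_cert_group and kube_cert_group.
GID = {"etcd": 1000, "kube": 1001, "netplug": 1002,
       "etcd-cert": 2000, "kube-cert": 2001}

USERS = {
    "etcd": User("etcd", 1000, GID["etcd"]),
    # kube is a member of both cert groups, netplug only of etcd_cert_group,
    # matching the defaults the text describes.
    "kube": User("kube", 1001, GID["kube"],
                 frozenset({GID["etcd-cert"], GID["kube-cert"]})),
    "netplug": User("netplug", 1002, GID["netplug"],
                    frozenset({GID["etcd-cert"]})),
    "nobody": User("nobody", 65534, 65534),
}


def can_read(user, f):
    """POSIX DAC read check; root is not modelled (it bypasses DAC)."""
    if user.uid == f.uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid == user.gid or f.gid in user.groups:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def readers(f, users=USERS):
    """Names of the modelled users able to read ``f``."""
    return sorted(name for name, u in users.items() if can_read(u, f))


def audit(files, allowed, users=USERS):
    """(path, user) pairs where a user outside ``allowed`` can read the file."""
    return [(f.path, name) for f in files
            for name in readers(f, users) if name not in allowed]


# Constructed etcd cert layout: owned by etcd, group etcd_cert_group, 0640,
# so kube and netplug read it through the group and nobody else does.
ETCD_CERTS = [
    File("etcd/ca.pem", USERS["etcd"].uid, GID["etcd-cert"], 0o640),
    File("etcd/node-key.pem", USERS["etcd"].uid, GID["etcd-cert"], 0o640),
]
# Constructed kube cert: owned by kube, group kube_cert_group, 0640.
KUBE_CERTS = [
    File("kube/apiserver-key.pem", USERS["kube"].uid, GID["kube-cert"], 0o640),
]
# The weak variant: same ownership as above, but the key left world-readable.
LEAKY_KEY = File("etcd/node-key.pem", USERS["etcd"].uid, GID["etcd-cert"], 0o644)

ETCD_CERT_READERS = {"etcd", "kube", "netplug"}

if __name__ == "__main__":
    for f in ETCD_CERTS + KUBE_CERTS + [LEAKY_KEY]:
        print("%-24s %04o readers=%s" % (f.path, f.mode, readers(f)))
    print("findings:", audit([LEAKY_KEY], ETCD_CERT_READERS))
```

Running it shows the 0640 files readable only by the owner and the cert group members, while the 0644 key is also readable by ``nobody``, which ``audit`` reports as a finding.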
|
Linux capabilities
==================

Kargo allows controlling the Linux capabilities dropped from the unprivileged docker
containers it configures for deployments, for example etcd, some networking
related systemd units, or k8s workloads like kubedns, dnsmasq or netchecker apps.

Dropped capabilities are represented by the ``apps_drop_cap``, ``dnsmasq_drop_cap``,
``etcd_drop_cap`` and ``calico_drop_cap`` vars.

Be careful when changing the defaults: different kube components and k8s apps might
expect specific capabilities to be present and can only run as root! Also note
that kubelet, kube-proxy and network plugins require privileged mode, which grants
the full capability set, so they ignore dropped capabilities.
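Whether a drop list actually took effect is visible in the ``CapEff:`` line of ``/proc/<pid>/status`` inside the container. The following is an added example for this page, not Kargo code: it decodes that hex mask into capability names, computes what should remain after a drop list in the shape of an ``*_drop_cap`` var is applied to docker's default capability set, and reports capabilities that are still effective although they were meant to be dropped. The drop list and the two status excerpts are constructed; the privileged one shows the caveat from the text, since ``--privileged`` leaves every capability in place regardless of the drop list.

```python
"""Decode and check Linux capability masks reported by containers.

Added example for this page, not Kargo code. The drop list and the
/proc/<pid>/status excerpts are constructed; the capability numbering is
the kernel's (include/uapi/linux/capability.h) and the default set is the
one docker grants an unprivileged container.
"""
import re

# Bit index -> capability name (without the CAP_ prefix).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}

# Capabilities an unprivileged docker container keeps by default (mask 0xa80425fb).
DOCKER_DEFAULT_CAPS = frozenset([
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
])


def _norm(name):
    """Accept CAP_NET_RAW, net_raw or NET_RAW and return NET_RAW."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def decode_caps(hex_mask):
    """Sorted capability names set in a CapEff/CapBnd hex mask."""
    mask = int(hex_mask, 16)
    return sorted(n for n, b in CAP_BIT.items() if mask >> b & 1)


def caps_to_mask(names):
    """Inverse of decode_caps, as the 16-digit hex string /proc uses."""
    mask = 0
    for n in names:
        mask |= 1 << CAP_BIT[_norm(n)]
    return "%016x" % mask


def expected_caps(drop_list, base=DOCKER_DEFAULT_CAPS):
    """What should remain after --cap-drop of drop_list from base."""
    return sorted(base - {_norm(c) for c in drop_list})


def cap_eff(status_text):
    """Extract the CapEff hex mask from /proc/<pid>/status content."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    return m.group(1)


def audit(status_text, drop_list):
    """Capabilities still effective although they are in drop_list."""
    have = set(decode_caps(cap_eff(status_text)))
    return sorted(have & {_norm(c) for c in drop_list})


# Constructed drop list in the shape of an ``*_drop_cap`` var (not Kargo's default).
SAMPLE_DROP = ["NET_RAW", "SYS_CHROOT", "MKNOD", "SETFCAP", "AUDIT_WRITE"]

# Constructed /proc/<pid>/status excerpts.
# Unprivileged container with SAMPLE_DROP applied: 0xa80425fb minus those five bits.
DROPPED_STATUS = ("Name:\tetcd\nCapInh:\t0000000000000000\nCapPrm:\t00000000000005fb\n"
                  "CapEff:\t00000000000005fb\nCapBnd:\t00000000000005fb\n")
# Privileged container: every capability the kernel knows; the drop list is ignored.
PRIVILEGED_STATUS = "Name:\tkubelet\nCapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n"

if __name__ == "__main__":
    print("docker default:", decode_caps("00000000a80425fb"))
    print("expected after drop:", expected_caps(SAMPLE_DROP))
    print("unprivileged leftovers:", audit(DROPPED_STATUS, SAMPLE_DROP))
    print("privileged leftovers:", audit(PRIVILEGED_STATUS, SAMPLE_DROP))
```

On a real node, feed ``audit`` the contents of ``/proc/<pid>/status`` for the container's main process together with the drop list from the relevant var; an empty result means the drops are in force, while a privileged workload will report the whole drop list as still present.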