feat: make kubernetes owner parametrized (#8952)

* feat: make kubernetes owner parametrized * docs: update hardening guide with configuration for CIS 1.1.19 * fix: set etcd data directory permissions to be compliant to CIS 1.1.12
2026-03-05 18:51:13 -03:30 · 2022-06-17 10:34:32 +02:00
parent 890fad389d
commit 97b4d79ed5
17 changed files with 40 additions and 14 deletions
--- a/roles/kubernetes/control-plane/defaults/main/etcd.yml
+++ b/roles/kubernetes/control-plane/defaults/main/etcd.yml
@@ -1,4 +1,7 @@
 ---
+# Set etcd user/group
+etcd_owner: etcd
+
 # Note: This does not set up DNS entries. It simply adds the following DNS
 # entries to the certificate
 etcd_cert_alt_names:
--- a/roles/kubernetes/control-plane/tasks/kubeadm-etcd.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-etcd.yml
@@ -16,3 +16,10 @@
  import_role:
    name: etcdctl
  when: etcd_deployment_type == "kubeadm"
+
+- name: Set ownership for etcd data directory
+  file:
+    path: "{{ etcd_data_dir }}"
+    owner: "{{ etcd_owner }}"
+    group: "{{ etcd_owner }}"
+    mode: 0700
--- a/roles/kubernetes/preinstall/defaults/main.yml
+++ b/roles/kubernetes/preinstall/defaults/main.yml
@@ -22,6 +22,7 @@ common_required_pkgs:
 # GCE docker repository
 disable_ipv6_dns: false

+kube_owner: kube
 kube_cert_group: kube-cert
 kube_config_dir: /etc/kubernetes
 kube_cert_dir: "{{ kube_config_dir }}/ssl"
--- a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
+++ b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
@@ -3,7 +3,7 @@
  file:
    path: "{{ item }}"
    state: directory
-    owner: kube
+    owner: "{{ kube_owner }}"
    mode: 0755
  when: inventory_hostname in groups['k8s_cluster']
  become: true
@@ -71,7 +71,7 @@
  file:
    path: "{{ item }}"
    state: directory
-    owner: kube
+    owner: "{{ kube_owner }}"
    mode: 0755
  with_items:
    - "/etc/cni/net.d"