Merge pull request #911 from bogdando/DROP_CAPS

Drop linux capabilities and rework users/groups
2026-02-01 01:28:11 -03:30 · 2017-02-06 12:05:51 +01:00
parent 9bc51bd0e2 cb2e5ac776
commit cae2982d81
48 changed files with 413 additions and 81 deletions
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -29,3 +29,18 @@ nginx_image_repo: nginx
 nginx_image_tag: 1.11.4-alpine

 etcd_config_dir: /etc/ssl/etcd
+
+# Linux capabilities to be dropped for container engines
+apps_drop_cap:
+  - chown
+  - dac_override
+  - fowner
+  - fsetid
+  - kill
+  - setgid
+  - setuid
+  - setpcap
+  - sys_chroot
+  - mknod
+  - audit_write
+  - setfcap
--- a/roles/kubernetes/node/tasks/install.yml
+++ b/roles/kubernetes/node/tasks/install.yml
@@ -26,6 +26,6 @@
  notify: restart kubelet

 - name: install | Install kubelet launch script
-  template: src=kubelet-container.j2 dest="{{ bin_dir }}/kubelet" owner=kube mode=0755 backup=yes
+  template: src=kubelet-container.j2 dest="{{ bin_dir }}/kubelet" owner={{ kubelet_user }} mode=0755 backup=yes
  notify: restart kubelet
  when: kubelet_deployment_type == "docker"
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -4,6 +4,9 @@
      {%- if inventory_hostname in groups['kube-master'] and inventory_hostname not in groups['kube-node'] -%}true{%- else -%}false{%- endif -%}
  tags: facts

+- include: pre-upgrade.yml
+  tags: k8s-pre-upgrade
+
 - include: install.yml
  tags: kubelet

--- a/roles/kubernetes/node/tasks/pre-upgrade.yml
+++ b/roles/kubernetes/node/tasks/pre-upgrade.yml
@@ -0,0 +1,4 @@
+---
+- name: "Pre-upgrade | share access to kube certs for its users"
+  shell: chmod g+r {{ kube_cert_dir }}/*.pem
+  failed_when: false
--- a/roles/kubernetes/node/templates/kubelet.rkt.service.j2
+++ b/roles/kubernetes/node/templates/kubelet.rkt.service.j2
@@ -29,7 +29,7 @@ ExecStart=/usr/bin/rkt run \
        --volume run,kind=host,source=/run,readOnly=false \
        --volume usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
        --volume var-lib-docker,kind=host,source={{ docker_daemon_graph }},readOnly=false \
-	--volume var-lib-kubelet,kind=host,source=/var/lib/kubelet,readOnly=false \
+        --volume var-lib-kubelet,kind=host,source=/var/lib/kubelet,readOnly=false \
        --volume var-log,kind=host,source=/var/log \
        --mount volume=dns,target=/etc/resolv.conf \
        --mount volume=etc-cni,target=/etc/cni \
@@ -44,6 +44,7 @@ ExecStart=/usr/bin/rkt run \
        --mount volume=var-log,target=/var/log \
        --stage1-from-dir=stage1-fly.aci \
        {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} \
+        --memory={{ kubelet_memory_limit }} --cpu={{ kubelet_cpu_limit }} \
        --uuid-file-save=/var/run/kubelet.uuid \
        --debug --exec=/kubelet -- \
                $KUBE_LOGTOSTDERR \