Drop linux capabilities and rework users/groups

* Drop linux capabilities for unprivileged containerized worlkoads Kargo configures for deployments. * Configure required securityContext/user/group/groups for kube components' static manifests, etcd, calico-rr and k8s apps, like dnsmasq daemonset. * Rework cloud-init (etcd) users creation for CoreOS. * Fix nologin paths, adjust defaults for addusers role and ensure supplementary groups membership added for users. * Add netplug user for network plugins (yet unused by privileged networking containers though). * Grant the kube and netplug users read access for etcd certs via the etcd certs group. * Grant group read access to kube certs via the kube cert group. * Remove priveleged mode for calico-rr and run it under its uid/gid and supplementary etcd_cert group. * Adjust docs. * Align cpu/memory limits and dropped caps with added rkt support for control plane. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2026-02-01 01:28:11 -03:30 · 2016-12-28 14:58:37 +01:00
parent 8ce32eb3e1
commit cb2e5ac776
48 changed files with 413 additions and 81 deletions
--- a/roles/etcd/tasks/gen_certs.yml
+++ b/roles/etcd/tasks/gen_certs.yml
@@ -4,14 +4,15 @@
    path={{ etcd_cert_dir }}
    group={{ etcd_cert_group }}
    state=directory
-    owner=root
+    mode=0750
+    owner={{ etcd_user }}
    recurse=yes

 - name: "Gen_certs | create etcd script dir (on {{groups['etcd'][0]}})"
  file:
    path: "{{ etcd_script_dir }}"
    state: directory
-    owner: root
+    owner: "{{ etcd_user }}"
  run_once: yes
  delegate_to: "{{groups['etcd'][0]}}"

@@ -20,7 +21,8 @@
    path={{ etcd_cert_dir }}
    group={{ etcd_cert_group }}
    state=directory
-    owner=root
+    mode=0750
+    owner={{ etcd_user }}
    recurse=yes
  run_once: yes
  delegate_to: "{{groups['etcd'][0]}}"
@@ -124,12 +126,12 @@
    path={{ etcd_cert_dir }}
    group={{ etcd_cert_group }}
    state=directory
-    owner=kube
+    owner={{ etcd_user }}
    recurse=yes
  tags: facts

- name: Gen_certs | set permissions on keys
-  shell: chmod 0600 {{ etcd_cert_dir}}/*key.pem
+- name: Gen_certs | set shared group permissions on keys
+  shell: chmod 0640 {{ etcd_cert_dir}}/*.pem
  when: inventory_hostname in groups['etcd']
  changed_when: false

--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -1,6 +1,8 @@
 ---
 - include: pre_upgrade.yml
  tags: etcd-pre-upgrade
+- include: set_facts.yml
+  tags: [bootstrap-os, facts]
 - include: check_certs.yml
  tags: [etcd-secrets, facts]
 - include: gen_certs.yml
--- a/roles/etcd/tasks/pre_upgrade.yml
+++ b/roles/etcd/tasks/pre_upgrade.yml
@@ -1,3 +1,4 @@
+---
 - name: "Pre-upgrade | check for etcd-proxy unit file"
  stat:
    path: /etc/systemd/system/etcd-proxy.service
@@ -49,3 +50,7 @@
    awk -F"[: =]" '{print "{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses | regex_replace('https','http') }} member update "$1" https:"$7":"$8}' | bash
  run_once: true
  when: 'etcd_member_list.rc == 0 and "http://" in etcd_member_list.stdout'
+
+- name: "Pre-upgrade | share access to etcd certs for its users"
+  shell: chmod g+r {{ etcd_cert_dir }}/*.pem
+  failed_when: false
--- a/roles/etcd/tasks/set_facts.yml
+++ b/roles/etcd/tasks/set_facts.yml
@@ -0,0 +1,17 @@
+---
+- name: Etcd | get etcd user ID
+  shell: /usr/bin/id -u {{ etcd_user }} || echo 0
+  register: etcd_uid
+
+- name: Etcd | get etcd group ID
+  shell: /usr/bin/getent group {{ etcd_group }} | cut -d':' -f3 || echo 0
+  register: etcd_gid
+
+- name: Etcd | get etcd cert group ID
+  shell: /usr/bin/getent group {{ etcd_cert_group }} | cut -d':' -f3 || echo 0
+  register: etcd_cert_gid
+
+- set_fact:
+    etcd_user_id: "{{ etcd_uid.stdout }}"
+    etcd_group_id: "{{ etcd_gid.stdout }}"
+    etcd_cert_group_id: "{{ etcd_cert_gid.stdout }}"