Drop linux capabilities and rework users/groups

* Drop linux capabilities for unprivileged containerized worlkoads Kargo configures for deployments. * Configure required securityContext/user/group/groups for kube components' static manifests, etcd, calico-rr and k8s apps, like dnsmasq daemonset. * Rework cloud-init (etcd) users creation for CoreOS. * Fix nologin paths, adjust defaults for addusers role and ensure supplementary groups membership added for users. * Add netplug user for network plugins (yet unused by privileged networking containers though). * Grant the kube and netplug users read access for etcd certs via the etcd certs group. * Grant group read access to kube certs via the kube cert group. * Remove priveleged mode for calico-rr and run it under its uid/gid and supplementary etcd_cert group. * Adjust docs. * Align cpu/memory limits and dropped caps with added rkt support for control plane. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2026-02-02 01:58:12 -03:30 · 2016-12-28 14:58:37 +01:00
parent 8ce32eb3e1
commit cb2e5ac776
48 changed files with 413 additions and 81 deletions
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@@ -13,6 +13,21 @@ kube_apiserver_node_port_range: "30000-32767"
 etcd_config_dir: /etc/ssl/etcd
 etcd_cert_dir: "{{ etcd_config_dir }}/ssl"

+# Linux capabilities to be dropped for k8s apps ran by container engines
+apps_drop_cap:
+  - chown
+  - dac_override
+  - fowner
+  - fsetid
+  - kill
+  - setgid
+  - setuid
+  - setpcap
+  - sys_chroot
+  - mknod
+  - audit_write
+  - setfcap
+
 # Limits for kube components
 kube_controller_memory_limit: 512M
 kube_controller_cpu_limit: 250m
--- a/roles/kubernetes/master/tasks/main.yml
+++ b/roles/kubernetes/master/tasks/main.yml
@@ -2,6 +2,9 @@
 - include: pre-upgrade.yml
  tags: k8s-pre-upgrade

+- include: set_facts.yml
+  tags: facts
+
 - name: Copy kubectl from hyperkube container
  command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp /hyperkube /systembindir/kubectl"
  register: kube_task_result
--- a/roles/kubernetes/master/tasks/set_facts.yml
+++ b/roles/kubernetes/master/tasks/set_facts.yml
@@ -0,0 +1,22 @@
+---
+- name: Master | get kube user ID
+  shell: /usr/bin/id -u {{ kubelet_user }} || echo 0
+  register: kube_uid
+
+- name: Master | get kube group ID
+  shell: /usr/bin/getent group {{ kubelet_group }} | cut -d':' -f3 || echo 0
+  register: kube_gid
+
+- name: Master | get kube cert group ID
+  shell: /usr/bin/getent group {{ kube_cert_group }} | cut -d':' -f3 || echo 0
+  register: kube_cert_gid
+
+- name: Master | get etcd cert group ID
+  shell: /usr/bin/getent group {{ etcd_cert_group }} | cut -d':' -f3 || echo 0
+  register: etcd_cert_gid
+
+- set_fact:
+    kubelet_user_id: "{{ kube_uid.stdout }}"
+    kubelet_group_id: "{{ kube_gid.stdout }}"
+    kube_cert_group_id: "{{ kube_cert_gid.stdout }}"
+    etcd_cert_group_id: "{{ etcd_cert_gid.stdout }}"
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -12,6 +12,14 @@ spec:
  - name: kube-apiserver
    image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
    imagePullPolicy: {{ k8s_image_pull_policy }}
+    securityContext:
+      capabilities:
+        drop:
+{% for c in apps_drop_cap %}
+          - {{ c.upper() }}
+{% endfor %}
+        add:
+          - DAC_OVERRIDE
    resources:
      limits:
        cpu: {{ kube_apiserver_cpu_limit }}
--- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
@@ -11,6 +11,17 @@ spec:
  - name: kube-controller-manager
    image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
    imagePullPolicy: {{ k8s_image_pull_policy }}
+    securityContext:
+      runAsUser: {{ kubelet_user_id }}
+      fsGroup: {{ kubelet_group_id }}
+      supplementalGroups:
+        - {{ kube_cert_group_id }}
+        - {{ etcd_cert_group_id }}
+      capabilities:
+        drop:
+{% for c in apps_drop_cap %}
+          - {{ c.upper() }}
+{% endfor %}
    resources:
      limits:
        cpu: {{ kube_controller_cpu_limit }}
--- a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
@@ -11,6 +11,17 @@ spec:
  - name: kube-scheduler
    image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
    imagePullPolicy: {{ k8s_image_pull_policy }}
+    securityContext:
+      runAsUser: {{ kubelet_user_id }}
+      fsGroup: {{ kubelet_group_id }}
+      supplementalGroups:
+        - {{ kube_cert_group_id }}
+        - {{ etcd_cert_group_id }}
+      capabilities:
+        drop:
+{% for c in apps_drop_cap %}
+          - {{ c.upper() }}
+{% endfor %}
    resources:
      limits:
        cpu: {{ kube_scheduler_cpu_limit }}
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -29,3 +29,18 @@ nginx_image_repo: nginx
 nginx_image_tag: 1.11.4-alpine

 etcd_config_dir: /etc/ssl/etcd
+
+# Linux capabilities to be dropped for container engines
+apps_drop_cap:
+  - chown
+  - dac_override
+  - fowner
+  - fsetid
+  - kill
+  - setgid
+  - setuid
+  - setpcap
+  - sys_chroot
+  - mknod
+  - audit_write
+  - setfcap
--- a/roles/kubernetes/node/tasks/install.yml
+++ b/roles/kubernetes/node/tasks/install.yml
@@ -26,6 +26,6 @@
  notify: restart kubelet

 - name: install | Install kubelet launch script
-  template: src=kubelet-container.j2 dest="{{ bin_dir }}/kubelet" owner=kube mode=0755 backup=yes
+  template: src=kubelet-container.j2 dest="{{ bin_dir }}/kubelet" owner={{ kubelet_user }} mode=0755 backup=yes
  notify: restart kubelet
  when: kubelet_deployment_type == "docker"
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -4,6 +4,9 @@
      {%- if inventory_hostname in groups['kube-master'] and inventory_hostname not in groups['kube-node'] -%}true{%- else -%}false{%- endif -%}
  tags: facts

+- include: pre-upgrade.yml
+  tags: k8s-pre-upgrade
+
 - include: install.yml
  tags: kubelet

--- a/roles/kubernetes/node/tasks/pre-upgrade.yml
+++ b/roles/kubernetes/node/tasks/pre-upgrade.yml
@@ -0,0 +1,4 @@
+---
+- name: "Pre-upgrade | share access to kube certs for its users"
+  shell: chmod g+r {{ kube_cert_dir }}/*.pem
+  failed_when: false
--- a/roles/kubernetes/node/templates/kubelet.rkt.service.j2
+++ b/roles/kubernetes/node/templates/kubelet.rkt.service.j2
@@ -29,7 +29,7 @@ ExecStart=/usr/bin/rkt run \
        --volume run,kind=host,source=/run,readOnly=false \
        --volume usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
        --volume var-lib-docker,kind=host,source={{ docker_daemon_graph }},readOnly=false \
-	--volume var-lib-kubelet,kind=host,source=/var/lib/kubelet,readOnly=false \
+        --volume var-lib-kubelet,kind=host,source=/var/lib/kubelet,readOnly=false \
        --volume var-log,kind=host,source=/var/log \
        --mount volume=dns,target=/etc/resolv.conf \
        --mount volume=etc-cni,target=/etc/cni \
@@ -44,6 +44,7 @@ ExecStart=/usr/bin/rkt run \
        --mount volume=var-log,target=/var/log \
        --stage1-from-dir=stage1-fly.aci \
        {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} \
+        --memory={{ kubelet_memory_limit }} --cpu={{ kubelet_cpu_limit }} \
        --uuid-file-save=/var/run/kubelet.uuid \
        --debug --exec=/kubelet -- \
                $KUBE_LOGTOSTDERR \
--- a/roles/kubernetes/preinstall/meta/main.yml
+++ b/roles/kubernetes/preinstall/meta/main.yml
@@ -2,4 +2,7 @@
 dependencies:
  - role: adduser
    user: "{{ addusers.kube }}"
-    tags: kubelet
+    tags: [bootstrap-os, kubelet]
+  - role: adduser
+    user: "{{ addusers.netplug }}"
+    tags: [bootstrap-os, network]
--- a/roles/kubernetes/preinstall/tasks/main.yml
+++ b/roles/kubernetes/preinstall/tasks/main.yml
@@ -23,6 +23,12 @@
 - include: set_facts.yml
  tags: facts

+- include: set_resolv_facts.yml
+  tags: [bootstrap-os, resolvconf, facts]
+
+- include: set_uid_facts.yml
+  tags: [bootstrap-os, facts]
+
 - name: gather os specific variables
  include_vars: "{{ item }}"
  with_first_found:
@@ -42,7 +48,7 @@
  file:
    path: "{{ kube_config_dir }}"
    state: directory
-    owner: kube
+    owner: "{{ kubelet_user }}"
  when: "{{ inventory_hostname in groups['k8s-cluster'] }}"
  tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node]

@@ -50,7 +56,7 @@
  file:
    path: "{{ kube_script_dir }}"
    state: directory
-    owner: kube
+    owner: "{{ kubelet_user }}"
  when: "{{ inventory_hostname in groups['k8s-cluster'] }}"
  tags: [k8s-secrets, bootstrap-os]

@@ -58,7 +64,7 @@
  file:
    path: "{{ kube_manifest_dir }}"
    state: directory
-    owner: kube
+    owner: "{{ kubelet_user }}"
  when: "{{ inventory_hostname in groups['k8s-cluster'] }}"
  tags: [kubelet, bootstrap-os, master, node]

@@ -80,7 +86,7 @@
  file:
    path: "{{ item }}"
    state: directory
-    owner: kube
+    owner: "{{ kubelet_user }}"
  with_items:
    - "/etc/cni/net.d"
    - "/opt/cni/bin"
--- a/roles/kubernetes/preinstall/tasks/set_facts.yml
+++ b/roles/kubernetes/preinstall/tasks/set_facts.yml
@@ -51,6 +51,3 @@
    etcd_container_bin_dir: "{% if etcd_after_v3 %}/usr/local/bin/{% else %}/{% endif %}"
 - set_fact:
    peer_with_calico_rr: "{{ 'calico-rr' in groups and groups['calico-rr']|length > 0 }}"
-
- include: set_resolv_facts.yml
-  tags: [bootstrap-os, resolvconf, facts]
--- a/roles/kubernetes/preinstall/tasks/set_uid_facts.yml
+++ b/roles/kubernetes/preinstall/tasks/set_uid_facts.yml
@@ -0,0 +1,32 @@
+---
+- name: Preinstall | get kube user ID
+  shell: /usr/bin/id -u {{ kubelet_user }} || echo 0
+  register: kube_uid
+
+- name: Preinstall | get kube group ID
+  shell: /usr/bin/id -g {{ kubelet_group }} || echo 0
+  register: kube_gid
+
+- name: Preinstall | get kube cert group ID
+  shell: /usr/bin/id -g {{ kube_cert_group }} || echo 0
+  register: kube_cert_gid
+
+- name: Preinstall | get etcd cert group ID
+  shell: /usr/bin/id -g {{ etcd_cert_group }} || echo 0
+  register: etcd_cert_gid
+
+- name: Preinstall | get netplug user ID
+  shell: /usr/bin/id -u {{ netplug_user }} || echo 0
+  register: netplug_uid
+
+- name: Preinstall | get netplug group ID
+  shell: /usr/bin/getent group {{ netplug_group }} | cut -d':' -f3 || echo 0
+  register: netplug_gid
+
+- set_fact:
+    kubelet_user_id: "{{ kube_uid.stdout }}"
+    kubelet_group_id: "{{ kube_gid.stdout }}"
+    kube_cert_group_id: "{{ kube_cert_gid.stdout }}"
+    etcd_cert_group_id: "{{ etcd_cert_gid.stdout }}"
+    netplug_user_id: "{{ netplug_uid.stdout }}"
+    netplug_group_id: "{{ netplug_gid.stdout }}"
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@@ -101,5 +101,8 @@ if [ -n "$HOSTS" ]; then
    done
 fi

+# Grant the group read access
+chmod g+r *.pem
+
 # Install certs
 mv *.pem ${SSLDIR}/
--- a/roles/kubernetes/secrets/tasks/gen_certs.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
@@ -110,11 +110,11 @@
  file:
    path={{ kube_cert_dir }}
    group={{ kube_cert_group }}
-    owner=kube
+    owner={{ kubelet_user }}
    recurse=yes

- name: Gen_certs | set permissions on keys
-  shell: chmod 0600 {{ kube_cert_dir}}/*key.pem
+- name: Gen_certs | set shared group permissions on keys
+  shell: chmod 0640 {{ kube_cert_dir}}/*.pem
  when: inventory_hostname in groups['kube-master']
  changed_when: false

--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -9,6 +9,7 @@
    path={{ kube_cert_dir }}
    state=directory
    mode=o-rwx
+    owner={{ kubelet_user }}
    group={{ kube_cert_group }}

 - name: Make sure the tokens directory exits
@@ -16,14 +17,16 @@
    path={{ kube_token_dir }}
    state=directory
    mode=o-rwx
-    group={{ kube_cert_group }}
+    owner={{ kubelet_user }}
+    group={{ kubelet_group }}

 - name: Make sure the users directory exits
  file:
    path={{ kube_users_dir }}
    state=directory
    mode=o-rwx
-    group={{ kube_cert_group }}
+    owner={{ kubelet_user }}
+    group={{ kubelet_group }}

 - name: Populate users for basic auth in API
  lineinfile: