Drop linux capabilities and rework users/groups

* Drop linux capabilities for unprivileged containerized worlkoads Kargo configures for deployments. * Configure required securityContext/user/group/groups for kube components' static manifests, etcd, calico-rr and k8s apps, like dnsmasq daemonset. * Rework cloud-init (etcd) users creation for CoreOS. * Fix nologin paths, adjust defaults for addusers role and ensure supplementary groups membership added for users. * Add netplug user for network plugins (yet unused by privileged networking containers though). * Grant the kube and netplug users read access for etcd certs via the etcd certs group. * Grant group read access to kube certs via the kube cert group. * Remove priveleged mode for calico-rr and run it under its uid/gid and supplementary etcd_cert group. * Adjust docs. * Align cpu/memory limits and dropped caps with added rkt support for control plane. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2026-02-01 01:28:11 -03:30 · 2016-12-28 14:58:37 +01:00
parent 8ce32eb3e1
commit cb2e5ac776
48 changed files with 413 additions and 81 deletions
--- a/roles/network_plugin/calico/defaults/main.yml
+++ b/roles/network_plugin/calico/defaults/main.yml
@@ -20,6 +20,23 @@ global_as_num: "64512"
 # defaults. The value should be a number, not a string.
 # calico_mtu: 1500

+# Linux capabilities to be dropped for container engines
+calico_drop_cap:
+  - chown
+  - dac_override
+  - fowner
+  - fsetid
+  - kill
+  - setgid
+  - setuid
+  - setpcap
+  - net_bind_service
+  - net_raw
+  - sys_chroot
+  - mknod
+  - audit_write
+  - setfcap
+
 # Limits for apps
 calico_node_memory_limit: 500M
 calico_node_cpu_limit: 300m
--- a/roles/network_plugin/calico/rr/tasks/main.yml
+++ b/roles/network_plugin/calico/rr/tasks/main.yml
@@ -12,8 +12,8 @@
    dest: "{{ calico_cert_dir }}"
    state: directory
    mode: 0750
-    owner: root
-    group: root
+    owner: "{{ netplug_user }}"
+    group: "{{ netplug_group }}"

 - name: Calico-rr | Link etcd certificates for calico-node
  file:
@@ -31,8 +31,8 @@
    path: /var/log/calico-rr
    state: directory
    mode: 0755
-    owner: root
-    group: root
+    owner: "{{ netplug_user }}"
+    group: "{{ netplug_group }}"

 - name: Calico-rr | Write calico-rr.env for systemd init file
  template: src=calico-rr.env.j2 dest=/etc/calico/calico-rr.env
--- a/roles/network_plugin/calico/rr/templates/calico-rr.service.j2
+++ b/roles/network_plugin/calico/rr/templates/calico-rr.service.j2
@@ -6,7 +6,7 @@ Requires=docker.service
 [Service]
 EnvironmentFile=/etc/calico/calico-rr.env
 ExecStartPre=-{{ docker_bin_dir }}/docker rm -f calico-rr
-ExecStart={{ docker_bin_dir }}/docker run --net=host --privileged \
+ExecStart={{ docker_bin_dir }}/docker run --net=host \
 --name=calico-rr \
 -e IP=${IP} \
 -e IP6=${IP6} \
@@ -16,6 +16,10 @@ ExecStart={{ docker_bin_dir }}/docker run --net=host --privileged \
 -e ETCD_KEY_FILE=${ETCD_KEY_FILE} \
 -v /var/log/calico-rr:/var/log/calico \
 -v {{ calico_cert_dir }}:{{ calico_cert_dir }}:ro \
+{% for c in calico_drop_cap %}
+ --cap-drop={{ c }} \
+{% endfor %}
+ -u {{ netplug_user_id }}:{{ netplug_group_id }} --group-add {{ etcd_cert_group }} \
 --memory={{ calico_rr_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ calico_rr_cpu_limit|regex_replace('m', '') }} \
 {{ calico_rr_image_repo }}:{{ calico_rr_image_tag }}

--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
@@ -9,15 +9,16 @@
  template:
    src: "cni-calico.conf.j2"
    dest: "/etc/cni/net.d/10-calico.conf"
-    owner: kube
+    owner: "{{ kubelet_user }}"
+    group: "{{ kubelet_group }}"

 - name: Calico | Create calico certs directory
  file:
    dest: "{{ calico_cert_dir }}"
    state: directory
    mode: 0750
-    owner: root
-    group: root
+    owner: "{{ netplug_user }}"
+    group: "{{ netplug_group }}"

 - name: Calico | Link etcd certificates for calico-node
  file:
--- a/roles/network_plugin/canal/tasks/main.yml
+++ b/roles/network_plugin/canal/tasks/main.yml
@@ -3,15 +3,16 @@
  template:
    src: "cni-canal.conf.j2"
    dest: "/etc/cni/net.d/10-canal.conf"
-    owner: kube
+    owner: "{{ kubelet_user }}"
+    group: "{{ kubelet_group }}"

 - name: Canal | Create canal certs directory
  file:
    dest: "{{ canal_cert_dir }}"
    state: directory
    mode: 0750
-    owner: root
-    group: root
+    owner: "{{ netplug_user }}"
+    group: "{{ netplug_group }}"

 - name: Canal | Link etcd certificates for canal-node
  file: