Revert "Drop linux capabilities and rework users/groups"

2026-03-26 21:35:03 -02:30 · 2017-02-06 15:58:54 +03:00
parent b7bf502e02
commit fd30131dc2
48 changed files with 81 additions and 413 deletions
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@@ -13,21 +13,6 @@ kube_apiserver_node_port_range: "30000-32767"
 etcd_config_dir: /etc/ssl/etcd
 etcd_cert_dir: "{{ etcd_config_dir }}/ssl"

-# Linux capabilities to be dropped for k8s apps ran by container engines
-apps_drop_cap:
-  - chown
-  - dac_override
-  - fowner
-  - fsetid
-  - kill
-  - setgid
-  - setuid
-  - setpcap
-  - sys_chroot
-  - mknod
-  - audit_write
-  - setfcap
-
 # Limits for kube components
 kube_controller_memory_limit: 512M
 kube_controller_cpu_limit: 250m
--- a/roles/kubernetes/master/tasks/main.yml
+++ b/roles/kubernetes/master/tasks/main.yml
@@ -2,9 +2,6 @@
 - include: pre-upgrade.yml
  tags: k8s-pre-upgrade

- include: set_facts.yml
-  tags: facts
-
 - name: Copy kubectl from hyperkube container
  command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp /hyperkube /systembindir/kubectl"
  register: kube_task_result
--- a/roles/kubernetes/master/tasks/set_facts.yml
+++ b/roles/kubernetes/master/tasks/set_facts.yml
@@ -1,22 +0,0 @@
---
- name: Master | get kube user ID
-  shell: /usr/bin/id -u {{ kubelet_user }} || echo 0
-  register: kube_uid
-
- name: Master | get kube group ID
-  shell: /usr/bin/getent group {{ kubelet_group }} | cut -d':' -f3 || echo 0
-  register: kube_gid
-
- name: Master | get kube cert group ID
-  shell: /usr/bin/getent group {{ kube_cert_group }} | cut -d':' -f3 || echo 0
-  register: kube_cert_gid
-
- name: Master | get etcd cert group ID
-  shell: /usr/bin/getent group {{ etcd_cert_group }} | cut -d':' -f3 || echo 0
-  register: etcd_cert_gid
-
- set_fact:
-    kubelet_user_id: "{{ kube_uid.stdout }}"
-    kubelet_group_id: "{{ kube_gid.stdout }}"
-    kube_cert_group_id: "{{ kube_cert_gid.stdout }}"
-    etcd_cert_group_id: "{{ etcd_cert_gid.stdout }}"
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -12,14 +12,6 @@ spec:
  - name: kube-apiserver
    image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
    imagePullPolicy: {{ k8s_image_pull_policy }}
-    securityContext:
-      capabilities:
-        drop:
-{% for c in apps_drop_cap %}
-          - {{ c.upper() }}
-{% endfor %}
-        add:
-          - DAC_OVERRIDE
    resources:
      limits:
        cpu: {{ kube_apiserver_cpu_limit }}
--- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
@@ -11,17 +11,6 @@ spec:
  - name: kube-controller-manager
    image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
    imagePullPolicy: {{ k8s_image_pull_policy }}
-    securityContext:
-      runAsUser: {{ kubelet_user_id }}
-      fsGroup: {{ kubelet_group_id }}
-      supplementalGroups:
-        - {{ kube_cert_group_id }}
-        - {{ etcd_cert_group_id }}
-      capabilities:
-        drop:
-{% for c in apps_drop_cap %}
-          - {{ c.upper() }}
-{% endfor %}
    resources:
      limits:
        cpu: {{ kube_controller_cpu_limit }}
--- a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
@@ -11,17 +11,6 @@ spec:
  - name: kube-scheduler
    image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
    imagePullPolicy: {{ k8s_image_pull_policy }}
-    securityContext:
-      runAsUser: {{ kubelet_user_id }}
-      fsGroup: {{ kubelet_group_id }}
-      supplementalGroups:
-        - {{ kube_cert_group_id }}
-        - {{ etcd_cert_group_id }}
-      capabilities:
-        drop:
-{% for c in apps_drop_cap %}
-          - {{ c.upper() }}
-{% endfor %}
    resources:
      limits:
        cpu: {{ kube_scheduler_cpu_limit }}
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -29,18 +29,3 @@ nginx_image_repo: nginx
 nginx_image_tag: 1.11.4-alpine

 etcd_config_dir: /etc/ssl/etcd
-
-# Linux capabilities to be dropped for container engines
-apps_drop_cap:
-  - chown
-  - dac_override
-  - fowner
-  - fsetid
-  - kill
-  - setgid
-  - setuid
-  - setpcap
-  - sys_chroot
-  - mknod
-  - audit_write
-  - setfcap
--- a/roles/kubernetes/node/tasks/install.yml
+++ b/roles/kubernetes/node/tasks/install.yml
@@ -26,6 +26,6 @@
  notify: restart kubelet

 - name: install | Install kubelet launch script
-  template: src=kubelet-container.j2 dest="{{ bin_dir }}/kubelet" owner={{ kubelet_user }} mode=0755 backup=yes
+  template: src=kubelet-container.j2 dest="{{ bin_dir }}/kubelet" owner=kube mode=0755 backup=yes
  notify: restart kubelet
  when: kubelet_deployment_type == "docker"
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -4,9 +4,6 @@
      {%- if inventory_hostname in groups['kube-master'] and inventory_hostname not in groups['kube-node'] -%}true{%- else -%}false{%- endif -%}
  tags: facts

- include: pre-upgrade.yml
-  tags: k8s-pre-upgrade
-
 - include: install.yml
  tags: kubelet

--- a/roles/kubernetes/node/tasks/pre-upgrade.yml
+++ b/roles/kubernetes/node/tasks/pre-upgrade.yml
@@ -1,4 +0,0 @@
---
- name: "Pre-upgrade | share access to kube certs for its users"
-  shell: chmod g+r {{ kube_cert_dir }}/*.pem
-  failed_when: false
--- a/roles/kubernetes/node/templates/kubelet.rkt.service.j2
+++ b/roles/kubernetes/node/templates/kubelet.rkt.service.j2
@@ -29,7 +29,7 @@ ExecStart=/usr/bin/rkt run \
        --volume run,kind=host,source=/run,readOnly=false \
        --volume usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
        --volume var-lib-docker,kind=host,source={{ docker_daemon_graph }},readOnly=false \
-        --volume var-lib-kubelet,kind=host,source=/var/lib/kubelet,readOnly=false \
+	--volume var-lib-kubelet,kind=host,source=/var/lib/kubelet,readOnly=false \
        --volume var-log,kind=host,source=/var/log \
        --mount volume=dns,target=/etc/resolv.conf \
        --mount volume=etc-cni,target=/etc/cni \
@@ -44,7 +44,6 @@ ExecStart=/usr/bin/rkt run \
        --mount volume=var-log,target=/var/log \
        --stage1-from-dir=stage1-fly.aci \
        {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} \
-        --memory={{ kubelet_memory_limit }} --cpu={{ kubelet_cpu_limit }} \
        --uuid-file-save=/var/run/kubelet.uuid \
        --debug --exec=/kubelet -- \
                $KUBE_LOGTOSTDERR \
--- a/roles/kubernetes/preinstall/meta/main.yml
+++ b/roles/kubernetes/preinstall/meta/main.yml
@@ -2,7 +2,4 @@
 dependencies:
  - role: adduser
    user: "{{ addusers.kube }}"
-    tags: [bootstrap-os, kubelet]
-  - role: adduser
-    user: "{{ addusers.netplug }}"
-    tags: [bootstrap-os, network]
+    tags: kubelet
--- a/roles/kubernetes/preinstall/tasks/main.yml
+++ b/roles/kubernetes/preinstall/tasks/main.yml
@@ -23,12 +23,6 @@
 - include: set_facts.yml
  tags: facts

- include: set_resolv_facts.yml
-  tags: [bootstrap-os, resolvconf, facts]
-
- include: set_uid_facts.yml
-  tags: [bootstrap-os, facts]
-
 - name: gather os specific variables
  include_vars: "{{ item }}"
  with_first_found:
@@ -48,7 +42,7 @@
  file:
    path: "{{ kube_config_dir }}"
    state: directory
-    owner: "{{ kubelet_user }}"
+    owner: kube
  when: "{{ inventory_hostname in groups['k8s-cluster'] }}"
  tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node]

@@ -56,7 +50,7 @@
  file:
    path: "{{ kube_script_dir }}"
    state: directory
-    owner: "{{ kubelet_user }}"
+    owner: kube
  when: "{{ inventory_hostname in groups['k8s-cluster'] }}"
  tags: [k8s-secrets, bootstrap-os]

@@ -64,7 +58,7 @@
  file:
    path: "{{ kube_manifest_dir }}"
    state: directory
-    owner: "{{ kubelet_user }}"
+    owner: kube
  when: "{{ inventory_hostname in groups['k8s-cluster'] }}"
  tags: [kubelet, bootstrap-os, master, node]

@@ -86,7 +80,7 @@
  file:
    path: "{{ item }}"
    state: directory
-    owner: "{{ kubelet_user }}"
+    owner: kube
  with_items:
    - "/etc/cni/net.d"
    - "/opt/cni/bin"
--- a/roles/kubernetes/preinstall/tasks/set_facts.yml
+++ b/roles/kubernetes/preinstall/tasks/set_facts.yml
@@ -51,3 +51,6 @@
    etcd_container_bin_dir: "{% if etcd_after_v3 %}/usr/local/bin/{% else %}/{% endif %}"
 - set_fact:
    peer_with_calico_rr: "{{ 'calico-rr' in groups and groups['calico-rr']|length > 0 }}"
+
+- include: set_resolv_facts.yml
+  tags: [bootstrap-os, resolvconf, facts]
--- a/roles/kubernetes/preinstall/tasks/set_uid_facts.yml
+++ b/roles/kubernetes/preinstall/tasks/set_uid_facts.yml
@@ -1,32 +0,0 @@
---
- name: Preinstall | get kube user ID
-  shell: /usr/bin/id -u {{ kubelet_user }} || echo 0
-  register: kube_uid
-
- name: Preinstall | get kube group ID
-  shell: /usr/bin/id -g {{ kubelet_group }} || echo 0
-  register: kube_gid
-
- name: Preinstall | get kube cert group ID
-  shell: /usr/bin/id -g {{ kube_cert_group }} || echo 0
-  register: kube_cert_gid
-
- name: Preinstall | get etcd cert group ID
-  shell: /usr/bin/id -g {{ etcd_cert_group }} || echo 0
-  register: etcd_cert_gid
-
- name: Preinstall | get netplug user ID
-  shell: /usr/bin/id -u {{ netplug_user }} || echo 0
-  register: netplug_uid
-
- name: Preinstall | get netplug group ID
-  shell: /usr/bin/getent group {{ netplug_group }} | cut -d':' -f3 || echo 0
-  register: netplug_gid
-
- set_fact:
-    kubelet_user_id: "{{ kube_uid.stdout }}"
-    kubelet_group_id: "{{ kube_gid.stdout }}"
-    kube_cert_group_id: "{{ kube_cert_gid.stdout }}"
-    etcd_cert_group_id: "{{ etcd_cert_gid.stdout }}"
-    netplug_user_id: "{{ netplug_uid.stdout }}"
-    netplug_group_id: "{{ netplug_gid.stdout }}"
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@@ -101,8 +101,5 @@ if [ -n "$HOSTS" ]; then
    done
 fi

-# Grant the group read access
-chmod g+r *.pem
-
 # Install certs
 mv *.pem ${SSLDIR}/
--- a/roles/kubernetes/secrets/tasks/gen_certs.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
@@ -140,11 +140,11 @@
  file:
    path={{ kube_cert_dir }}
    group={{ kube_cert_group }}
-    owner={{ kubelet_user }}
+    owner=kube
    recurse=yes

- name: Gen_certs | set shared group permissions on keys
-  shell: chmod 0640 {{ kube_cert_dir}}/*.pem
+- name: Gen_certs | set permissions on keys
+  shell: chmod 0600 {{ kube_cert_dir}}/*key.pem
  when: inventory_hostname in groups['kube-master']
  changed_when: false

--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -9,7 +9,6 @@
    path={{ kube_cert_dir }}
    state=directory
    mode=o-rwx
-    owner={{ kubelet_user }}
    group={{ kube_cert_group }}

 - name: Make sure the tokens directory exits
@@ -17,16 +16,14 @@
    path={{ kube_token_dir }}
    state=directory
    mode=o-rwx
-    owner={{ kubelet_user }}
-    group={{ kubelet_group }}
+    group={{ kube_cert_group }}

 - name: Make sure the users directory exits
  file:
    path={{ kube_users_dir }}
    state=directory
    mode=o-rwx
-    owner={{ kubelet_user }}
-    group={{ kubelet_group }}
+    group={{ kube_cert_group }}

 - name: Populate users for basic auth in API
  lineinfile: