[MediaWiki-commits] [Gerrit] k8s: Make kubelet run as root as well - change (operations/puppet)

2015-09-11 Thread Yuvipanda (Code Review)
Yuvipanda has submitted this change and it was merged.

Change subject: k8s: Make kubelet run as root as well
..


k8s: Make kubelet run as root as well

Needs to manipulate cgroups and other things that
require root

Change-Id: I642f25fe11eb4385180b502d824a92697884cb44
---
M modules/k8s/manifests/kubelet.pp
M modules/k8s/manifests/ssl.pp
M modules/k8s/manifests/users.pp
M modules/k8s/templates/initscripts/kubelet.systemd.erb
4 files changed, 21 insertions(+), 23 deletions(-)

Approvals:
  Yuvipanda: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/k8s/manifests/kubelet.pp b/modules/k8s/manifests/kubelet.pp
index c973473..25ded0c 100644
--- a/modules/k8s/manifests/kubelet.pp
+++ b/modules/k8s/manifests/kubelet.pp
@@ -9,16 +9,16 @@
 '/etc/kubernetes/manifests',
 ]:
 ensure => directory,
-owner  => 'kubernetes',
-group  => 'kubernetes',
+owner  => 'root',
+group  => 'root',
 mode   => '0755',
 }
 
 file { '/etc/kubernetes/kubeconfig':
 ensure  => present,
 content => template('k8s/kubeconfig-client.yaml.erb'),
-owner   => 'kubernetes',
-group   => 'kubernetes',
+owner   => 'root',
+group   => 'root',
 mode=> '0400',
 notify  => Base::Service_unit['kubelet'],
 }
@@ -28,15 +28,15 @@
 '/var/lib/kubelet',
 ] :
 ensure => directory,
-owner  => 'kubernetes',
-group  => 'kubernetes',
+owner  => 'root',
+group  => 'root',
 mode   => '0700',
 }
 
-include k8s::users
-
 class { '::k8s::ssl':
-notify  => Base::Service_unit['kubelet'],
+notify => Base::Service_unit['kubelet'],
+user   => 'root',
+group  => 'root',
 }
 
 base::service_unit { 'kubelet':
diff --git a/modules/k8s/manifests/ssl.pp b/modules/k8s/manifests/ssl.pp
index c7ce555..2be0020 100644
--- a/modules/k8s/manifests/ssl.pp
+++ b/modules/k8s/manifests/ssl.pp
@@ -4,6 +4,8 @@
 # Note: Only copies public components, no private keys
 class k8s::ssl(
 $provide_private = false,
+$user = 'kubernetes',
+$group = 'kubernetes',
 ) {
 $puppet_cert_name = $::fqdn
 $ssldir = '/var/lib/puppet/ssl'
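Review bot: The new `$user` and `$group` parameters are undocumented and default to `'kubernetes'`, while this same commit removes `include k8s::users` from kubelet.pp. Nothing visible in ssl.pp declares or requires that account, so a caller relying on the defaults presumably has to include `k8s::users` itself or the file resources will fail on an unknown owner. I would extend the class header comment with something like `# [*user*] / [*group*] owner of the copied SSL files; the account must already exist (see k8s::users)`. The class body continues outside the hunk, so a dependency declared further down cannot be ruled out.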
@@ -15,25 +17,25 @@
 '/var/lib/kubernetes/ssl/private_keys',
 ]:
 ensure => directory,
-owner  => 'kubernetes',
-group  => 'kubernetes',
-mode   => '0500',
+owner  => $user,
+group  => $group,
+mode   => '0555',
 }
 
 
 file { '/var/lib/kubernetes/ssl/certs/ca.pem':
 ensure  => present,
-owner   => 'kubernetes',
-group   => 'kubernetes',
-mode=> '0400',
+owner   => $user,
+group   => $group,
+mode=> '0444',
 source  => "${ssldir}/certs/ca.pem",
 require => File['/var/lib/kubernetes/ssl/certs'],
 }
 
 file { '/var/lib/kubernetes/ssl/certs/cert.pem':
 ensure  => present,
-owner   => 'kubernetes',
-group   => 'kubernetes',
+owner   => $user,
+group   => $group,
 mode=> '0400',
 source  => "${ssldir}/certs/${puppet_cert_name}.pem",
 require => File['/var/lib/kubernetes/ssl/certs/ca.pem'],
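Review bot: The directory resource at the top of this hunk goes from `0500` to `0555`, and its title list includes `/var/lib/kubernetes/ssl/private_keys`, so every local account can now list and traverse the private-key directory. `server.key` stays `0400`, so the key bytes are not exposed by this change, but the commit message gives no reason to loosen this directory, and it removes the layer that would contain a key file written with a wider mode. I would move `private_keys` into its own `file` resource that keeps `mode => '0500'` and apply `0555` only to the certificate directories. The title list starts above the hunk, so the full set of affected paths is not visible here; the identical hunk appears again in the newchange mail lower on the page.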
@@ -42,8 +44,8 @@
 if $provide_private {
 file { '/var/lib/kubernetes/ssl/private_keys/server.key':
 ensure  => present,
-owner   => 'kubernetes',
-group   => 'kubernetes',
+owner   => $user,
+group   => $group,
 mode=> '0400',
 source  => "${ssldir}/private_keys/${puppet_cert_name}.pem",
 require => File['/var/lib/kubernetes/ssl/private_keys'],
diff --git a/modules/k8s/manifests/users.pp b/modules/k8s/manifests/users.pp
index c0262ea..11c889d 100644
--- a/modules/k8s/manifests/users.pp
+++ b/modules/k8s/manifests/users.pp
@@ -9,7 +9,5 @@
 shell  => '/bin/false',
 system => true,
 managehome => false,
-groups => ['docker',],
 }
-
 }
diff --git a/modules/k8s/templates/initscripts/kubelet.systemd.erb 
b/modules/k8s/templates/initscripts/kubelet.systemd.erb
index 8750e26..dbe788c 100644
--- a/modules/k8s/templates/initscripts/kubelet.systemd.erb
+++ b/modules/k8s/templates/initscripts/kubelet.systemd.erb
@@ -2,8 +2,6 @@
 Description=Kubelet
 
 [Service]
-User=kubernetes
-Group=kubernetes
 ExecStart=/usr/bin/kubelet \
 --config=/etc/kubernetes/manifests \
 --kubeconfig=/etc/kubernetes/kubeconfig \
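Review bot: With `User=` and `Group=` dropped, the `[Service]` section gives no hint that running as root is deliberate, and systemd's implicit root default is easy to mistake for an omission later. I would add a comment above `ExecStart`, for example `# Runs as root on purpose: kubelet has to manage cgroups`, which is the reason the commit message gives. Since the service now holds full root, it is also worth checking whether any systemd sandboxing directives are compatible with what kubelet needs on these hosts; that cannot be judged from this hunk. The `ExecStart` command continues past the end of the hunk.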

-- 
To view, visit https://gerrit.wikimedia.org/r/237590

Gerrit-MessageType: merged
Gerrit-Change-Id: I642f25fe11eb4385180b502d824a92697884cb44
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yuvipanda 
Gerrit-Reviewer: 

[MediaWiki-commits] [Gerrit] k8s: Make kubelet run as root as well - change (operations/puppet)

2015-09-11 Thread Yuvipanda (Code Review)
Yuvipanda has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/237590

Change subject: k8s: Make kubelet run as root as well
..

k8s: Make kubelet run as root as well

Needs to manipulate cgroups and other things that
require root

Change-Id: I642f25fe11eb4385180b502d824a92697884cb44
---
M modules/k8s/manifests/kubelet.pp
M modules/k8s/manifests/ssl.pp
M modules/k8s/manifests/users.pp
M modules/k8s/templates/initscripts/kubelet.systemd.erb
4 files changed, 21 insertions(+), 23 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/90/237590/1

diff --git a/modules/k8s/manifests/kubelet.pp b/modules/k8s/manifests/kubelet.pp
index c973473..25ded0c 100644
--- a/modules/k8s/manifests/kubelet.pp
+++ b/modules/k8s/manifests/kubelet.pp
@@ -9,16 +9,16 @@
 '/etc/kubernetes/manifests',
 ]:
 ensure => directory,
-owner  => 'kubernetes',
-group  => 'kubernetes',
+owner  => 'root',
+group  => 'root',
 mode   => '0755',
 }
 
 file { '/etc/kubernetes/kubeconfig':
 ensure  => present,
 content => template('k8s/kubeconfig-client.yaml.erb'),
-owner   => 'kubernetes',
-group   => 'kubernetes',
+owner   => 'root',
+group   => 'root',
 mode=> '0400',
 notify  => Base::Service_unit['kubelet'],
 }
@@ -28,15 +28,15 @@
 '/var/lib/kubelet',
 ] :
 ensure => directory,
-owner  => 'kubernetes',
-group  => 'kubernetes',
+owner  => 'root',
+group  => 'root',
 mode   => '0700',
 }
 
-include k8s::users
-
 class { '::k8s::ssl':
-notify  => Base::Service_unit['kubelet'],
+notify => Base::Service_unit['kubelet'],
+user   => 'root',
+group  => 'root',
 }
 
 base::service_unit { 'kubelet':
diff --git a/modules/k8s/manifests/ssl.pp b/modules/k8s/manifests/ssl.pp
index c7ce555..2be0020 100644
--- a/modules/k8s/manifests/ssl.pp
+++ b/modules/k8s/manifests/ssl.pp
@@ -4,6 +4,8 @@
 # Note: Only copies public components, no private keys
 class k8s::ssl(
 $provide_private = false,
+$user = 'kubernetes',
+$group = 'kubernetes',
 ) {
 $puppet_cert_name = $::fqdn
 $ssldir = '/var/lib/puppet/ssl'
@@ -15,25 +17,25 @@
 '/var/lib/kubernetes/ssl/private_keys',
 ]:
 ensure => directory,
-owner  => 'kubernetes',
-group  => 'kubernetes',
-mode   => '0500',
+owner  => $user,
+group  => $group,
+mode   => '0555',
 }
 
 
 file { '/var/lib/kubernetes/ssl/certs/ca.pem':
 ensure  => present,
-owner   => 'kubernetes',
-group   => 'kubernetes',
-mode=> '0400',
+owner   => $user,
+group   => $group,
+mode=> '0444',
 source  => "${ssldir}/certs/ca.pem",
 require => File['/var/lib/kubernetes/ssl/certs'],
 }
 
 file { '/var/lib/kubernetes/ssl/certs/cert.pem':
 ensure  => present,
-owner   => 'kubernetes',
-group   => 'kubernetes',
+owner   => $user,
+group   => $group,
 mode=> '0400',
 source  => "${ssldir}/certs/${puppet_cert_name}.pem",
 require => File['/var/lib/kubernetes/ssl/certs/ca.pem'],
@@ -42,8 +44,8 @@
 if $provide_private {
 file { '/var/lib/kubernetes/ssl/private_keys/server.key':
 ensure  => present,
-owner   => 'kubernetes',
-group   => 'kubernetes',
+owner   => $user,
+group   => $group,
 mode=> '0400',
 source  => "${ssldir}/private_keys/${puppet_cert_name}.pem",
 require => File['/var/lib/kubernetes/ssl/private_keys'],
diff --git a/modules/k8s/manifests/users.pp b/modules/k8s/manifests/users.pp
index c0262ea..11c889d 100644
--- a/modules/k8s/manifests/users.pp
+++ b/modules/k8s/manifests/users.pp
@@ -9,7 +9,5 @@
 shell  => '/bin/false',
 system => true,
 managehome => false,
-groups => ['docker',],
 }
-
 }
diff --git a/modules/k8s/templates/initscripts/kubelet.systemd.erb 
b/modules/k8s/templates/initscripts/kubelet.systemd.erb
index 8750e26..dbe788c 100644
--- a/modules/k8s/templates/initscripts/kubelet.systemd.erb
+++ b/modules/k8s/templates/initscripts/kubelet.systemd.erb
@@ -2,8 +2,6 @@
 Description=Kubelet
 
 [Service]
-User=kubernetes
-Group=kubernetes
 ExecStart=/usr/bin/kubelet \
 --config=/etc/kubernetes/manifests \
 --kubeconfig=/etc/kubernetes/kubeconfig \

-- 
To view, visit https://gerrit.wikimedia.org/r/237590

Gerrit-MessageType: newchange
Gerrit-Change-Id: I642f25fe11eb4385180b502d824a92697884cb44
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yuvipanda