Yuvipanda has uploaded a new change for review. https://gerrit.wikimedia.org/r/237590
Change subject: k8s: Make kubelet run as root as well
......................................................................

k8s: Make kubelet run as root as well

Needs to manipulate cgroups and other things that require root

Change-Id: I642f25fe11eb4385180b502d824a92697884cb44
---
M modules/k8s/manifests/kubelet.pp
M modules/k8s/manifests/ssl.pp
M modules/k8s/manifests/users.pp
M modules/k8s/templates/initscripts/kubelet.systemd.erb
4 files changed, 21 insertions(+), 23 deletions(-)

git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/90/237590/1

diff --git a/modules/k8s/manifests/kubelet.pp b/modules/k8s/manifests/kubelet.pp
index c973473..25ded0c 100644
--- a/modules/k8s/manifests/kubelet.pp
+++ b/modules/k8s/manifests/kubelet.pp
@@ -9,16 +9,16 @@
 '/etc/kubernetes/manifests',
 ]:
 ensure => directory,
- owner => 'kubernetes',
- group => 'kubernetes',
+ owner => 'root',
+ group => 'root',
 mode => '0755',
 }
 file { '/etc/kubernetes/kubeconfig':
 ensure => present,
 content => template('k8s/kubeconfig-client.yaml.erb'),
- owner => 'kubernetes',
- group => 'kubernetes',
+ owner => 'root',
+ group => 'root',
 mode => '0400',
 notify => Base::Service_unit['kubelet'],
 }
@@ -28,15 +28,15 @@
 '/var/lib/kubelet',
 ] :
 ensure => directory,
- owner => 'kubernetes',
- group => 'kubernetes',
+ owner => 'root',
+ group => 'root',
 mode => '0700',
 }
- include k8s::users
-
 class { '::k8s::ssl':
- notify => Base::Service_unit['kubelet'],
+ notify => Base::Service_unit['kubelet'],
+ user => 'root',
+ group => 'root',
 }
 base::service_unit { 'kubelet':
diff --git a/modules/k8s/manifests/ssl.pp b/modules/k8s/manifests/ssl.pp
index c7ce555..2be0020 100644
--- a/modules/k8s/manifests/ssl.pp
+++ b/modules/k8s/manifests/ssl.pp
@@ -4,6 +4,8 @@
 # Note: Only copies public components, no private keys
 class k8s::ssl(
 $provide_private = false,
+ $user = 'kubernetes',
+ $group = 'kubernetes',
 ) {
 $puppet_cert_name = $::fqdn
 $ssldir = '/var/lib/puppet/ssl'
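Review bot: Dropping `include k8s::users` in the second hunk leaves the `kubernetes` account declared in users.pp but no longer guaranteed to be in the catalog for kubelet nodes, while `k8s::ssl` still defaults `$user`/`$group` to 'kubernetes'; unless k8s::users is included from somewhere else, any other class that declares `::k8s::ssl` without overriding those parameters will now fail at apply time on the undefined owner. If the account is intentionally no longer provisioned here, record that next to the explicit root override, e.g. `# kubelet runs as root (cgroup management); k8s::users is no longer pulled in by this class` above `class { '::k8s::ssl':`. The enclosing `k8s::kubelet` class starts above the hunk and continues below it.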
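Review bot: The two new parameters `$user` and `$group` are undocumented, and nothing in the class verifies that the named account exists, so a caller that keeps the 'kubernetes' default without declaring `k8s::users` itself gets an apply-time failure on the first `file` resource further down. Add parameter documentation above the class, e.g. `# $user, $group: owner of the copied certificate material; the account must be declared by the caller (k8s::kubelet passes root)`. The header line `# Note: Only copies public components, no private keys`, shown here as context, is already contradicted by `$provide_private` and is worth correcting in the same pass. The class body continues below the hunk.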
@@ -15,25 +17,25 @@
 '/var/lib/kubernetes/ssl/private_keys',
 ]:
 ensure => directory,
- owner => 'kubernetes',
- group => 'kubernetes',
- mode => '0500',
+ owner => $user,
+ group => $group,
+ mode => '0555',
 }
 file { '/var/lib/kubernetes/ssl/certs/ca.pem':
 ensure => present,
- owner => 'kubernetes',
- group => 'kubernetes',
- mode => '0400',
+ owner => $user,
+ group => $group,
+ mode => '0444',
 source => "${ssldir}/certs/ca.pem",
 require => File['/var/lib/kubernetes/ssl/certs'],
 }
 file { '/var/lib/kubernetes/ssl/certs/cert.pem':
 ensure => present,
- owner => 'kubernetes',
- group => 'kubernetes',
+ owner => $user,
+ group => $group,
 mode => '0400',
 source => "${ssldir}/certs/${puppet_cert_name}.pem",
 require => File['/var/lib/kubernetes/ssl/certs/ca.pem'],
@@ -42,8 +44,8 @@
 if $provide_private {
 file { '/var/lib/kubernetes/ssl/private_keys/server.key':
 ensure => present,
- owner => 'kubernetes',
- group => 'kubernetes',
+ owner => $user,
+ group => $group,
 mode => '0400',
 source => "${ssldir}/private_keys/${puppet_cert_name}.pem",
 require => File['/var/lib/kubernetes/ssl/private_keys'],
diff --git a/modules/k8s/manifests/users.pp b/modules/k8s/manifests/users.pp
index c0262ea..11c889d 100644
--- a/modules/k8s/manifests/users.pp
+++ b/modules/k8s/manifests/users.pp
@@ -9,7 +9,5 @@
 shell => '/bin/false',
 system => true,
 managehome => false,
- groups => ['docker',],
 }
-
 }
diff --git a/modules/k8s/templates/initscripts/kubelet.systemd.erb b/modules/k8s/templates/initscripts/kubelet.systemd.erb
index 8750e26..dbe788c 100644
--- a/modules/k8s/templates/initscripts/kubelet.systemd.erb
+++ b/modules/k8s/templates/initscripts/kubelet.systemd.erb
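Review bot: The mode change from 0500 to 0555 in the first resource also applies to `/var/lib/kubernetes/ssl/private_keys` (the resource's path array starts above the hunk), so the directory that holds `server.key` becomes searchable by every local user, and `ca.pem` is relaxed to 0444 while `cert.pem` two resources down stays at 0400. Running kubelet as root needs neither relaxation, since root bypasses DAC checks on the owner-only modes; if the intent is to let non-root processes read the CA, say so in a comment and confine the relaxation to the certs directory. Give private_keys its own resource with `mode => '0500'` and drop it from the shared array above the hunk:
```puppet
  # … unchanged: certs/ssl directories in the shared resource at 0555 …
  file { '/var/lib/kubernetes/ssl/private_keys':
    ensure => directory,
    owner  => $user,
    group  => $group,
    mode   => '0500', # root ignores DAC; keep key material non-searchable by other users
  }
```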
@@ -2,8 +2,6 @@
 Description=Kubelet
 
 [Service]
-User=kubernetes
-Group=kubernetes
 ExecStart=/usr/bin/kubelet \
   --config=/etc/kubernetes/manifests \
   --kubeconfig=/etc/kubernetes/kubeconfig \
-- 
To view, visit https://gerrit.wikimedia.org/r/237590
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I642f25fe11eb4385180b502d824a92697884cb44
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yuvipanda <yuvipa...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
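Review bot: Removing `User=` and `Group=` makes the unit run as root with nothing in the template saying why, and the only rationale (cgroups) lives in the commit message; a later maintainer will be tempted to reinstate the privilege drop. Add a comment above `ExecStart=`, e.g. `# Intentionally runs as root: kubelet has to manipulate cgroups (see k8s::kubelet)`. With the daemon now root the 0400 root:root kubeconfig in kubelet.pp is consistent, but, as far as the visible lines show, the unit carries no other confinement, so any compensating restriction now has to come from here rather than from the service account. The `ExecStart` continuation runs past the end of the hunk.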