Yuvipanda has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/237590

Change subject: k8s: Make kubelet run as root as well
......................................................................

k8s: Make kubelet run as root as well

The kubelet needs to manipulate cgroups and perform other operations that
require root privileges.

Change-Id: I642f25fe11eb4385180b502d824a92697884cb44
---
M modules/k8s/manifests/kubelet.pp
M modules/k8s/manifests/ssl.pp
M modules/k8s/manifests/users.pp
M modules/k8s/templates/initscripts/kubelet.systemd.erb
4 files changed, 21 insertions(+), 23 deletions(-)



diff --git a/modules/k8s/manifests/kubelet.pp b/modules/k8s/manifests/kubelet.pp
index c973473..25ded0c 100644
--- a/modules/k8s/manifests/kubelet.pp
+++ b/modules/k8s/manifests/kubelet.pp
@@ -9,16 +9,16 @@
         '/etc/kubernetes/manifests',
     ]:
         ensure => directory,
-        owner  => 'kubernetes',
-        group  => 'kubernetes',
+        owner  => 'root',
+        group  => 'root',
         mode   => '0755',
     }
 
     file { '/etc/kubernetes/kubeconfig':
         ensure  => present,
         content => template('k8s/kubeconfig-client.yaml.erb'),
-        owner   => 'kubernetes',
-        group   => 'kubernetes',
+        owner   => 'root',
+        group   => 'root',
         mode    => '0400',
         notify  => Base::Service_unit['kubelet'],
     }
@@ -28,15 +28,15 @@
         '/var/lib/kubelet',
     ] :
         ensure => directory,
-        owner  => 'kubernetes',
-        group  => 'kubernetes',
+        owner  => 'root',
+        group  => 'root',
         mode   => '0700',
     }
 
-    include k8s::users
-
     class { '::k8s::ssl':
-        notify  => Base::Service_unit['kubelet'],
+        notify => Base::Service_unit['kubelet'],
+        user   => 'root',
+        group  => 'root',
     }
 
     base::service_unit { 'kubelet':
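Review bot: Dropping `include k8s::users` here means the `kubernetes` account is no longer guaranteed to exist on kubelet hosts, while `k8s::ssl` in ssl.pp still defaults `$user`/`$group` to `kubernetes`; this declaration overrides both to root, so it only holds as long as nothing else on the host declares `k8s::ssl` with the defaults. Because `class { '::k8s::ssl': ... }` is a resource-like declaration, a second declaration from another profile on the same node would presumably fail as a duplicate rather than silently use different ownership, which is worth stating next to it: `# Declared once per host; owned by root because kubelet itself runs as root.` The `base::service_unit { 'kubelet':` resource continues past the hunk.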
diff --git a/modules/k8s/manifests/ssl.pp b/modules/k8s/manifests/ssl.pp
index c7ce555..2be0020 100644
--- a/modules/k8s/manifests/ssl.pp
+++ b/modules/k8s/manifests/ssl.pp
@@ -4,6 +4,8 @@
 # Note: Only copies public components, no private keys
 class k8s::ssl(
     $provide_private = false,
+    $user = 'kubernetes',
+    $group = 'kubernetes',
 ) {
     $puppet_cert_name = $::fqdn
     $ssldir = '/var/lib/puppet/ssl'
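Review bot: The new `$user`/`$group` parameters are undocumented, and the header comment above them still says "Only copies public components, no private keys" even though `$provide_private` (visible in the same class) copies the server key when set. Since this hunk touches the class header, it is the place to document the contract, e.g. `# @param provide_private also copy this host's puppet private key (default false)`, `# @param user/@param group owner of the copied material; defaults to the kubernetes service account, callers running as root pass 'root'`. The class body continues past the hunk.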
@@ -15,25 +17,25 @@
         '/var/lib/kubernetes/ssl/private_keys',
     ]:
         ensure => directory,
-        owner  => 'kubernetes',
-        group  => 'kubernetes',
-        mode   => '0500',
+        owner  => $user,
+        group  => $group,
+        mode   => '0555',
     }
 
 
     file { '/var/lib/kubernetes/ssl/certs/ca.pem':
         ensure  => present,
-        owner   => 'kubernetes',
-        group   => 'kubernetes',
-        mode    => '0400',
+        owner   => $user,
+        group   => $group,
+        mode    => '0444',
         source  => "${ssldir}/certs/ca.pem",
         require => File['/var/lib/kubernetes/ssl/certs'],
     }
 
     file { '/var/lib/kubernetes/ssl/certs/cert.pem':
         ensure  => present,
-        owner   => 'kubernetes',
-        group   => 'kubernetes',
+        owner   => $user,
+        group   => $group,
         mode    => '0400',
         source  => "${ssldir}/certs/${puppet_cert_name}.pem",
         require => File['/var/lib/kubernetes/ssl/certs/ca.pem'],
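Review bot: Loosening the directory mode to `0555` applies to every path in the array, including `/var/lib/kubernetes/ssl/private_keys`, so the private-key directory becomes world-listable; the key file itself stays `0400` in the next hunk, so only its name leaks, but there is no visible reason to relax the private directory at all. Presumably the intent is only to let non-owner processes read `ca.pem` (now `0444`), which needs just `certs` to be traversable; splitting the directory resource so that `private_keys` keeps `mode => '0500'` would achieve that without widening the key directory. Note also that `cert.pem` stays `0400` while `ca.pem` becomes `0444`; if a non-owner reader of the CA exists it will likely need the client cert too, so the asymmetry looks unintentional and deserves either a fix or a comment. The directory resource's head is in the previous context lines and the class continues past the hunk.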
@@ -42,8 +44,8 @@
     if $provide_private {
         file { '/var/lib/kubernetes/ssl/private_keys/server.key':
             ensure  => present,
-            owner   => 'kubernetes',
-            group   => 'kubernetes',
+            owner   => $user,
+            group   => $group,
             mode    => '0400',
             source  => "${ssldir}/private_keys/${puppet_cert_name}.pem",
             require => File['/var/lib/kubernetes/ssl/private_keys'],
diff --git a/modules/k8s/manifests/users.pp b/modules/k8s/manifests/users.pp
index c0262ea..11c889d 100644
--- a/modules/k8s/manifests/users.pp
+++ b/modules/k8s/manifests/users.pp
@@ -9,7 +9,5 @@
         shell      => '/bin/false',
         system     => true,
         managehome => false,
-        groups     => ['docker',],
     }
-
 }
diff --git a/modules/k8s/templates/initscripts/kubelet.systemd.erb 
b/modules/k8s/templates/initscripts/kubelet.systemd.erb
index 8750e26..dbe788c 100644
--- a/modules/k8s/templates/initscripts/kubelet.systemd.erb
+++ b/modules/k8s/templates/initscripts/kubelet.systemd.erb
@@ -2,8 +2,6 @@
 Description=Kubelet
 
 [Service]
-User=kubernetes
-Group=kubernetes
 ExecStart=/usr/bin/kubelet \
     --config=/etc/kubernetes/manifests \
     --kubeconfig=/etc/kubernetes/kubeconfig \
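Review bot: Removing `User=`/`Group=` makes the unit run as root with no comment explaining why, so the next person hardening units will likely re-add them and break the cgroup handling the commit message cites. Record the reason in the template, e.g. `# No User=/Group=: kubelet must manage cgroups and container runtime state, which requires root.` The `ExecStart=` continuation runs past the hunk, so any hardening directives that are still safe for a root kubelet (if any are chosen) should be reviewed against the full argument list.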

-- 

Gerrit-MessageType: newchange
Gerrit-Change-Id: I642f25fe11eb4385180b502d824a92697884cb44
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yuvipanda <yuvipa...@wikimedia.org>
