From 264d23a1b5be6377358a7d35eb6e7ebc4f35584b Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Sat, 25 Jul 2020 13:50:08 -0700
Subject: [PATCH] Declare etcd data directory permissions
* Set etcd data directory /var/lib/etcd permissions to 700
* On Flatcar Linux, /var/lib/etcd is pre-existing and Ignition v2 doesn't overwrite the directory. Update the Container Linux config, but add the manual chmod workaround to bootstrap for Flatcar Linux users
* https://github.com/etcd-io/etcd/blob/master/CHANGELOG-3.4.md#v3410-2020-07-16
* https://github.com/etcd-io/etcd/pull/11798
---
 aws/container-linux/kubernetes/cl/controller.yaml | 6 ++++++
 aws/fedora-coreos/kubernetes/fcc/controller.yaml | 2 ++
 azure/container-linux/kubernetes/cl/controller.yaml | 6 ++++++
 azure/fedora-coreos/kubernetes/fcc/controller.yaml | 2 ++
 bare-metal/container-linux/kubernetes/cl/controller.yaml | 5 +++++
 bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml | 2 ++
 digital-ocean/container-linux/kubernetes/cl/controller.yaml | 5 +++++
 digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml | 2 ++
 google-cloud/container-linux/kubernetes/cl/controller.yaml | 6 ++++++
 google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml | 2 ++
 10 files changed, 38 insertions(+)
diff --git a/aws/container-linux/kubernetes/cl/controller.yaml b/aws/container-linux/kubernetes/cl/controller.yaml
index 3aee27b7..ff15c3c6 100644
--- a/aws/container-linux/kubernetes/cl/controller.yaml
+++ b/aws/container-linux/kubernetes/cl/controller.yaml
@@ -142,6 +142,11 @@ systemd:
 [Install]
 WantedBy=multi-user.target
 storage:
+ directories:
+ - path: /var/lib/etcd
+ filesystem: root
+ mode: 0700
+ overwrite: true
 files:
 - path: /etc/kubernetes/kubeconfig
 filesystem: root
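Review bot: The new `directories` entry declares `mode: 0700` for `/var/lib/etcd` without recording why the mode was tightened, which is the kind of permission change a later maintainer may relax when the etcd warning is no longer in front of them; add a comment above the `- path: /var/lib/etcd` line, e.g. `# etcd 3.4.10+ expects its data directory to be mode 0700 (see etcd CHANGELOG-3.4)`. The same missing comment applies to the azure and google-cloud Container Linux stanzas and to all five Fedora CoreOS `directories` hunks, so one comment per file. The unquoted leading-zero literal relies on the config transpiler reading it as octal, which is consistent with the existing `mode: 0755` entries visible in the bare-metal and digital-ocean hunks, so it matches file convention. Since the commit message says `overwrite: true` does not take effect on a pre-existing Flatcar directory, the comment could also point readers to the bootstrap `chmod` as the fallback that actually enforces the mode there.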
@@ -163,6 +168,7 @@ storage:
 mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
 chown -R etcd:etcd /etc/ssl/etcd
 chmod -R 500 /etc/ssl/etcd
+ chmod -R 700 /var/lib/etcd
 mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
 mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
 mkdir -p /etc/kubernetes/manifests
diff --git a/aws/fedora-coreos/kubernetes/fcc/controller.yaml b/aws/fedora-coreos/kubernetes/fcc/controller.yaml
index f5d6e303..0d8b4c35 100644
--- a/aws/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/aws/fedora-coreos/kubernetes/fcc/controller.yaml
@@ -129,6 +129,8 @@ systemd:
 ExecStartPost=-/usr/bin/podman stop bootstrap
 storage:
 directories:
+ - path: /var/lib/etcd
+ mode: 0700
 - path: /etc/kubernetes
 - path: /opt/bootstrap
 files:
diff --git a/azure/container-linux/kubernetes/cl/controller.yaml b/azure/container-linux/kubernetes/cl/controller.yaml
index 3aee27b7..ff15c3c6 100644
--- a/azure/container-linux/kubernetes/cl/controller.yaml
+++ b/azure/container-linux/kubernetes/cl/controller.yaml
@@ -142,6 +142,11 @@ systemd:
 [Install]
 WantedBy=multi-user.target
 storage:
+ directories:
+ - path: /var/lib/etcd
+ filesystem: root
+ mode: 0700
+ overwrite: true
 files:
 - path: /etc/kubernetes/kubeconfig
 filesystem: root
@@ -163,6 +168,7 @@ storage:
 mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
 chown -R etcd:etcd /etc/ssl/etcd
 chmod -R 500 /etc/ssl/etcd
+ chmod -R 700 /var/lib/etcd
 mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
 mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
 mkdir -p /etc/kubernetes/manifests
diff --git a/azure/fedora-coreos/kubernetes/fcc/controller.yaml b/azure/fedora-coreos/kubernetes/fcc/controller.yaml
index ec532153..a337e9a8 100644
--- a/azure/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/azure/fedora-coreos/kubernetes/fcc/controller.yaml
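Review bot: `chmod -R 700 /var/lib/etcd` recurses into the data directory, so any WAL and snapshot files already present also become 0700 (owner-executable), which is broader than the directory-mode requirement the commit message cites and, as I read the linked etcd change, broader than what etcd's own permission check looks at; a non-recursive `chmod 700 /var/lib/etcd` covers the stated Flatcar case without touching file modes. The same line is added in the azure Container Linux hunk on this line and in the bare-metal, digital-ocean and google-cloud Container Linux bootstrap hunks. A preceding comment in the script, `# Flatcar Linux: /var/lib/etcd pre-exists and Ignition does not re-mode it, so enforce 0700 here`, would keep the workaround from being mistaken for a redundant copy of the `directories` entry and removed later. The bootstrap script's enclosing block scalar starts and ends outside this hunk.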
@@ -128,6 +128,8 @@ systemd:
 ExecStartPost=-/usr/bin/podman stop bootstrap
 storage:
 directories:
+ - path: /var/lib/etcd
+ mode: 0700
 - path: /etc/kubernetes
 - path: /opt/bootstrap
 files:
diff --git a/bare-metal/container-linux/kubernetes/cl/controller.yaml b/bare-metal/container-linux/kubernetes/cl/controller.yaml
index 2ad89e7b..7e72223d 100644
--- a/bare-metal/container-linux/kubernetes/cl/controller.yaml
+++ b/bare-metal/container-linux/kubernetes/cl/controller.yaml
@@ -156,6 +156,10 @@ systemd:
 WantedBy=multi-user.target
 storage:
 directories:
+ - path: /var/lib/etcd
+ filesystem: root
+ mode: 0700
+ overwrite: true
 - path: /etc/kubernetes
 filesystem: root
 mode: 0755
@@ -180,6 +184,7 @@ storage:
 mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
 chown -R etcd:etcd /etc/ssl/etcd
 chmod -R 500 /etc/ssl/etcd
+ chmod -R 700 /var/lib/etcd
 mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
 mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
 mkdir -p /etc/kubernetes/manifests
diff --git a/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml b/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml
index 9c8e0286..2f6c9ee7 100644
--- a/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml
@@ -139,6 +139,8 @@ systemd:
 ExecStartPost=-/usr/bin/podman stop bootstrap
 storage:
 directories:
+ - path: /var/lib/etcd
+ mode: 0700
 - path: /etc/kubernetes
 - path: /opt/bootstrap
 files:
diff --git a/digital-ocean/container-linux/kubernetes/cl/controller.yaml b/digital-ocean/container-linux/kubernetes/cl/controller.yaml
index 80397a86..415f3305 100644
--- a/digital-ocean/container-linux/kubernetes/cl/controller.yaml
+++ b/digital-ocean/container-linux/kubernetes/cl/controller.yaml
@@ -153,6 +153,10 @@ systemd:
 WantedBy=multi-user.target
 storage:
 directories:
+ - path: /var/lib/etcd
+ filesystem: root
+ mode: 0700
+ overwrite: true
 - path: /etc/kubernetes
 filesystem: root
 mode: 0755
@@ -171,6 +175,7 @@ storage:
 mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
 chown -R etcd:etcd /etc/ssl/etcd
 chmod -R 500 /etc/ssl/etcd
+ chmod -R 700 /var/lib/etcd
 mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
 mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
 mkdir -p /etc/kubernetes/manifests
diff --git a/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml b/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml
index 372fae95..a819e6a6 100644
--- a/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml
@@ -140,6 +140,8 @@ systemd:
 ExecStartPost=-/usr/bin/podman stop bootstrap
 storage:
 directories:
+ - path: /var/lib/etcd
+ mode: 0700
 - path: /etc/kubernetes
 - path: /opt/bootstrap
 files:
diff --git a/google-cloud/container-linux/kubernetes/cl/controller.yaml b/google-cloud/container-linux/kubernetes/cl/controller.yaml
index fb11f529..17652949 100644
--- a/google-cloud/container-linux/kubernetes/cl/controller.yaml
+++ b/google-cloud/container-linux/kubernetes/cl/controller.yaml
@@ -140,6 +140,11 @@ systemd:
 [Install]
 WantedBy=multi-user.target
 storage:
+ directories:
+ - path: /var/lib/etcd
+ filesystem: root
+ mode: 0700
+ overwrite: true
 files:
 - path: /etc/kubernetes/kubeconfig
 filesystem: root
@@ -161,6 +166,7 @@ storage:
 mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
 chown -R etcd:etcd /etc/ssl/etcd
 chmod -R 500 /etc/ssl/etcd
+ chmod -R 700 /var/lib/etcd
 mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
 mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
 mkdir -p /etc/kubernetes/manifests
diff --git a/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml b/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml
index 61c42925..8edb5261 100644
--- a/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml
@@ -128,6 +128,8 @@ systemd:
 ExecStartPost=-/usr/bin/podman stop bootstrap
 storage:
 directories:
+ - path: /var/lib/etcd
+ mode: 0700
 - path: /etc/kubernetes
 - path: /opt/bootstrap
 files: