From 83236eab5749d2eddd9110961ee315997e442833 Mon Sep 17 00:00:00 2001 From: Dalton Hubble Date: Thu, 21 Jul 2022 09:01:43 -0700 Subject: [PATCH] Add table of details about static Pods * Also remote outdated mentions of rkt-fly --- docs/architecture/operating-systems.md | 4 ++-- docs/flatcar-linux/bare-metal.md | 6 +++--- docs/topics/security.md | 25 +++++++++++++++++++++++++ 3 files changed, 30 insertions(+), 5 deletions(-) diff --git a/docs/architecture/operating-systems.md b/docs/architecture/operating-systems.md index 1e257cd7..e5b08e19 100644 --- a/docs/architecture/operating-systems.md +++ b/docs/architecture/operating-systems.md @@ -9,8 +9,8 @@ Typhoon supports [Fedora CoreOS](https://getfedora.org/coreos/) and [Flatcar Lin Together, they diversify Typhoon to support a range of container technologies. -* Fedora CoreOS: rpm-ostree, podman, moby -* Flatcar Linux: Gentoo core, rkt-fly, docker +* Fedora CoreOS: rpm-ostree, podman, containerd +* Flatcar Linux: Gentoo core, docker, containerd ## Host Properties diff --git a/docs/flatcar-linux/bare-metal.md b/docs/flatcar-linux/bare-metal.md index 4b9488bc..5ae8e52e 100644 --- a/docs/flatcar-linux/bare-metal.md +++ b/docs/flatcar-linux/bare-metal.md @@ -269,10 +269,10 @@ To watch the bootstrap process in detail, SSH to the first controller and journa ``` $ ssh core@node1.example.com $ journalctl -f -u bootstrap -rkt[1750]: The connection to the server cluster.example.com:6443 was refused - did you specify the right host or port? -rkt[1750]: Waiting for static pod control plane +The connection to the server cluster.example.com:6443 was refused - did you specify the right host or port? +Waiting for static pod control plane ... -rkt[1750]: serviceaccount/calico-node unchanged +serviceaccount/calico-node unchanged systemd[1]: Started Kubernetes control plane. ``` diff --git a/docs/topics/security.md b/docs/topics/security.md index 0a9f0155..bd1eb0fd 100644 --- a/docs/topics/security.md +++ b/docs/topics/security.md 
@@ -81,6 +81,31 @@ Typhoon publishes Terraform providers to the Terraform Registry, GPG signed by 0 | ct | [github](https://github.com/poseidon/terraform-provider-ct) | [poseidon/ct](https://registry.terraform.io/providers/poseidon/ct/latest) | | matchbox | [github](https://github.com/poseidon/terraform-provider-matchbox) | [poseidon/matchbox](https://registry.terraform.io/providers/poseidon/matchbox/latest) | +## kube-system + +| Name | user | hostNet | privileged | +|----------------|--------|---------|------------| +| kube-apiserver | nobody | true | false | +| kube-controller-manager | nobody | true | false | +| kube-scheduler | nobody | true | false | +| coredns | NA | false | false | +| kube-proxy | root | true | true | +| cilium | root | true | true | +| calico | root | true | true | +| flannel | root | true | true | + + +| Name | priorityClassName | +|-------------------------|-------------------| +| kube-apiserver | system-cluster-critical | +| kube-controller-manager | system-cluster-critical | +| kube-scheduler | system-cluster-critical | +| coredns | system-cluster-critical | +| kube-proxy | system-node-critical | +| cilium | system-node-critical | +| calico | system-node-critical | +| flannel | system-node-critical | + ## Disclosures If you find security issues, please email `security@psdn.io`. If the issue lies in upstream Kubernetes, please inform upstream Kubernetes as well.
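Review bot: in the docs/flatcar-linux/bare-metal.md hunk, dropping the `rkt[1750]:` prefix leaves the sample `journalctl -f -u bootstrap` output inconsistent: three lines are now bare while the final line still reads `systemd[1]: Started Kubernetes control plane.`, and journalctl prefixes every line with a process or unit name. Either show the prefix the bootstrap unit's process actually emits now that rkt is gone, or strip `systemd[1]:` as well and mark the block as abbreviated output; as written a reader comparing against a real journal will wonder why the prefixes differ.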
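Review bot: the new `## kube-system` section in docs/topics/security.md has no lead-in sentence, so a reader cannot tell what the two tables describe or where the `user`, `hostNet` and `privileged` values come from; the commit subject says "static Pods", but the rows also list coredns, kube-proxy, cilium, calico and flannel, which nothing in this patch identifies as static pods, so the scope should be stated (for example, "Security-relevant settings of the `kube-system` workloads Typhoon deploys"). Two smaller points: the `user` value `NA` for coredns is ambiguous between "not applicable" and "not recorded", and the `hostNet` header should match the Pod field name `hostNetwork` so readers can grep for it. Since both tables key on the same `Name` column, merging them into one table with a `priorityClassName` column would read better and remove the double blank line between them.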