Restrict etcd data directory permissions
Leverage the divingbell perm module to set the etcd data directories to 700. Prior to this change, they are 755 in Promenade-based deployments. However, this change is more of a best-practice technicality than a true value-add, since all the directories *inside* these data directories already have 700 permissions.

Change-Id: I92290c46441d008f05b40f0c219c1709627d2803
parent 6d6a598945
commit 50aa5eb736
|
@ -78,6 +78,29 @@ data:
|
||||||
# were restarted. "Failed to add /run/systemd/ask-password to directory
|
# were restarted. "Failed to add /run/systemd/ask-password to directory
|
||||||
# watch: No space left on device". https://bit.ly/2Mj5qn2 TDP bug 427616
|
# watch: No space left on device". https://bit.ly/2Mj5qn2 TDP bug 427616
|
||||||
fs.inotify.max_user_watches: '1048576'
|
fs.inotify.max_user_watches: '1048576'
|
||||||
|
overrides:
|
||||||
|
divingbell_perm:
|
||||||
|
labels:
|
||||||
|
- label:
|
||||||
|
key: kubernetes-etcd
|
||||||
|
values:
|
||||||
|
- enabled
|
||||||
|
conf:
|
||||||
|
perm:
|
||||||
|
- path: '/var/lib/etcd/*'
|
||||||
|
owner: 'root'
|
||||||
|
group: 'root'
|
||||||
|
permissions: '0700'
|
||||||
|
- label:
|
||||||
|
key: calico-etcd
|
||||||
|
values:
|
||||||
|
- enabled
|
||||||
|
conf:
|
||||||
|
perm:
|
||||||
|
- path: '/var/lib/etcd/*'
|
||||||
|
owner: 'root'
|
||||||
|
group: 'root'
|
||||||
|
permissions: '0700'
|
||||||
dependencies:
|
dependencies:
|
||||||
- ucp-divingbell-htk
|
- ucp-divingbell-htk
|
||||||
---
|
---
|
||||||
|
|
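Review bot: The `path: '/var/lib/etcd/*'` entries under both the kubernetes-etcd and calico-etcd labels are globs, so they cover every entry under /var/lib/etcd but not /var/lib/etcd itself, and nothing in the override restricts the match to directories. Please confirm that the parent directory is already restricted elsewhere and that applying `permissions: '0700'` to any regular files matching the glob is acceptable, or name the data directories explicitly. The two label blocks are identical; if each etcd instance uses its own subdirectory, a per-label path would make clear which directory each override is meant to tighten. A short comment above `divingbell_perm:` stating the intent (755 to 700 on the etcd data directories), in the style of the comment on the sysctl entry above, would help later readers of this manifest.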