Revert "Drop linux capabilities and rework users/groups"

2026-03-09 11:47:47 +03:00 · 2017-02-06 15:58:54 +03:00
parent b7bf502e02
commit fd30131dc2
48 changed files with 81 additions and 413 deletions
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -51,18 +51,3 @@ netchecker_kubectl_memory_requests: 64M
 etcd_cert_dir: "/etc/ssl/etcd/ssl"
 calico_cert_dir: "/etc/calico/certs"
 canal_cert_dir: "/etc/canal/certs"
-
-# Linux capabilities to be dropped for k8s apps ran by container engines
-apps_drop_cap:
-  - chown
-  - dac_override
-  - fowner
-  - fsetid
-  - kill
-  - setgid
-  - setuid
-  - setpcap
-  - sys_chroot
-  - mknod
-  - audit_write
-  - setfcap
--- a/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2
@@ -25,12 +25,6 @@ spec:
        - name: calico-policy-controller
          image: {{ calico_policy_image_repo }}:{{ calico_policy_image_tag }}
          imagePullPolicy: {{ k8s_image_pull_policy }}
-          securityContext:
-            capabilities:
-              drop:
-{% for c in apps_drop_cap %}
-                - {{ c.upper() }}
-{% endfor %}
          resources:
            limits:
              cpu: {{ calico_policy_controller_cpu_limit }}
--- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-ds.yml
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-agent-ds.yml
@@ -23,12 +23,6 @@ spec:
            - name: REPORT_INTERVAL
              value: '{{ agent_report_interval }}'
          imagePullPolicy: {{ k8s_image_pull_policy }}
-          securityContext:
-            capabilities:
-              drop:
-{% for c in apps_drop_cap %}
-                - {{ c.upper() }}
-{% endfor %}
          resources:
            limits:
              cpu: {{ netchecker_agent_cpu_limit }}
--- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml
@@ -24,12 +24,6 @@ spec:
            - name: REPORT_INTERVAL
              value: '{{ agent_report_interval }}'
          imagePullPolicy: {{ k8s_image_pull_policy }}
-          securityContext:
-            capabilities:
-              drop:
-{% for c in apps_drop_cap %}
-                - {{ c.upper() }}
-{% endfor %}
          resources:
            limits:
              cpu: {{ netchecker_agent_cpu_limit }}
--- a/roles/kubernetes-apps/ansible/templates/netchecker-server-pod.yml
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-pod.yml
@@ -33,9 +33,3 @@ spec:
          memory: {{ netchecker_kubectl_memory_requests }}
      args:
        - proxy
-      securityContext:
-        capabilities:
-          drop:
-{% for c in apps_drop_cap %}
-            - {{ c.upper() }}
-{% endfor %}