Skip to content

Commit 5059ce8

Browse files
vinayakankugoyalvinayakankugoyal
committed
Update the KEP to call out why we don't plan to create groups for shared access to certificate files.
1 parent a4cf338 commit 5059ce8

File tree

1 file changed

+12
-13
lines changed
  • keps/sig-cluster-lifecycle/kubeadm/2568-kubeadm-non-root-control-plane

1 file changed

+12
-13
lines changed

keps/sig-cluster-lifecycle/kubeadm/2568-kubeadm-non-root-control-plane/README.md

Lines changed: 12 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -573,39 +573,38 @@ spec:
573573

574574
Each of the components will run with a unique `UID` and `GID`. For each of the components we will create a unique user. For the shared files/resources we will create groups. The naming convention of these groups is tabulated below. It should be noted that `kubeadm` will take exclusive ownership of these users/groups and will throw erros if users/groups with these names exist and are not in the expected ID range of `SYS_UID_MIN`-`SYS_UID_MAX` for users and `SYS_GID_MIN`-`SYS_GID_MAX` for groups.
575575

576+
Many of the components need shared access to certificate files, these are not protected by creating a group with read permissions because certificates are not secrets, protecting them and creating groups for them does not improve our security posture in anyway and only makes the change more complicated because we are adding unnecessary groups. Hence we only propose that we create a group with read access for the `/etc/kubernetes/pki/sa.key` file, which is the only secret that is shared between `kube-apiserver` and `kube-controller-manager`. `kubeadm` creates all certificate files with `0644` so we do not need to modify their owners as they are already world readable.
577+
576578
| User/Group name | Explanation |
577579
|--------------|-------------|
578580
| kubeadm-etcd | The UID/GID that we will assign to `etcd` |
579581
| kubeadm-kas | The UID/GID that we will assign to `kube-apiserver` |
580582
| kubeadm-kcm | The UID/GID that we will assign to `kube-controller-manager` |
581583
| kubeadm-ks | The UID/GID that we will assign to `kube-scheduler` |
582-
| kubeadm-etcd-ca-crt-readers | The GID we will assign to a group that allows you to read /etc/kubernetes/pki/etcd/ca.crt |
583-
| kubeadm-ca-crt-readers | The GID we will assign to a group that allows you to read /etc/kubernetes/pki/etcd/ca.crt |
584584
| kubeadm-sa-key-readers | The GID we will assign to a group that allows you to read /etc/kubernetes/pki/sa.key |
585-
| kubeadm-front-proxy-ca-crt-readers | The GID we will assign to a group that allows you to read /etc/kubernetes/pki/front-proxy-ca.crt |
586585

587586
Here is a table of all the things that `kube-apiserver`, `kube-controller-manager`, `kube-scheduler` and `etcd` mount and the permissions that we will set for them.
588587

589588
**Files that we care about for this kep:-**
590589
| file/directory | Component(s) | File permission |
591590
| -------------------------------------------------|------------|-----------------|
592-
| /etc/kubernetes/pki/etcd/server.crt | etcd | 600 kubeadm-etcd kubeadm-etcd |
591+
| /etc/kubernetes/pki/etcd/server.crt | etcd | 644 kubeadm-etcd kubeadm-etcd |
593592
| /etc/kubernetes/pki/etcd/server.key | etcd | 600 kubeadm-etcd kubeadm-etcd |
594-
| /etc/kubernetes/pki/etcd/peer.crt | etcd | 600 kubeadm-etcd kubeadm-etcd |
593+
| /etc/kubernetes/pki/etcd/peer.crt | etcd | 644 kubeadm-etcd kubeadm-etcd |
595594
| /etc/kubernetes/pki/etcd/peer.key | etcd | 600 kubeadm-etcd kubeadm-etcd |
596-
| /etc/kubernetes/pki/etcd/ca.crt | etcd, kas | 640 root kubeadm-etcd-ca-crt-readers |
595+
| /etc/kubernetes/pki/etcd/ca.crt | etcd, kas | 644 root root |
597596
| /var/lib/etcd/ | etcd | 600 kubeadm-etcd kubeadm-etcd |
598-
| /etc/kubernetes/pki/ca.crt | kas, kcm | 640 root kubeadm-ca-crt-readers |
599-
| /etc/kubernetes/pki/apiserver-etcd-client.crt | kas | 600 kubeadm-kas kubeadm-kas |
597+
| /etc/kubernetes/pki/ca.crt | kas, kcm | 644 root root |
598+
| /etc/kubernetes/pki/apiserver-etcd-client.crt | kas | 644 root root |
600599
| /etc/kubernetes/pki/apiserver-etcd-client.key | kas | 600 kakubeadm-kas kubeadm-kas |
601-
| /etc/kubernetes/pki/apiserver-kubelet-client.crt | kas | 600 kubeadm-kas kubeadm-kas |
600+
| /etc/kubernetes/pki/apiserver-kubelet-client.crt | kas | 644 root root |
602601
| /etc/kubernetes/pki/apiserver-kubelet-client.key | kas | 600 kubeadm-kas kubeadm-kas |
603-
| /etc/kubernetes/pki/front-proxy-client.crt | kas | 600 kubeadm-kas kubeadm-kas |
604-
| /etc/kubernetes/pki/front-proxy-client.key | kas | 600 kubeadm-kas kubeadm-kas |
605-
| /etc/kubernetes/pki/front-proxy-ca.crt | kas, kcm | 640 root kubeadm-front-proxy-ca-crt-readers |
602+
| /etc/kubernetes/pki/front-proxy-client.crt | kas | 644 root root |
603+
| /etc/kubernetes/pki/front-proxy-client.key | No-one | 600 root root |
604+
| /etc/kubernetes/pki/front-proxy-ca.crt | kas, kcm | 644 root root |
606605
| /etc/kubernetes/pki/sa.pub | kas | 600 kkubeadm-kass kubeadm-kas |
607606
| /etc/kubernetes/pki/sa.key | kas, kcm | 640 kubeadm-sa-key-readers |
608-
| /etc/kubernetes/pki/apiserver.crt | kas | 600 kubeadm-kas kubeadm-kas |
607+
| /etc/kubernetes/pki/apiserver.crt | kas | 644 root root |
609608
| /etc/kubernetes/pki/apiserver.key | kas | 600 kubeadm-kas kubeadm-kas |
610609
| /etc/kubernetes/pki/ca.key | kcm | 600 kubeadm-kcm kubeadm-kcm |
611610
| /etc/kubernetes/controller-manager.conf | kcm | 600 kubeadm-kcm kubeadm-kcm |

0 commit comments

Comments
 (0)