Restrict etcd data directory permissions

Leverage the divingbell perm module to set the etcd data directories
to 700.  Prior to this change, they are 755 in Promenade-based
deployments.  However, this change is more of a best-practice
technicality than a true value-add, since all the directories
*inside* these data directories already have 700 permissions.

Change-Id: I92290c46441d008f05b40f0c219c1709627d2803
Matt McEuen 2018-12-03 23:23:59 -06:00
parent 6d6a598945
commit 50aa5eb736
1 changed file with 23 additions and 0 deletions


@ -78,6 +78,29 @@ data:
# were restarted. "Failed to add /run/systemd/ask-password to directory
# watch: No space left on device". https://bit.ly/2Mj5qn2 TDP bug 427616
fs.inotify.max_user_watches: '1048576'
overrides:
divingbell_perm:
labels:
- label:
key: kubernetes-etcd
values:
- enabled
conf:
perm:
- path: '/var/lib/etcd/*'
owner: 'root'
group: 'root'
permissions: '0700'
- label:
key: calico-etcd
values:
- enabled
conf:
perm:
- path: '/var/lib/etcd/*'
owner: 'root'
group: 'root'
permissions: '0700'
dependencies:
- ucp-divingbell-htk
---
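Review bot: the two label blocks (`kubernetes-etcd` and `calico-etcd`) carry an identical `perm` entry with the same glob `path: '/var/lib/etcd/*'`, so the rule is not actually scoped per etcd cluster: a node with either label will set 0700 on every entry under `/var/lib/etcd`, and a node with both labels applies the same rule twice. If the intent is per-cluster scoping, point each block at that cluster's own data directory rather than the shared glob; if the intent really is "everything under /var/lib/etcd", a single block would express that more clearly. Separately, the surrounding file records the reason for each setting in an inline comment (see the `fs.inotify.max_user_watches` entry above), so a one-line comment stating why 0700 is wanted on these directories (and noting that the directories inside them already have 0700, as the commit message says) would follow that convention and help the next reader.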