Restrict etcd data directory permissions
Leverage the divingbell perm module to set the etcd data directories to 700. Prior to this change, they are 755 in Promenade-based deployments. However, this change is more of a best-practice technicality than a true value-add, since all the directories *inside* these data directories already have 700 permissions.

Change-Id: I92290c46441d008f05b40f0c219c1709627d2803
parent 6d6a598945
commit 50aa5eb736
@ -78,6 +78,29 @@ data:
# were restarted. "Failed to add /run/systemd/ask-password to directory
# watch: No space left on device". https://bit.ly/2Mj5qn2 TDP bug 427616
fs.inotify.max_user_watches: '1048576'
overrides:
divingbell_perm:
labels:
- label:
key: kubernetes-etcd
values:
- enabled
conf:
perm:
- path: '/var/lib/etcd/*'
owner: 'root'
group: 'root'
permissions: '0700'
- label:
key: calico-etcd
values:
- enabled
conf:
perm:
- path: '/var/lib/etcd/*'
owner: 'root'
group: 'root'
permissions: '0700'
dependencies:
- ucp-divingbell-htk
---
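Review bot: the two perm entries at `path: '/var/lib/etcd/*'` set 0700 on the children of /var/lib/etcd but never on /var/lib/etcd itself, so the data directory named in the commit title keeps the mode the deployment gave it; if the parent is meant to be 0700 as well, add an entry for `/var/lib/etcd` without the glob, and if it is intentionally left alone, say so in a comment next to the entry. Because the glob also matches regular files placed directly under /var/lib/etcd, `permissions: '0700'` would set the execute bit on any such file, so a directory-only intent is worth stating. The kubernetes-etcd and calico-etcd blocks are identical line for line; a YAML anchor on the first `perm:` list reused by the second would keep them from drifting apart later. Finally, `owner: 'root'` together with `0700` means only root can traverse these paths, which holds only while both etcd processes run as root on the host; a sentence on that assumption in the commit message would help the next reader. After the override is applied, `find /var/lib/etcd -maxdepth 1 ! -perm 0700` on a labelled node is a quick check that nothing was missed.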