  1. Apr 29, 2017
  2. Apr 03, 2017
    • Add /var/lib/cni to kubelet · b4d06ff8
      Matthew Mosesohn authored
      Necessary to persist this directory for host-local IPAM used by Canal
      Add pre-upgrade task to copy /var/lib/cni out of old kubelet.
      b4d06ff8
  3. Feb 28, 2017
  4. Feb 14, 2017
  5. Feb 13, 2017
  6. Feb 06, 2017
  7. Jan 20, 2017
    • Drop linux capabilities and rework users/groups · cb2e5ac7
      Bogdan Dobrelya authored
      
      
      * Drop linux capabilities for unprivileged containerized
        workloads Kargo configures for deployments.
      * Configure required securityContext/user/group/groups for kube
        components' static manifests, etcd, calico-rr and k8s apps,
        like dnsmasq daemonset.
      * Rework cloud-init (etcd) users creation for CoreOS.
      * Fix nologin paths, adjust defaults for addusers role and ensure
        supplementary groups membership added for users.
      * Add netplug user for network plugins (yet unused by privileged
        networking containers though).
      * Grant the kube and netplug users read access for etcd certs via
        the etcd certs group.
      * Grant group read access to kube certs via the kube cert group.
      * Remove privileged mode for calico-rr and run it under its uid/gid
        and supplementary etcd_cert group.
      * Adjust docs.
      * Align cpu/memory limits and dropped caps with added rkt support
        for control plane.
      
      Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
      cb2e5ac7
  8. Jan 10, 2017
  9. Jan 04, 2017