kubeadm: adjust the logic around etcd data directory creation #94102
Conversation
|
/kind regression bug |
|
/approve cancel there is some discussion here whether this should be in 1.19 if a fix in etcd is made: EDIT: if etcd ends up supporting other permissions than 0700, we should not enforce 0700 as it stomps existing custom permissions such as 0770. |
|
+1 to wait for an etcd fix (same as Kubernetes) |
|
@fabriziopandini @neolit123 the chmod call is not recursive, plus stomping on the permissions there and setting up secure sane permissions is a good thing to do. Imagine someone with 0777 there. Practically everyone can edit or delete the data store. |
8d65882 to
9231f47
Compare
|
@neolit123 if I got this right etcd is going to be fixed (it will throw a warning in case of permission different than 0700, but not block). |
|
this is what i saw too. we need to make sure that in 1.20 kubeadm defaults to an etcd version that does not break. /milestone v1.20 |
actually, with the new milestone rules critical fixes should merge last. /milestone clear |
|
If etcd folks decide to change the error to a warning, I'd suggest that we do a pre-flight check to verify the permissions if the etcd data dir exists and dump a warning on our side. In that case we should remove the chmod, but I would advocate to keep the mkdirs with 0700 so that kubeadm creates this directory with sane default permissions if it doesn't exist. |
- Ensure the directory is created with 0700 via a new function called CreateDataDirectory(). - Call this function in the init phases instead of the manual call to MkdirAll. - Call this function when joining control-plane nodes with local etcd. If the directory creation is left to the kubelet via the static Pod hostPath mounts, it will end up with 0755 which is not desired.
9231f47 to
ebf1636
Compare
|
updated the PR to only create the directory if it does not exist on init/join-control-plane, but not chmod it. /remove-priority important-soon |
|
/retest |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: neolit123 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What this PR does / why we need it:
called CreateDataDirectory().
to MkdirAll.
If the directory creation is left to the kubelet via the
static Pod hostPath mounts, it will end up with 0755
which is not desired.
Which issue(s) this PR fixes:
xref kubernetes/kubeadm#2256
Special notes for your reviewer:
should be backported in case older versions of kubeadm decide to use newer etcd, which is a supported scenario by kubeadm.
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: