Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create /var/lib/etcd with 0700 #71885

Merged
merged 1 commit into from
Dec 10, 2018
Merged

Create /var/lib/etcd with 0700 #71885

merged 1 commit into from
Dec 10, 2018

Conversation

dims
Copy link
Member

@dims dims commented Dec 9, 2018
edited
Loading

If we let the hostpath with DirectoryOrCreate to create this directory
it defaults to 0755. A default install should use 0700 for better
security especially if the directory is not present.

Change-Id: Idc0266685895767b0d1c5710c8a4fb704805652f

What type of PR is this?
/kind bug

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes kubernetes/kubeadm#1308

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

 kubeadm: Create /var/lib/etcd with correct permissions (0700) by default.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/kubeadm sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Dec 9, 2018
@dims
Copy link
Member Author

dims commented Dec 9, 2018

/sig cluster-lifecycle

yagonobre
yagonobre approved these changes Dec 9, 2018
View reviewed changes
Copy link
Member

@yagonobre yagonobre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @dims
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 9, 2018
@dims
Create /var/lib/etcd with 0700
836f413 
If we let the hostpath with DirectoryOrCreate to create this directory
it defaults to 0755. A default install should use 0700 for better
security especially if the directory is not present.

Change-Id: Idc0266685895767b0d1c5710c8a4fb704805652f
@dims dims force-pushed the create-etcd-with-0700-permissions branch from 5fb89b0 to 836f413 Compare December 9, 2018 00:43
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 9, 2018
rosti
rosti approved these changes Dec 10, 2018
View reviewed changes
Copy link
Contributor

@rosti rosti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! Thank you @dims !

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 10, 2018
neolit123
neolit123 approved these changes Dec 10, 2018
View reviewed changes
Copy link
Member

@neolit123 neolit123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks @dims
could you please prefix the release note with kubeadm: ...

/hold
/approve
/priority important-longerm

i guess this only fixes the case where the path was not created already by something else as @yagonobre outlined: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 10, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, neolit123

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 10, 2018
@dims
Copy link
Member Author

dims commented Dec 10, 2018

@neolit123 done!

@neolit123
Copy link
Member

thanks
/priority important-longterm
/hold cancel

@k8s-ci-robot k8s-ci-robot added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Dec 10, 2018
@rosti
Copy link
Contributor

rosti commented Dec 10, 2018

/test pull-kubernetes-e2e-kops-aws

@k8s-ci-robot k8s-ci-robot merged commit 0b13221 into kubernetes:master Dec 10, 2018
luxas
luxas reviewed Dec 11, 2018
View reviewed changes
Copy link
Member

@luxas luxas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
Thanks a lot @dims :)

@luxas
Copy link
Member

luxas commented Dec 11, 2018

@timothysc shall we cherrypick this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@luxas luxas luxas left review comments

@neolit123 neolit123 neolit123 approved these changes

@rosti rosti rosti approved these changes

@yagonobre yagonobre yagonobre approved these changes

@chuckha chuckha Awaiting requested review from chuckha

Assignees

@rosti rosti

@yagonobre yagonobre

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubeadm cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CIS Benchmark Compliance - /var/lib/etcd permissions
6 participants
@dims @k8s-ci-robot @neolit123 @rosti @luxas @yagonobre