* Security exposure related to the token The installation playbook saves the token into the systemd unit configuration file /etc/systemd/system/k3s.service. The problem is that according to K3s' documentation "the server token should be guarded carefully" (https://docs.k3s.io/cli/token), yet the configuration file is readable by anybody. A better solution is to save the token into its corresponding environment file /etc/systemd/system/k3s.service.env which is readable by the super user only. This is what the standard K3s' installation script (https://get.k3s.io) does. Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com> * Restore the server URL into systemd configuration file There aren't any security implications in keeping it there. Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com> --------- Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
# k3s-agent.service.j2 — systemd unit for a K3s agent (worker) node, rendered by
# the k3s-ansible playbook. It mirrors the unit written by the upstream installer
# (https://get.k3s.io); keep directive values aligned with upstream when editing.
#
# Secrets: the join token is deliberately NOT on the ExecStart line. K3s reads it
# as an environment variable from the EnvironmentFile entries in [Service]; the
# playbook is expected to place it in /etc/systemd/system/k3s-agent.service.env
# (see the commit that moved the token out of the unit file). Unit files under
# /etc/systemd/system are typically mode 0644 and readable by every local user,
# while the .env file must be root-owned and mode 0600. This unit cannot enforce
# those permissions — the playbook task that writes the .env file has to.

[Unit]
Description=Lightweight Kubernetes
Documentation=https://k3s.io
# Wait for the network to be usable (not merely configured) before starting.
Wants=network-online.target
After=network-online.target

[Service]
Type=notify

# Environment sources, read in this order; when the same variable is set in more
# than one file the later file wins. The leading "-" makes a missing file
# non-fatal, so an agent whose .env file was never written starts without
# K3S_TOKEN and, with Restart=always below, loops on a failing join — when a
# node will not register, check that this file exists and holds the token.
EnvironmentFile=-/etc/default/%N
EnvironmentFile=-/etc/sysconfig/%N
EnvironmentFile=-/etc/systemd/system/k3s-agent.service.env

# Stopping the unit signals only the main k3s process; workloads it spawned are
# left running. Delegate=yes hands the unit's cgroup subtree to k3s to manage.
KillMode=process
Delegate=yes

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=1048576
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity

# TimeoutStartSec=0 disables the start-up deadline; on any exit, restart after a
# short back-off.
TimeoutStartSec=0
Restart=always
RestartSec=5s

# Refuse to start while nm-cloud-setup.service is enabled. The "!" inverts the
# exit status of "systemctl is-enabled", so an *enabled* service makes this
# pre-step fail and the unit does not start (upstream K3s treats that service as
# incompatible with its networking — see the k3s docs for the reasoning).
ExecStartPre=/bin/sh -xc '! /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service'
# Best-effort module loads: the "-" prefix means a failure here is ignored.
ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay

# extra_agent_args is interpolated verbatim into the command line, and therefore
# into this world-readable file and into `ps` output on the node. Never pass
# --token (or any other secret) through it; use K3S_TOKEN in the .env file.
ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_agent_args }}

[Install]
WantedBy=multi-user.target