mirror of
https://github.com/k3s-io/k3s-ansible.git
synced 2025-12-26 00:22:36 +01:00
2d98982809
* Security exposure related to the token The installation playbook saves the token into the systemd unit configuration file /etc/systemd/system/k3s.service. The problem is that according to K3s' documentation "the server token should be guarded carefully" (https://docs.k3s.io/cli/token), yet the configuration file is readable by anybody. A better solution is to save the token into its corresponding environment file /etc/systemd/system/k3s.service.env which is readable by the super user only. This is what the standard K3s' installation script (https://get.k3s.io) does. Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com> * Restore the server URL into systemd configuration file There aren't any security implications in keeping it there. Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com> --------- Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
29 lines
850 B
Django/Jinja
29 lines
850 B
Django/Jinja
[Unit]
|
|
Description=Lightweight Kubernetes
|
|
Documentation=https://k3s.io
|
|
Wants=network-online.target
|
|
After=network-online.target
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
|
|
[Service]
|
|
Type=notify
|
|
EnvironmentFile=-/etc/default/%N
|
|
EnvironmentFile=-/etc/sysconfig/%N
|
|
EnvironmentFile=-/etc/systemd/system/k3s.service.env
|
|
KillMode=process
|
|
Delegate=yes
|
|
# Having non-zero Limit*s causes performance problems due to accounting overhead
|
|
# in the kernel. We recommend using cgroups to do container-local accounting.
|
|
LimitNOFILE=1048576
|
|
LimitNPROC=infinity
|
|
LimitCORE=infinity
|
|
TasksMax=infinity
|
|
TimeoutStartSec=0
|
|
Restart=always
|
|
RestartSec=5s
|
|
ExecStartPre=-/sbin/modprobe br_netfilter
|
|
ExecStartPre=-/sbin/modprobe overlay
|
|
ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_server_args }}
|