Change admin.conf file ownership to root:root

In this commit, added the code to change the /etc/kubernetes/admin.conf
file ownership to root:root in a fresh install.

Also, added the code to run the command
"setfacl -m g:sys_protected:r /etc/kubernetes/admin.conf" such that
all the WRCP users/applications that are in the sys_protected group
continue to have read access to this file.

TEST CASES:

PASSED: Checked ownership using below command
        "ls -al /etc/kubernetes/admin.conf".
PASSED: Checked the file permission using below command which
        will show 640.
        "stat -c %a /etc/kubernetes/admin.conf"
PASSED: Checked the ACL entries using below command
        "getfacl /etc/kubernetes/admin.conf".
PASSED: No error when running "system host-swact" in AIO-DX.
PASSED: No alarms when running "fm alarm-list".
PASSED: Verified that sysinv can read admin.conf file using below
        commands:

        "sudo -u sysinv cat "/etc/kubernetes/admin.conf" &>/dev/null"
        "sudo -u sysadmin cat "/etc/kubernetes/admin.conf" &>/dev/null"

        Added "testuser" to the users group and ran the below command,
        which gives the output "can not read /etc/kubernetes/admin.conf":

        sudo -u "testuser" cat "/etc/kubernetes/admin.conf" &>/dev/null

        Also verified using a system command that reads admin.conf:
        "system service-parameter-modify kubernetes kube_apiserver
        audit-log-maxage=30"

Story: 2011334
Task: 51610

Change-Id: I6097f9f4863d83f69b5e804fec6cf4a02607c799
Signed-off-by: Md Irshad Sheikh <mdirshad.sheikh@windriver.com>
This commit is contained in:
Md Irshad Sheikh 2025-01-23 01:20:35 -05:00
parent afbc586f86
commit 2ec6ee7039
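The commit message verifies the new state by hand with `ls -al`, `stat -c %a` and `getfacl`. The following is an added example, not code from this commit or from the StarlingX/WRCP project: a small parser for the text that `getfacl` prints, plus an audit that checks the exact properties the commit sets (owner and group root, mode 640, the `sys_protected` group limited to read through the ACL, no write bit for anyone but root, nothing for "other"). The sample `getfacl` dumps are constructed; the path, group name and mode come from the commit, everything else is illustrative.

```python
"""Audit a getfacl(1) dump against the ownership/ACL state the commit expects.

Added example, not part of the commit. Handles the access ACL of a regular
file; default ACLs (directories) are not supported and raise ValueError.
"""
import re
from dataclasses import dataclass, field

# One ACL line: "group:sys_protected:rw-" optionally followed by
# a "#effective:r--" annotation that getfacl adds when the mask narrows it.
PERM_RE = re.compile(
    r"^(user|group|mask|other):([^:]*):([rwx-]{3})(?:\s+#effective:([rwx-]{3}))?$"
)


@dataclass
class Acl:
    path: str = ""
    owner: str = ""
    group: str = ""
    entries: list = field(default_factory=list)  # (tag, qualifier, "rwx" text)


def parse_getfacl(text: str) -> Acl:
    """Parse the output of `getfacl <file>` into an Acl record."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):  # header comments: file/owner/group/flags
            key, _, value = line[1:].strip().partition(":")
            value = value.strip()
            if key == "file":
                acl.path = value
            elif key == "owner":
                acl.owner = value
            elif key == "group":
                acl.group = value
            continue
        m = PERM_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        tag, qualifier, perms, _effective = m.groups()
        acl.entries.append((tag, qualifier, perms))
    return acl


def perm_bits(perms: str) -> int:
    """'rw-' -> 6, 'r--' -> 4, etc."""
    return (4 if perms[0] == "r" else 0) | (2 if perms[1] == "w" else 0) | (1 if perms[2] == "x" else 0)


def effective(acl: Acl) -> dict:
    """Permissions actually granted, after applying the mask the way the kernel does.

    The mask limits named users, the owning group and named groups; it does not
    apply to the file owner or to 'other'.
    """
    mask = None
    for tag, _q, p in acl.entries:
        if tag == "mask":
            mask = perm_bits(p)
    out = {}
    for tag, q, p in acl.entries:
        bits = perm_bits(p)
        if mask is not None and tag in ("user", "group") and (q or tag == "group"):
            bits &= mask
        out[(tag, q)] = bits
    return out


def mode_octal(acl: Acl) -> str:
    """The 3-digit mode `stat -c %a` reports; with an extended ACL the group digit is the mask."""
    bits = {tag: perm_bits(p) for tag, q, p in acl.entries if not q}
    group_field = bits["mask"] if "mask" in bits else bits["group"]
    return f"{bits['user']}{group_field}{bits['other']}"


def audit_admin_conf(acl: Acl, reader_group: str = "sys_protected") -> list:
    """Return a list of findings; empty means the file matches the commit's intended state."""
    findings = []
    if acl.owner != "root":
        findings.append(f"owner is {acl.owner!r}, expected root")
    if acl.group != "root":
        findings.append(f"group is {acl.group!r}, expected root")
    eff = effective(acl)
    if eff.get(("other", ""), 0) != 0:
        findings.append("'other' has access: file is world-accessible")
    raw_reader = {q: p for tag, q, p in acl.entries if tag == "group" and q}.get(reader_group)
    if raw_reader is None:
        findings.append(f"no ACL entry for group {reader_group}")
    elif raw_reader != "r--":
        # flagged even if the mask currently hides it: a later chmod g+w would expose it
        findings.append(f"ACL entry for group {reader_group} is {raw_reader}, expected r--")
    for (tag, q), bits in eff.items():
        if bits & 2 and (tag, q) != ("user", ""):
            findings.append(f"{tag}:{q or '(owning)'} has write access")
    if (mode := mode_octal(acl)) != "640":
        findings.append(f"mode is {mode}, expected 640")
    return findings


# Constructed sample: the state the commit produces.
GOOD = """# file: etc/kubernetes/admin.conf
# owner: root
# group: root
user::rw-
group::r--
group:sys_protected:r--
mask::r--
other::---
"""

# Constructed sample: group-owned by sys_protected with write, and world-readable.
BAD = """# file: etc/kubernetes/admin.conf
# owner: root
# group: sys_protected
user::rw-
group::rw-
other::r--
"""

if __name__ == "__main__":
    for label, dump in (("good", GOOD), ("bad", BAD)):
        print(label, audit_admin_conf(parse_getfacl(dump)) or "OK")
```

Run it against a live file with `getfacl /etc/kubernetes/admin.conf | python3 -c 'import sys, acl_audit; print(acl_audit.audit_admin_conf(acl_audit.parse_getfacl(sys.stdin.read())))'` (module name assumed). The audit reads the raw entry for the reader group as well as its masked value on purpose: a `rw-` entry that is only held back by the mask becomes effective the moment something runs `chmod g+w`, which is exactly the kind of drift Puppet's `mode => '0640'` is there to prevent.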


@ -461,9 +461,13 @@ class platform::kubernetes::master::init
-> file { '/etc/kubernetes/admin.conf':
ensure => file,
owner => 'root',
group => $::platform::params::protected_group_name,
group => 'root',
mode => '0640',
}
-> exec { 'set_acl_on_admin_conf':
command => 'setfacl -m g:sys_protected:r /etc/kubernetes/admin.conf',
logoutput => true,
}
# Fresh installation with Kubernetes 1.29 generates the super-admin.conf
# only in controller-0 and not in controller-1. The following command
# generates the super-admin.conf in controller-1.
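Review bot: the `exec { 'set_acl_on_admin_conf': }` in this hunk has no `unless`/`onlyif` guard, so it re-runs and reports a change on every Puppet apply even when the ACL is already present; guard it, for example with `unless => 'getfacl -p /etc/kubernetes/admin.conf | grep -q "^group:sys_protected:r--$"'`. The removed `group` line used `$::platform::params::protected_group_name`, but the new setfacl command hardcodes `sys_protected`; interpolating the same variable into the command keeps the reader group in one place. The `file -> exec` ordering is the right one, since Puppet's `mode => '0640'` management applies a chmod that rewrites the ACL mask, so the setfacl must come after it.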
@ -558,9 +562,13 @@ class platform::kubernetes::master::init
# to kube config during the host reboots after the initial install.
file { '/etc/kubernetes/admin.conf':
owner => 'root',
group => 'sys_protected',
group => 'root',
mode => '0640',
}
-> exec { 'set_acl_on_admin_conf':
command => 'setfacl -m g:sys_protected:r /etc/kubernetes/admin.conf',
logoutput => true,
}
# Regenerate CPUShares since we may reconfigure number of platform cpus
file { '/etc/systemd/system/kubelet.service.d/kubelet-cpu-shares.conf':
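Review bot: this hunk declares a second `exec { 'set_acl_on_admin_conf': }` with the same title as the one in the first hunk; Puppet only allows that when the two code paths are never compiled into the same catalog, which must already hold for the two `file { '/etc/kubernetes/admin.conf': }` declarations, so it is worth a comment at this site saying why the duplicate title is safe, or better, factoring the file-plus-setfacl pair into one defined type used from both places. The same missing `unless` guard applies here, and this `file` resource lacks the `ensure => file` the first hunk has, so on a missing file it would only fail rather than report the absence clearly.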