millions-book-52954
07/25/2022, 11:07 AM
1.1.12 - Ensure that the etcd data directory ownership is set to etcd:etcd
1. Check that the etcd user and group exist on the host. If they don't, exit with an error.
2. Create etcd's data directory with etcd as the user and group owner.
3. Ensure the etcd process is run as the etcd user and group by setting the etcd static pod's SecurityContext appropriately.
Source: https://rancher.com/docs/rancher/v2.6/en/security/hardening-guides/rke2-1.6-hardening-2.6/#ensure-etcd-is-configured-properly
User creation is (partly?) documented:
sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
Questions:
1 - Is there a reason to not specify a UID/GID (as opposed to RKE)?
2 - What is the best way to set the SecurityContext for etcd pods?
• Is it done by enabling the cis profile in config.yaml? (This is not the case for my cluster currently, as I try to pass the test before enabling it.)
• As opposed to RKE, it seems to not be possible to set the etcd user/group explicitly in config.yaml.
• The last option seems to be updating /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml
Let me know if I misunderstood something.
high-waitress-66594
07/25/2022, 5:51 PM
etcd
iirc
that's an exercise for the reader.
...so unless you want to break expectations, I wouldn't advise changing it.
millions-book-52954
07/26/2022, 7:21 AM
ok
ok, thank you for this. I will continue my investigations regarding point 2.
rapid-helmet-86074
08/01/2022, 6:32 PM
millions-book-52954
08/02/2022, 7:24 AM
rapid-helmet-86074
08/02/2022, 2:18 PM