Principle of least privilege for kubeone user #2712

steled · 2023-03-09T07:50:40Z

steled
Mar 9, 2023

Hi,

for the SSH connection to the instances I want to use a dedicated user called kubeone.

Based on the principle of least privilege, I would like to grant the user only the permissions necessary for the installation (via KubeOne). So far I have been able to break this down to the following commands that I have defined in the /etc/sudoers.d/kubeone file:

# installation
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/os-release
kubeone ALL=NOPASSWD:/usr/bin/mkdir -p /etc/kubeone
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/kubeone/proxy-env
kubeone ALL=NOPASSWD:/usr/bin/rm -f /tmp/k1-etc-environment
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/environment
kubeone ALL=NOPASSWD:/usr/sbin/swapoff -a
kubeone ALL=NOPASSWD:/usr/bin/sed -i /.*swap.*/d /etc/fstab
kubeone ALL=NOPASSWD:/usr/bin/systemctl disable --now ufw
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/modules-load.d/containerd.conf
kubeone ALL=NOPASSWD:/usr/sbin/modprobe overlay
kubeone ALL=NOPASSWD:/usr/sbin/modprobe br_netfilter
kubeone ALL=NOPASSWD:/usr/sbin/modprobe ip_tables
kubeone ALL=NOPASSWD:/usr/sbin/modprobe nf_conntrack_ipv4
kubeone ALL=NOPASSWD:/usr/sbin/modprobe nf_conntrack
kubeone ALL=NOPASSWD:/usr/bin/mkdir -p /etc/sysctl.d
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/sysctl.d/k8s.conf
kubeone ALL=NOPASSWD:/usr/sbin/sysctl --system
kubeone ALL=NOPASSWD:/usr/bin/mkdir -p /etc/systemd/journald.conf.d
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/systemd/journald.conf.d/max_disk_use.conf
kubeone ALL=NOPASSWD:/usr/bin/systemctl force-reload systemd-journald
kubeone ALL=NOPASSWD:/usr/bin/mkdir -p /etc/apt/apt.conf.d
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/apt/apt.conf.d/proxy.conf
kubeone ALL=NOPASSWD:/usr/bin/apt-get update
kubeone ALL=NOPASSWD:SETENV:/usr/bin/apt-get install --option Dpkg\:\:Options\:\:=--force-confold -y --no-install-recommends apt-transport-https ca-certificates curl gnupg lsb-release rsync
kubeone ALL=NOPASSWD:/usr/bin/apt-key add -
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/apt/sources.list.d/kubernetes.list
kubeone ALL=NOPASSWD:/usr/bin/apt-get install -y apt-transport-https ca-certificates curl software-properties-common lsb-release
kubeone ALL=NOPASSWD:/usr/bin/add-apt-repository deb https\://download.docker.com/linux/ubuntu * stable
kubeone ALL=NOPASSWD:/usr/bin/apt-mark unhold containerd.io
kubeone ALL=NOPASSWD:SETENV:/usr/bin/apt-get install --option Dpkg\:\:Options\:\:=--force-confold --no-install-recommends -y containerd.io=*
kubeone ALL=NOPASSWD:/usr/bin/apt-mark hold containerd.io
kubeone ALL=NOPASSWD:/usr/bin/mkdir -p /etc/containerd
kubeone ALL=NOPASSWD:/usr/bin/touch /etc/containerd/config.toml
kubeone ALL=NOPASSWD:/usr/bin/chmod 600 /etc/containerd/config.toml
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/containerd/config.toml
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/crictl.yaml
kubeone ALL=NOPASSWD:/usr/bin/systemctl daemon-reload
kubeone ALL=NOPASSWD:/usr/bin/systemctl enable containerd
kubeone ALL=NOPASSWD:/usr/bin/systemctl restart containerd
kubeone ALL=NOPASSWD:SETENV:/usr/bin/apt-get install --option Dpkg\:\:Options\:\:=--force-confold --no-install-recommends -y kubelet=* kubeadm=* kubectl=* kubernetes-cni=* cri-tools=*
kubeone ALL=NOPASSWD:/usr/bin/apt-mark hold kubelet kubeadm kubectl kubernetes-cni cri-tools
kubeone ALL=NOPASSWD:/usr/bin/systemctl daemon-reload
kubeone ALL=NOPASSWD:/usr/bin/systemctl enable --now kubelet
kubeone ALL=NOPASSWD:/usr/bin/systemctl restart kubelet
kubeone ALL=NOPASSWD:/usr/bin/kubeadm config images list --image-repository=registry.k8s.io --kubernetes-version=*

# deinstallation/removal
kubeone ALL=NOPASSWD:/usr/bin/kubeadm --v=6 reset --force
kubeone ALL=NOPASSWD:/usr/bin/rm -f /etc/kubernetes/cloud-config
kubeone ALL=NOPASSWD:/usr/bin/rm -rf /etc/kubernetes/admission
kubeone ALL=NOPASSWD:/usr/bin/rm -rf /etc/kubernetes/encryption-providers
kubeone ALL=NOPASSWD:/usr/bin/rm -rf /var/lib/etcd/
kubeone ALL=NOPASSWD:/usr/bin/rm -rf ./kubeone
kubeone ALL=NOPASSWD:/usr/bin/rm -rf /etc/kubeone

It also looks quite good unfortunately I don't get further with the following step:

INFO[15:06:24 CET] Generating kubeadm config file...
INFO[15:06:24 CET] Determining Kubernetes pause image...
[10.110.139.132] + export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/sbin:/usr/local/bin:/opt/bin
[10.110.139.132] + PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/sbin:/usr/local/bin:/opt/bin
[10.110.139.132] + sudo kubeadm config images list --image-repository=registry.k8s.io --kubernetes-version=1.25.6
[10.110.139.132] + cut -d : -f2
[10.110.139.132] + grep registry.k8s.io/pause
[10.110.139.132] 3.8
ERRO[15:06:24 CET] mkdir kubeone/cfg: ssh: popen
Process exited with status 1  sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required  node=10.110.139.132
WARN[15:06:24 CET] Task failed, error was: runtime: running task on "10.110.139.132"
mkdir kubeone/cfg: ssh: popen
Process exited with status 1  sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required

This step is executed a total of 10 times, then the kubeone command aborts with the following stacktrace:

---stacktrace---
runtime: running task on "10.110.139.132"
mkdir kubeone/cfg: ssh: popen
Process exited with status 1  sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required

k8c.io/kubeone/pkg/fail.Runtime
        k8c.io/kubeone/pkg/fail/helpers.go:112
k8c.io/kubeone/pkg/tasks.Tasks.Run
        k8c.io/kubeone/pkg/tasks/tasks.go:42
k8c.io/kubeone/pkg/cmd.runApplyInstall
        k8c.io/kubeone/pkg/cmd/apply.go:320
k8c.io/kubeone/pkg/cmd.runApply
        k8c.io/kubeone/pkg/cmd/apply.go:177
k8c.io/kubeone/pkg/cmd.applyCmd.func1
        k8c.io/kubeone/pkg/cmd/apply.go:93
github.com/spf13/cobra.(*Command).execute
        github.com/spf13/cobra@v1.6.1/command.go:916
github.com/spf13/cobra.(*Command).ExecuteC
        github.com/spf13/cobra@v1.6.1/command.go:1044
github.com/spf13/cobra.(*Command).Execute
        github.com/spf13/cobra@v1.6.1/command.go:968
k8c.io/kubeone/pkg/cmd.Execute
        k8c.io/kubeone/pkg/cmd/root.go:55
main.main
        k8c.io/kubeone/main.go:24
runtime.main
        runtime/proc.go:250
runtime.goexit
        runtime/asm_amd64.s:1594

Maybe someone has an idea which commando I have to add to the list so that this step also runs successfully.

I have a hunch that the problem is with this function:

kubeone/pkg/tasks/kubeadm_config.go

Line 54 in 2e12000

func generateKubeadm(s *state.State) error {

Answered by steled

Mar 15, 2023

Finally I could find the answer myself.
By the help of the tool Snoopy all the used commands could be logged at the machines and I was able to see which one are needed.

Below you can find a full list of commands, maybe someone else also want to go this way:

# installation
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/os-release
kubeone ALL=NOPASSWD:/usr/bin/mkdir -p /etc/kubeone
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/kubeone/proxy-env
kubeone ALL=NOPASSWD:/usr/bin/rm -f /tmp/k1-etc-environment
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/environment
kubeone ALL=NOPASSWD:/usr/sbin/swapoff -a
kubeone ALL=NOPASSWD:/usr/bin/sed -i /.*swap.*/d /etc/fstab
kubeone ALL=NOPASSWD:/usr/bin/systemctl disable --no…

View full answer

steled · 2023-03-15T10:40:51Z

steled
Mar 15, 2023
Author

Finally I could find the answer myself.
By the help of the tool Snoopy all the used commands could be logged at the machines and I was able to see which one are needed.

Below you can find a full list of commands, maybe someone else also want to go this way:

# installation
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/os-release
kubeone ALL=NOPASSWD:/usr/bin/mkdir -p /etc/kubeone
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/kubeone/proxy-env
kubeone ALL=NOPASSWD:/usr/bin/rm -f /tmp/k1-etc-environment
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/environment
kubeone ALL=NOPASSWD:/usr/sbin/swapoff -a
kubeone ALL=NOPASSWD:/usr/bin/sed -i /.*swap.*/d /etc/fstab
kubeone ALL=NOPASSWD:/usr/bin/systemctl disable --now ufw
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/modules-load.d/containerd.conf
kubeone ALL=NOPASSWD:/usr/sbin/modprobe overlay
kubeone ALL=NOPASSWD:/usr/sbin/modprobe br_netfilter
kubeone ALL=NOPASSWD:/usr/sbin/modprobe ip_tables
kubeone ALL=NOPASSWD:/usr/sbin/modprobe nf_conntrack_ipv4
kubeone ALL=NOPASSWD:/usr/sbin/modprobe nf_conntrack
kubeone ALL=NOPASSWD:/usr/bin/mkdir -p /etc/sysctl.d
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/sysctl.d/k8s.conf
kubeone ALL=NOPASSWD:/usr/sbin/sysctl --system
kubeone ALL=NOPASSWD:/usr/bin/mkdir -p /etc/systemd/journald.conf.d
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/systemd/journald.conf.d/max_disk_use.conf
kubeone ALL=NOPASSWD:/usr/bin/systemctl force-reload systemd-journald
kubeone ALL=NOPASSWD:/usr/bin/mkdir -p /etc/apt/apt.conf.d
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/apt/apt.conf.d/proxy.conf
kubeone ALL=NOPASSWD:/usr/bin/apt-get update
kubeone ALL=NOPASSWD:SETENV:/usr/bin/apt-get install --option Dpkg\:\:Options\:\:=--force-confold -y --no-install-recommends apt-transport-https ca-certificates curl gnupg lsb-release rsync
kubeone ALL=NOPASSWD:/usr/bin/apt-key add -
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/apt/sources.list.d/kubernetes.list
kubeone ALL=NOPASSWD:/usr/bin/apt-get install -y apt-transport-https ca-certificates curl software-properties-common lsb-release
kubeone ALL=NOPASSWD:/usr/bin/add-apt-repository deb https\://download.docker.com/linux/ubuntu * stable
kubeone ALL=NOPASSWD:/usr/bin/apt-mark unhold containerd.io
kubeone ALL=NOPASSWD:SETENV:/usr/bin/apt-get install --option Dpkg\:\:Options\:\:=--force-confold --no-install-recommends -y containerd.io=*
kubeone ALL=NOPASSWD:/usr/bin/apt-mark hold containerd.io
kubeone ALL=NOPASSWD:/usr/bin/mkdir -p /etc/containerd
kubeone ALL=NOPASSWD:/usr/bin/touch /etc/containerd/config.toml
kubeone ALL=NOPASSWD:/usr/bin/chmod 600 /etc/containerd/config.toml
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/containerd/config.toml
kubeone ALL=NOPASSWD:/usr/bin/tee /etc/crictl.yaml
kubeone ALL=NOPASSWD:/usr/bin/systemctl daemon-reload
kubeone ALL=NOPASSWD:/usr/bin/systemctl enable containerd
kubeone ALL=NOPASSWD:/usr/bin/systemctl restart containerd
kubeone ALL=NOPASSWD:SETENV:/usr/bin/apt-get install --option Dpkg\:\:Options\:\:=--force-confold --no-install-recommends -y kubelet=* kubeadm=* kubectl=* kubernetes-cni=* cri-tools=*
kubeone ALL=NOPASSWD:/usr/bin/apt-mark hold kubelet kubeadm kubectl kubernetes-cni cri-tools
kubeone ALL=NOPASSWD:/usr/bin/systemctl daemon-reload
kubeone ALL=NOPASSWD:/usr/bin/systemctl enable --now kubelet
kubeone ALL=NOPASSWD:/usr/bin/systemctl restart kubelet
kubeone ALL=NOPASSWD:/usr/bin/kubeadm config images list --image-repository=registry.k8s.io --kubernetes-version=*
kubeone ALL=NOPASSWD:/usr/bin/mkdir --mode=700 --parents kubeone/cfg
kubeone ALL=NOPASSWD:/usr/bin/truncate --size=0 kubeone/cfg/*
kubeone ALL=NOPASSWD:/usr/bin/dd status=none oflag=seek_bytes conv=notrunc seek=0 of=kubeone/cfg/*
kubeone ALL=NOPASSWD:/usr/bin/chmod 600 kubeone/cfg/*
kubeone ALL=NOPASSWD:/usr/bin/mkdir -p /etc/systemd/system/kubelet.service.d/ /etc/kubernetes
kubeone ALL=NOPASSWD:/usr/bin/mv ./kubeone/cfg/cloud-config /etc/kubernetes/cloud-config
kubeone ALL=NOPASSWD:/usr/bin/chown root\:root /etc/kubernetes/cloud-config
kubeone ALL=NOPASSWD:/usr/bin/chmod 600 /etc/kubernetes/cloud-config
kubeone ALL=NOPASSWD:/usr/bin/test -f ./kubeone/cfg/audit-policy.yaml
kubeone ALL=NOPASSWD:/usr/bin/test -f ./kubeone/cfg/podnodeselector.yaml
kubeone ALL=NOPASSWD:/usr/bin/test -f ./kubeone/cfg/encryption-providers.yaml
kubeone ALL=NOPASSWD:/usr/bin/kubeadm config images pull --config=./kubeone/cfg/*
kubeone ALL=NOPASSWD:/usr/bin/kubeadm --v=6 init phase certs all --config=./kubeone/cfg/*
kubeone ALL=NOPASSWD:/usr/bin/mkdir --mode=700 --parents /etc/kubernetes/pki
kubeone ALL=NOPASSWD:/usr/bin/truncate --size=0 /etc/kubernetes/pki/ca.crt
kubeone ALL=NOPASSWD:/usr/bin/chmod 600 /etc/kubernetes/pki/ca.crt
kubeone ALL=NOPASSWD:/usr/bin/dd status=none oflag=seek_bytes conv=notrunc seek=0 of=/etc/kubernetes/pki/ca.crt
kubeone ALL=NOPASSWD:/usr/bin/truncate --size=0 /etc/kubernetes/pki/ca.key
kubeone ALL=NOPASSWD:/usr/bin/chmod 600 /etc/kubernetes/pki/ca.key
kubeone ALL=NOPASSWD:/usr/bin/dd status=none oflag=seek_bytes conv=notrunc seek=0 of=/etc/kubernetes/pki/ca.key
kubeone ALL=NOPASSWD:/usr/bin/truncate --size=0 /etc/kubernetes/pki/sa.key
kubeone ALL=NOPASSWD:/usr/bin/chmod 600 /etc/kubernetes/pki/sa.key
kubeone ALL=NOPASSWD:/usr/bin/dd status=none oflag=seek_bytes conv=notrunc seek=0 of=/etc/kubernetes/pki/sa.key
kubeone ALL=NOPASSWD:/usr/bin/truncate --size=0 /etc/kubernetes/pki/sa.pub
kubeone ALL=NOPASSWD:/usr/bin/chmod 600 /etc/kubernetes/pki/sa.pub
kubeone ALL=NOPASSWD:/usr/bin/dd status=none oflag=seek_bytes conv=notrunc seek=0 of=/etc/kubernetes/pki/sa.pub
kubeone ALL=NOPASSWD:/usr/bin/truncate --size=0 /etc/kubernetes/pki/front-proxy-ca.crt
kubeone ALL=NOPASSWD:/usr/bin/chmod 600 /etc/kubernetes/pki/front-proxy-ca.crt
kubeone ALL=NOPASSWD:/usr/bin/dd status=none oflag=seek_bytes conv=notrunc seek=0 of=/etc/kubernetes/pki/front-proxy-ca.crt
kubeone ALL=NOPASSWD:/usr/bin/truncate --size=0 /etc/kubernetes/pki/front-proxy-ca.key
kubeone ALL=NOPASSWD:/usr/bin/chmod 600 /etc/kubernetes/pki/front-proxy-ca.key
kubeone ALL=NOPASSWD:/usr/bin/dd status=none oflag=seek_bytes conv=notrunc seek=0 of=/etc/kubernetes/pki/front-proxy-ca.key
kubeone ALL=NOPASSWD:/usr/bin/mkdir --mode=700 --parents /etc/kubernetes/pki/etcd
kubeone ALL=NOPASSWD:/usr/bin/truncate --size=0 /etc/kubernetes/pki/etcd/ca.crt
kubeone ALL=NOPASSWD:/usr/bin/chmod 600 /etc/kubernetes/pki/etcd/ca.crt
kubeone ALL=NOPASSWD:/usr/bin/dd status=none oflag=seek_bytes conv=notrunc seek=0 of=/etc/kubernetes/pki/etcd/ca.crt
kubeone ALL=NOPASSWD:/usr/bin/truncate --size=0 /etc/kubernetes/pki/etcd/ca.key
kubeone ALL=NOPASSWD:/usr/bin/chmod 600 /etc/kubernetes/pki/etcd/ca.key
kubeone ALL=NOPASSWD:/usr/bin/dd status=none oflag=seek_bytes conv=notrunc seek=0 of=/etc/kubernetes/pki/etcd/ca.key
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/kubernetes/pki/ca.crt
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/kubernetes/pki/ca.key
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/kubernetes/pki/sa.key
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/kubernetes/pki/sa.pub
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/kubernetes/pki/front-proxy-ca.crt
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/kubernetes/pki/front-proxy-ca.key
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/kubernetes/pki/etcd/ca.crt
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/kubernetes/pki/etcd/ca.key
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/kubernetes/pki/apiserver-etcd-client.crt
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/kubernetes/pki/apiserver-kubelet-client.crt
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/kubernetes/pki/apiserver.crt
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/kubernetes/pki/etcd/healthcheck-client.crt
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/kubernetes/pki/etcd/peer.crt
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/kubernetes/pki/etcd/server.crt
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/kubernetes/pki/front-proxy-client.crt
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/kubernetes/pki/etcd/server.key
kubeone ALL=NOPASSWD:/usr/bin/kubeadm --v=6 init --config=./kubeone/cfg/*
kubeone ALL=NOPASSWD:/usr/bin/cat /etc/kubernetes/admin.conf
kubeone ALL=NOPASSWD:/usr/bin/kubeadm --v=6 token create * --ttl 1h0m0s
kubeone ALL=NOPASSWD:/usr/bin/crictl ps --name=kube-apiserver -q
kubeone ALL=NOPASSWD:/usr/bin/crictl logs *
kubeone ALL=NOPASSWD:/usr/bin/grep -q * /tmp/kube-apiserver.log
kubeone ALL=NOPASSWD:/usr/bin/dd status=none iflag=count_bytes\,skip_bytes skip=* count=* if=/etc/kubernetes/manifests/kube-controller-manager.yaml
kubeone ALL=NOPASSWD:/usr/bin/truncate --size=0 /etc/kubernetes/manifests/kube-controller-manager.yaml
kubeone ALL=NOPASSWD:/usr/bin/dd status=none oflag=seek_bytes conv=notrunc seek=0 of=/etc/kubernetes/manifests/kube-controller-manager.yaml
kubeone ALL=NOPASSWD:SETENV:/usr/bin/kubectl apply -f - --prune -l kubeone.io/addon=coredns-pdb
kubeone ALL=NOPASSWD:SETENV:/usr/bin/kubectl apply -f - --prune -l kubeone.io/addon=metrics-server
kubeone ALL=NOPASSWD:SETENV:/usr/bin/kubectl apply -f - --prune -l kubeone.io/addon=cni-canal
kubeone ALL=NOPASSWD:SETENV:/usr/bin/kubectl apply -f - --prune -l kubeone.io/addon=nodelocaldns
kubeone ALL=NOPASSWD:SETENV:/usr/bin/kubectl apply -f - --prune -l kubeone.io/addon=machinecontroller
kubeone ALL=NOPASSWD:SETENV:/usr/bin/kubectl apply -f - --prune -l kubeone.io/addon=operating-system-manager
kubeone ALL=NOPASSWD:/usr/bin/kubeadm --v=6 join --config=./kubeone/cfg/*
# deinstallation/removal
kubeone ALL=NOPASSWD:/usr/bin/kubeadm --v=6 reset --force
kubeone ALL=NOPASSWD:/usr/bin/rm -f /etc/kubernetes/cloud-config
kubeone ALL=NOPASSWD:/usr/bin/rm -rf /etc/kubernetes/admission
kubeone ALL=NOPASSWD:/usr/bin/rm -rf /etc/kubernetes/encryption-providers
kubeone ALL=NOPASSWD:/usr/bin/rm -rf /var/lib/etcd/
kubeone ALL=NOPASSWD:/usr/bin/rm -rf ./kubeone
kubeone ALL=NOPASSWD:/usr/bin/rm -rf /etc/kubeone
# update
kubeone ALL=NOPASSWD:/usr/bin/dd status=none iflag=count_bytes\,skip_bytes skip=* count=* if=/var/lib/kubelet/kubeadm-flags.env
kubeone ALL=NOPASSWD:/usr/bin/truncate --size=0 /var/lib/kubelet/kubeadm-flags.env
kubeone ALL=NOPASSWD:/usr/bin/dd status=none oflag=seek_bytes conv=notrunc seek=0 of=/var/lib/kubelet/kubeadm-flags.env
kubeone ALL=NOPASSWD:/usr/bin/apt-mark unhold kubelet kubeadm kubectl kubernetes-cni cri-tools
kubeone ALL=NOPASSWD:SETENV:/usr/bin/apt-get install --option Dpkg\:\:Options\:\:=--force-confold --no-install-recommends -y kubeadm=* kubernetes-cni=* cri-tools=*
kubeone ALL=NOPASSWD:/usr/bin/kubeadm upgrade apply -y --certificate-renewal=true * --config=./kubeone/cfg/*
kubeone ALL=NOPASSWD:SETENV:/usr/bin/apt-get install --option Dpkg\:\:Options\:\:=--force-confold --no-install-recommends -y kubelet=* kubectl=* kubernetes-cni=* cri-tools=*
kubeone ALL=NOPASSWD:/usr/bin/kubeadm upgrade node --certificate-renewal=true

EDIT: I updated the list with commands that are needed for a version upgrade of kubernetes.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Principle of least privilege for kubeone user #2712

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Principle of least privilege for kubeone user #2712

steled Mar 9, 2023

Replies: 1 comment

steled Mar 15, 2023 Author

steled
Mar 9, 2023

steled
Mar 15, 2023
Author