New k3s server flag: --write-kubeconfig-own or --write-kubeconfig-group

Open kittydoor opened this issue 1 year ago • 1 comments

Per #389 the default mode for kubeconfig was changed to 600 with ability to override this to 644 (or any other) via a config flag. This is awesome! However, I would like to go with 640 so that I can make it only accessible to a certain group as opposed to world.

It would be great if a flag such as --write-kubeconfig-own <user>:<group> or --write-kubeconfig-group <group> existed so that I can define a group myself, and used together with --write-kubeconfig-mode the file is written as 640 root:.

At the moment, this is a step I take manually after installation. I think it would be more helpful to be able to add this into the configuration file.

kittydoor avatar Jan 10 '24 17:01 kittydoor

I think --write-kubeconfig-group would be reasonable.

brandond avatar Jan 10 '24 18:01 brandond

Validated with commit_id on v1.30 branch

$ echo $COMMIT

79ba10f5ec88a2458b44f67d009b4ee071918e4d

$ sudo INSTALL_K3S_COMMIT=$COMMIT INSTALL_K3S_EXEC="server --write-kubeconfig-group=testingNewFeature" ./install-k3s.sh

[INFO]  Using commit 79ba10f5ec88a2458b44f67d009b4ee071918e4d as release
[INFO]  Downloading hash https://k3s-ci-builds.s3.amazonaws.com/k3s-79ba10f5ec88a2458b44f67d009b4ee071918e4d.sha256sum
[INFO]  Downloading binary https://k3s-ci-builds.s3.amazonaws.com/k3s-79ba10f5ec88a2458b44f67d009b4ee071918e4d
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Skipping installation of SELinux RPM
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Creating /usr/local/bin/ctr symlink to k3s
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
[INFO]  systemd: Enabling k3s unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.
[INFO]  systemd: Starting k3s

$ ls -lahr /etc/rancher/k3s/

total 8.0K
-rw-r--r-- 1 root testingNewFeature 2.9K Jun  4 00:15 k3s.yaml
-rw-r--r-- 1 root root               223 Jun  4 00:15 config.yaml
drwxr-xr-x 4 root root                29 Jun  4 00:15 ..
drwxr-xr-x 2 root root                41 Jun  4 00:15 .

VestigeJ avatar Jun 04 '24 00:06 VestigeJ
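
Added example, not part of the thread or the k3s code base: a shell check that a kubeconfig is readable by the intended group and closed to everyone else, the 640 state the issue asks for (the listing above shows `-rw-r--r--`, which is still world-readable). It assumes GNU `stat`; the function name, return codes and the temp file standing in for `k3s.yaml` are hypothetical or constructed.

```shell
#!/bin/sh
# Added example: audit kubeconfig mode and group (assumes GNU coreutils stat).
# check_kubeconfig and its return codes are hypothetical names for illustration.
#
# check_kubeconfig FILE GROUP
#   0 = GROUP can read FILE and "other" has no access (e.g. 640)
#   1 = "other" has some access (e.g. 644)
#   2 = FILE belongs to a different group
#   3 = group read bit is missing (e.g. 600)
#   4 = FILE does not exist
check_kubeconfig() {
    file=$1
    want_group=$2
    [ -f "$file" ] || return 4
    mode=$(stat -c '%a' "$file")     # octal permission digits, e.g. 640
    group=$(stat -c '%G' "$file")    # owning group name
    other_bits=$((mode % 10))
    group_bits=$(( (mode / 10) % 10 ))
    [ "$other_bits" -eq 0 ] || return 1
    [ "$group" = "$want_group" ] || return 2
    [ $((group_bits & 4)) -ne 0 ] || return 3
    return 0
}

# Constructed demo: a temp file stands in for /etc/rancher/k3s/k3s.yaml.
demo_file=$(mktemp)
demo_group=$(stat -c '%G' "$demo_file")
for m in 644 640 600; do
    chmod "$m" "$demo_file"
    if check_kubeconfig "$demo_file" "$demo_group"; then rc=0; else rc=$?; fi
    echo "mode $m group $demo_group -> check_kubeconfig returned $rc"
done
rm -f "$demo_file"
```

On a real host the call would be `check_kubeconfig /etc/rancher/k3s/k3s.yaml <group>`, run after k3s has started with both `--write-kubeconfig-mode` and `--write-kubeconfig-group` set.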

Hi @VestigeJ,

Is this feature officially released? I could not find a reference on https://docs.k3s.io/cli/server, but I can see it on my machine with k3s server -h. My k3s version is v1.30.5+k3s1 (9b586704).

davidshen84 avatar Oct 21 '24 04:10 davidshen84

Yep. Docs frequently lag behind features. A docs PR would be welcomed!

brandond avatar Oct 21 '24 05:10 brandond

Created PR https://github.com/k3s-io/docs/issues/345.


davidshen84 avatar Oct 27 '24 00:10 davidshen84

Thank you for pitching in on this! :)

kittydoor avatar Oct 27 '24 09:10 kittydoor