Last active
February 23, 2017 20:26
Kube-DNS SELinux
Feb 23 19:23:04 ip-172-31-11-231.us-west-2.compute.internal audit[32554]: AVC avc: denied { open } for pid=32554 comm="dashboard" path="/public/en/index.html" dev="overlay" ino=48298053 scontext=system_u:system_r:svirt_lxc_net_t:s0:c370,c736 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:24:56 ip-172-31-11-231.us-west-2.compute.internal audit[10853]: AVC avc: denied { execute } for pid=10853 comm="exechealthz" name="sh" dev="xvdb" ino=2490773 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:24:56 ip-172-31-11-231.us-west-2.compute.internal audit[10853]: AVC avc: denied { read open } for pid=10853 comm="exechealthz" path="/bin/sh" dev="overlay" ino=138907031 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:24:56 ip-172-31-11-231.us-west-2.compute.internal audit[10853]: AVC avc: denied { execute_no_trans } for pid=10853 comm="exechealthz" path="/bin/sh" dev="overlay" ino=138907031 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:25:49 ip-172-31-11-231.us-west-2.compute.internal audit[15641]: AVC avc: denied { read } for pid=15641 comm="node" name="etc-hosts" dev="xvda9" ino=541994 scontext=system_u:system_r:svirt_lxc_net_t:s0:c345,c400 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c0,c138 tclass=file permissive=1 | |
Feb 23 19:27:57 ip-172-31-11-231.us-west-2.compute.internal audit[7367]: AVC avc: denied { read } for pid=7367 comm="kube2sky" name="etc-hosts" dev="xvda9" ino=541800 scontext=system_u:system_r:svirt_lxc_net_t:s0:c596,c908 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c399,c912 tclass=file permissive=1 | |
Feb 23 19:28:04 ip-172-31-11-231.us-west-2.compute.internal audit[15691]: AVC avc: denied { read } for pid=15691 comm="dashboard" name="index.html" dev="xvdb" ino=3157475 scontext=system_u:system_r:svirt_lxc_net_t:s0:c370,c736 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:28:04 ip-172-31-11-231.us-west-2.compute.internal audit[32554]: AVC avc: denied { open } for pid=32554 comm="dashboard" path="/public/en/index.html" dev="overlay" ino=48298053 scontext=system_u:system_r:svirt_lxc_net_t:s0:c370,c736 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:28:07 ip-172-31-11-231.us-west-2.compute.internal audit[13245]: AVC avc: denied { execute } for pid=13245 comm="exechealthz" name="ionice" dev="xvdb" ino=2490773 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:28:07 ip-172-31-11-231.us-west-2.compute.internal audit[13245]: AVC avc: denied { read open } for pid=13245 comm="exechealthz" path="/bin/sh" dev="overlay" ino=138907031 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:28:07 ip-172-31-11-231.us-west-2.compute.internal audit[13245]: AVC avc: denied { execute_no_trans } for pid=13245 comm="exechealthz" path="/bin/sh" dev="overlay" ino=138907031 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:28:08 ip-172-31-11-231.us-west-2.compute.internal audit[6522]: AVC avc: denied { read } for pid=6522 comm="node_exporter" name="file-nr" dev="proc" ino=138907216 scontext=system_u:system_r:svirt_lxc_net_t:s0:c320,c823 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 | |
Feb 23 19:28:08 ip-172-31-11-231.us-west-2.compute.internal audit[6522]: AVC avc: denied { open } for pid=6522 comm="node_exporter" path="/proc/sys/fs/file-nr" dev="proc" ino=138907216 scontext=system_u:system_r:svirt_lxc_net_t:s0:c320,c823 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 | |
Feb 23 19:28:49 ip-172-31-11-231.us-west-2.compute.internal audit[15640]: AVC avc: denied { read } for pid=15640 comm="node" name="etc-hosts" dev="xvda9" ino=541994 scontext=system_u:system_r:svirt_lxc_net_t:s0:c345,c400 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c0,c138 tclass=file permissive=1 | |
Feb 23 19:29:45 ip-172-31-11-231.us-west-2.compute.internal audit[15691]: AVC avc: denied { open } for pid=15691 comm="dashboard" path="/public/en/index.html" dev="overlay" ino=48298053 scontext=system_u:system_r:svirt_lxc_net_t:s0:c370,c736 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:29:45 ip-172-31-11-231.us-west-2.compute.internal audit[15690]: AVC avc: denied { read } for pid=15690 comm="dashboard" name="index.html" dev="xvdb" ino=3157475 scontext=system_u:system_r:svirt_lxc_net_t:s0:c370,c736 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:29:45 ip-172-31-11-231.us-west-2.compute.internal audit[14723]: AVC avc: denied { execute } for pid=14723 comm="exechealthz" name="ionice" dev="xvdb" ino=2490773 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:29:45 ip-172-31-11-231.us-west-2.compute.internal audit[14723]: AVC avc: denied { read open } for pid=14723 comm="exechealthz" path="/bin/sh" dev="overlay" ino=139871428 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:29:45 ip-172-31-11-231.us-west-2.compute.internal audit[14723]: AVC avc: denied { execute_no_trans } for pid=14723 comm="exechealthz" path="/bin/sh" dev="overlay" ino=139871428 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:29:49 ip-172-31-11-231.us-west-2.compute.internal audit[15641]: AVC avc: denied { read } for pid=15641 comm="node" name="etc-hosts" dev="xvda9" ino=541994 scontext=system_u:system_r:svirt_lxc_net_t:s0:c345,c400 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c0,c138 tclass=file permissive=1 | |
Feb 23 19:29:54 ip-172-31-11-231.us-west-2.compute.internal audit[6491]: AVC avc: denied { read } for pid=6491 comm="node_exporter" name="file-nr" dev="proc" ino=139873131 scontext=system_u:system_r:svirt_lxc_net_t:s0:c320,c823 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 | |
Feb 23 19:29:54 ip-172-31-11-231.us-west-2.compute.internal audit[6491]: AVC avc: denied { open } for pid=6491 comm="node_exporter" path="/proc/sys/fs/file-nr" dev="proc" ino=139873131 scontext=system_u:system_r:svirt_lxc_net_t:s0:c320,c823 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 | |
Feb 23 19:31:04 ip-172-31-11-231.us-west-2.compute.internal audit[15691]: AVC avc: denied { read } for pid=15691 comm="dashboard" name="index.html" dev="xvdb" ino=3157475 scontext=system_u:system_r:svirt_lxc_net_t:s0:c370,c736 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:31:04 ip-172-31-11-231.us-west-2.compute.internal audit[32555]: AVC avc: denied { open } for pid=32555 comm="dashboard" path="/public/en/index.html" dev="overlay" ino=48298053 scontext=system_u:system_r:svirt_lxc_net_t:s0:c370,c736 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:31:09 ip-172-31-11-231.us-west-2.compute.internal audit[1212]: AVC avc: denied { read } for pid=1212 comm="node_exporter" name="file-nr" dev="proc" ino=139888142 scontext=system_u:system_r:svirt_lxc_net_t:s0:c320,c823 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 | |
Feb 23 19:31:09 ip-172-31-11-231.us-west-2.compute.internal audit[1212]: AVC avc: denied { open } for pid=1212 comm="node_exporter" path="/proc/sys/fs/file-nr" dev="proc" ino=139888142 scontext=system_u:system_r:svirt_lxc_net_t:s0:c320,c823 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 | |
Feb 23 19:31:25 ip-172-31-11-231.us-west-2.compute.internal audit[16162]: AVC avc: denied { execute } for pid=16162 comm="exechealthz" name="ionice" dev="xvdb" ino=2490773 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:31:25 ip-172-31-11-231.us-west-2.compute.internal audit[16162]: AVC avc: denied { read open } for pid=16162 comm="exechealthz" path="/bin/sh" dev="overlay" ino=140378608 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:31:25 ip-172-31-11-231.us-west-2.compute.internal audit[16162]: AVC avc: denied { execute_no_trans } for pid=16162 comm="exechealthz" path="/bin/sh" dev="overlay" ino=140378608 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:31:49 ip-172-31-11-231.us-west-2.compute.internal audit[15639]: AVC avc: denied { read } for pid=15639 comm="node" name="etc-hosts" dev="xvda9" ino=541994 scontext=system_u:system_r:svirt_lxc_net_t:s0:c345,c400 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c0,c138 tclass=file permissive=1 | |
Feb 23 19:33:14 ip-172-31-11-231.us-west-2.compute.internal audit[7367]: AVC avc: denied { read } for pid=7367 comm="kube2sky" name="etc-hosts" dev="xvda9" ino=541800 scontext=system_u:system_r:svirt_lxc_net_t:s0:c596,c908 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c399,c912 tclass=file permissive=1 | |
Feb 23 19:54:24 ip-172-31-11-231.us-west-2.compute.internal audit[6491]: AVC avc: denied { read } for pid=6491 comm="node_exporter" name="file-nr" dev="proc" ino=139888142 scontext=system_u:system_r:svirt_lxc_net_t:s0:c320,c823 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 | |
Feb 23 19:54:24 ip-172-31-11-231.us-west-2.compute.internal audit[6491]: AVC avc: denied { open } for pid=6491 comm="node_exporter" path="/proc/sys/fs/file-nr" dev="proc" ino=139888142 scontext=system_u:system_r:svirt_lxc_net_t:s0:c320,c823 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 | |
Feb 23 19:54:55 ip-172-31-11-231.us-west-2.compute.internal audit[5339]: AVC avc: denied { read } for pid=5339 comm="kube2sky" name="etc-hosts" dev="xvda9" ino=541800 scontext=system_u:system_r:svirt_lxc_net_t:s0:c596,c908 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c399,c912 tclass=file permissive=1 | |
Feb 23 19:58:14 ip-172-31-11-231.us-west-2.compute.internal audit[15684]: AVC avc: denied { read } for pid=15684 comm="dashboard" name="index.html" dev="xvdb" ino=3157475 scontext=system_u:system_r:svirt_lxc_net_t:s0:c370,c736 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 19:58:14 ip-172-31-11-231.us-west-2.compute.internal audit[15684]: AVC avc: denied { open } for pid=15684 comm="dashboard" path="/public/en/index.html" dev="overlay" ino=48298053 scontext=system_u:system_r:svirt_lxc_net_t:s0:c370,c736 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 20:04:49 ip-172-31-11-231.us-west-2.compute.internal audit[15641]: AVC avc: denied { read } for pid=15641 comm="node" name="etc-hosts" dev="xvda9" ino=541994 scontext=system_u:system_r:svirt_lxc_net_t:s0:c345,c400 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c0,c138 tclass=file permissive=1 | |
Feb 23 20:04:53 ip-172-31-11-231.us-west-2.compute.internal audit[9213]: AVC avc: denied { read } for pid=9213 comm="sh" name="ionice" dev="xvdb" ino=2490773 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 20:04:53 ip-172-31-11-231.us-west-2.compute.internal audit[9213]: AVC avc: denied { execute } for pid=9213 comm="sh" path="/bin/sh" dev="overlay" ino=140382737 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 20:04:55 ip-172-31-11-231.us-west-2.compute.internal audit[9246]: AVC avc: denied { open } for pid=9246 comm="sh" path="/bin/nslookup" dev="overlay" ino=140383698 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 20:04:55 ip-172-31-11-231.us-west-2.compute.internal audit[9246]: AVC avc: denied { execute_no_trans } for pid=9246 comm="sh" path="/bin/nslookup" dev="overlay" ino=140383698 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 20:18:54 ip-172-31-11-231.us-west-2.compute.internal audit[1212]: AVC avc: denied { read } for pid=1212 comm="node_exporter" name="file-nr" dev="proc" ino=139888142 scontext=system_u:system_r:svirt_lxc_net_t:s0:c320,c823 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 | |
Feb 23 20:18:54 ip-172-31-11-231.us-west-2.compute.internal audit[1212]: AVC avc: denied { open } for pid=1212 comm="node_exporter" path="/proc/sys/fs/file-nr" dev="proc" ino=139888142 scontext=system_u:system_r:svirt_lxc_net_t:s0:c320,c823 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 | |
Feb 23 20:19:04 ip-172-31-11-231.us-west-2.compute.internal audit[15690]: AVC avc: denied { read } for pid=15690 comm="dashboard" name="index.html" dev="xvdb" ino=3157475 scontext=system_u:system_r:svirt_lxc_net_t:s0:c370,c736 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 20:19:04 ip-172-31-11-231.us-west-2.compute.internal audit[32554]: AVC avc: denied { open } for pid=32554 comm="dashboard" path="/public/en/index.html" dev="overlay" ino=48298053 scontext=system_u:system_r:svirt_lxc_net_t:s0:c370,c736 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 20:19:39 ip-172-31-11-231.us-west-2.compute.internal audit[20780]: AVC avc: denied { execute } for pid=20780 comm="exechealthz" name="ionice" dev="xvdb" ino=2490773 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 20:19:39 ip-172-31-11-231.us-west-2.compute.internal audit[20780]: AVC avc: denied { read open } for pid=20780 comm="exechealthz" path="/bin/sh" dev="overlay" ino=140382737 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 20:19:39 ip-172-31-11-231.us-west-2.compute.internal audit[20780]: AVC avc: denied { execute_no_trans } for pid=20780 comm="exechealthz" path="/bin/sh" dev="overlay" ino=140382737 scontext=system_u:system_r:svirt_lxc_net_t:s0:c399,c912 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 | |
Feb 23 20:19:49 ip-172-31-11-231.us-west-2.compute.internal audit[15642]: AVC avc: denied { read } for pid=15642 comm="node" name="etc-hosts" dev="xvda9" ino=541994 scontext=system_u:system_r:svirt_lxc_net_t:s0:c345,c400 tcontext=system_u:object_r:svirt_lxc_file_t:s0:c0,c138 tclass=file permissive=1 |
$ docker inspect f4db8daebc3a | jq .[0].Mounts[5] | |
{ | |
"Source": "/var/lib/kubelet/pods/b54ab8ce-edbc-11e6-b0bb-02b3de8fefb3/etc-hosts", | |
"Destination": "/etc/hosts", | |
"Mode": "Z", | |
"RW": true, | |
"Propagation": "rprivate" | |
} |
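# kube-dns ReplicationController: one pod running etcd, kube2sky, skydns and exechealthz.
# The nesting below is restored from a flattened listing (table-cell residue removed),
# following the core/v1 ReplicationController schema; keys and values are unchanged.
# NOTE(review): all four images are referenced by tag, not by digest, so the content
# behind each reference is whatever the registry serves for that tag at pull time.
apiVersion: v1
kind: ReplicationController
metadata:
  labels:
    app: kube-dns
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
  name: kube-dns
  namespace: kube-system
spec:
  replicas: 3
  selector:
    k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
        kubernetes.io/cluster-service: "true"
    spec:
      containers:
      # etcd backing store for skydns. Client URLs are plain HTTP with no client auth,
      # bound to loopback only, so they are reachable from this pod's network namespace.
      - command:
        - /usr/local/bin/etcd
        - -data-dir
        - /var/etcd/data
        - -listen-client-urls
        - http://127.0.0.1:2379,http://127.0.0.1:4001
        - -advertise-client-urls
        - http://127.0.0.1:2379,http://127.0.0.1:4001
        - -initial-cluster-token
        - skydns-etcd
        image: gcr.io/google_containers/etcd-amd64:2.2.1
        name: etcd
        resources:
          limits:
            cpu: 100m
            memory: 500Mi
          requests:
            cpu: 100m
            memory: 50Mi
        # NOTE(review): only ssl-certs is mounted here. The etcd-storage emptyDir declared
        # under `volumes` is not referenced by any container, so /var/etcd/data is not
        # backed by it.
        # NOTE(review): this ssl-certs mount (and the same mount in the other containers)
        # has no `readOnly: true`, unlike the kubeconfig and etc-kube-ssl mounts, so the
        # host's /usr/share/ca-certificates is mounted writable into every container.
        volumeMounts:
        - mountPath: /etc/ssl/certs
          name: ssl-certs
      # kube2sky watches the API server using the node's worker kubeconfig and TLS material.
      - args:
        - --kubecfg-file=/etc/kubernetes/worker-kubeconfig.yaml
        - --domain=cluster.local
        image: gcr.io/google_containers/kube2sky:1.14
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 60
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 5
        name: kube2sky
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /readiness
            port: 8081
            scheme: HTTP
          initialDelaySeconds: 30
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 5
        resources:
          limits:
            cpu: 100m
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 50Mi
        volumeMounts:
        - mountPath: /etc/ssl/certs
          name: ssl-certs
        - mountPath: /etc/kubernetes/worker-kubeconfig.yaml
          name: kubeconfig
          readOnly: true
        - mountPath: /etc/kubernetes/ssl
          name: etc-kube-ssl
          readOnly: true
      # skydns serves cluster DNS on port 53 (UDP and TCP), reading records from the
      # loopback etcd above.
      - args:
        - -machines=http://127.0.0.1:4001
        - -addr=0.0.0.0:53
        - -ns-rotate=false
        - -domain=cluster.local.
        image: gcr.io/google_containers/skydns:2015-10-13-8c72f8c
        name: skydns
        ports:
        - containerPort: 53
          name: dns
          protocol: UDP
        - containerPort: 53
          name: dns-tcp
          protocol: TCP
        resources:
          limits:
            cpu: 100m
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 50Mi
        volumeMounts:
        - mountPath: /etc/ssl/certs
          name: ssl-certs
      # exechealthz runs the -cmd string as a health check and serves the result on 8080.
      # The AVC records in this gist with comm="exechealthz" / comm="sh" (execute and
      # execute_no_trans on /bin/sh and /bin/nslookup) appear to come from this container.
      - args:
        - -cmd=nslookup kubernetes.default.svc.cluster.local 127.0.0.1 >/dev/null
        - -port=8080
        image: gcr.io/google_containers/exechealthz:1.0
        name: healthz
        ports:
        - containerPort: 8080
          protocol: TCP
        resources:
          limits:
            cpu: 10m
            memory: 20Mi
          requests:
            cpu: 10m
            memory: 20Mi
        volumeMounts:
        - mountPath: /etc/ssl/certs
          name: ssl-certs
      dnsPolicy: Default
      restartPolicy: Always
      # NOTE(review): the pod securityContext is empty, so no seLinuxOptions are pinned.
      # The AVC records in this gist show comm="kube2sky" running at s0:c596,c908 and
      # comm="exechealthz" at s0:c399,c912, while the etc-hosts file kube2sky is denied
      # on carries c399,c912. If those are this pod's containers, each one received its
      # own MCS categories and the shared etc-hosts bind mount (mode "Z" in the docker
      # inspect output) is labelled for only one of them. Pinning a single
      # securityContext.seLinuxOptions.level at pod level is the usual way to give all
      # containers one label - confirm on this kubelet/docker combination. Every record
      # shows permissive=1, so these accesses were logged, not blocked; they would be
      # blocked once the domain is enforcing.
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
      - hostPath:
          path: /usr/share/ca-certificates
        name: ssl-certs
      # NOTE(review): the next two hostPath volumes hand the node's own kubeconfig and
      # /etc/kubernetes/ssl to a workload container. Presumably hostPath content keeps
      # its host SELinux label rather than being relabelled for the pod - verify that
      # label permits the intended read before enforcing, and consider a dedicated
      # credential for kube2sky instead of the node's.
      - hostPath:
          path: /etc/kubernetes/worker-kubeconfig.yaml
        name: kubeconfig
      - hostPath:
          path: /etc/kubernetes/ssl
        name: etc-kube-ssl
      - emptyDir: {}
        name: etcd-storage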
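# /run/systemd/system/kubelet.service
#
# systemd unit that prepares CNI/Calico binaries and then starts the kubelet through
# the CoreOS kubelet-wrapper, with docker as the container runtime.
# Table-cell residue from the page extraction has been removed from the end of each
# line, since it would break the backslash line continuations; directives and values
# are otherwise unchanged.
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
After=docker.service
Requires=docker.service

[Service]
ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests /etc/cni/net.d /opt/cni/bin/ /var/log/containers/
# NOTE(review): the wget steps below run on every (re)start and install executables
# that the kubelet will later invoke, with no checksum or signature verification.
# The release URLs are version-pinned, but nothing pins the bytes behind them.
# Verifying each download against a digest recorded out of band, or shipping the
# binaries with the node image, would close that gap.
ExecStartPre=/usr/bin/wget --progress dot:mega -N -P /opt/cni/bin https://github.com/projectcalico/calico-cni/releases/download/v1.5.5/calico
ExecStartPre=/usr/bin/chmod +x /opt/cni/bin/calico
ExecStartPre=/usr/bin/wget --progress dot:mega -N -P /opt/bin https://github.com/projectcalico/calico-containers/releases/download/v1.0.0/calicoctl
ExecStartPre=/usr/bin/chmod +x /opt/bin/calicoctl
# NOTE(review): the CNI archive is staged under a fixed name in /tmp and then unpacked
# into /opt/cni/bin; with -N an existing file of that name may be reused, so a
# root-owned staging directory is the safer choice.
ExecStartPre=/usr/bin/wget --progress dot:mega -N -P /tmp/ https://github.com/containernetworking/cni/releases/download/v0.4.0/cni-v0.4.0.tgz
ExecStartPre=/usr/bin/tar xfz /tmp/cni-v0.4.0.tgz -C /opt/cni/bin/
# Host paths passed to the kubelet-wrapper's rkt container: resolv.conf, CNI config,
# /var/log and the CNI plugin directory.
Environment="RKT_OPTS=--volume=resolv,kind=host,source=/etc/resolv.conf --mount volume=resolv,target=/etc/resolv.conf \
  --volume=cni,kind=host,source=/etc/cni/ --mount volume=cni,target=/etc/cni/ \
  --volume var-log,kind=host,source=/var/log/ --mount volume=var-log,target=/var/log/ \
  --volume=cnibin,kind=host,source=/opt/cni/bin/ --mount volume=cnibin,target=/opt/cni/bin/"
Environment=KUBELET_VERSION=v1.5.2_coreos.0
# NOTE(review): the kubelet API is served on all interfaces (--address=0.0.0.0,
# --port=10250, --enable-server=true) and privileged pods are allowed
# (--allow-privileged=true). No --anonymous-auth, --client-ca-file or
# --authorization-mode flag appears on this command line, so access control on
# port 10250 rests on this release's defaults - confirm them, and restrict network
# reachability of that port to the control plane.
ExecStart=/usr/lib/coreos/kubelet-wrapper \
  --address=0.0.0.0 \
  --allow-privileged=true \
  --api-servers=https://kubernetes.example.com \
  --cloud-provider=aws \
  --cluster-dns=10.100.0.10 \
  --cluster-domain=cluster.local \
  --config=/etc/kubernetes/manifests \
  --container-runtime="docker" \
  --enable-server=true \
  --eviction-soft="imagefs.inodesFree<10%,imagefs.available<10%" \
  --eviction-soft-grace-period="imagefs.inodesFree=1m,imagefs.available=1m" \
  --eviction-max-pod-grace-period="30" \
  --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml \
  --logtostderr=true \
  --network-plugin-dir=/etc/cni/net.d \
  --network-plugin=cni \
  --node-labels=skuid.com/node-type=worker \
  --port=10250
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target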
$ ps auxZ |grep dockerd | |
system_u:system_r:kernel_t:s0 root 3972 6.4 1.2 2416004 200472 ? Ssl Feb08 1428:04 dockerd --host=fd:// --containerd=/var/run/docker/libcontainerd/docker-containerd.sock --bip=192.168.114.1/24 --mtu=8951 --ip-masq=false --selinux-enabled | |
$ uname -a | |
Linux ip-172-31-11-231.us-west-2.compute.internal 4.7.3-coreos-r2 #1 SMP Thu Feb 2 02:26:10 UTC 2017 x86_64 Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz GenuineIntel GNU/Linux | |
$ cat /etc/os-release | grep VERSION | |
VERSION=1235.9.0 | |
$ docker version | |
Client: | |
Version: 1.12.6 | |
API version: 1.24 | |
Go version: go1.6.3 | |
Git commit: d5236f0 | |
Built: Thu Feb 2 02:27:34 2017 | |
OS/Arch: linux/amd64 | |
Server: | |
Version: 1.12.6 | |
API version: 1.24 | |
Go version: go1.6.3 | |
Git commit: d5236f0 | |
Built: Thu Feb 2 02:27:34 2017 | |
OS/Arch: linux/amd64 | |
$ kubectl version | |
Client Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.3", GitCommit:"029c3a408176b55c30846f0faedf56aae5992e9b", GitTreeState:"clean", BuildDate:"2017-02-17T20:49:14Z", GoVersion:"go1.8", Compiler:"gc", Platform:"darwin/amd64"} | |
Server Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.2", GitCommit:"08e099554f3c31f6e6f07b448ab3ed78d0520507", GitTreeState:"clean", BuildDate:"2017-01-12T04:52:34Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"} |