A lightweight solution for configuration of baremetal nodes.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

281 lines
6.2 KiB

# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for divingbell.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
images:
divingbell: 'ubuntu:16.04'
pull_policy: IfNotPresent
conf:
chroot_mnt_path: '/mnt'
log_colors: False
apt:
upgrade: false
allow_downgrade: false
strict: false
blacklistpkgs:
- telnetd
- inetutils-telnetd
- telnetd-ssl
- nis
- ntpdate
# perm:
# rerun_policy: always
# 86400 = 1 day
# rerun_interval: 86400
# paths:
# -
# path: '/boot/System.map-*'
# owner: 'root'
# group: 'root'
# permissions: '0640'
# -
# path: '/etc/shadow'
# owner: 'root'
# group: 'shadow'
# permissions: '0640'
# -
# path: '/etc/gshadow'
# owner: 'root'
# group: 'shadow'
# permissions: '0640'
# -
# path: '/etc/passwd'
# owner: 'root'
# group: 'root'
# permissions: '0644'
# -
# path: '/etc/group'
# owner: 'root'
# group: 'root'
# permissions: '0644'
# -
# path: '/var/log/kern.log'
# owner: 'syslog'
# group: 'adm'
# permissions: '0640'
# -
# path: '/var/log/auth.log'
# owner: 'syslog'
# group: 'adm'
# permissions: '0640'
# -
# path: '/var/log/syslog'
# owner: 'syslog'
# group: 'adm'
# permissions: '0640'
## data.values.conf.sysctl
# sysctl:
# fs.suid_dumpable: '0'
## data.values.conf.limits
# limits:
# nofile:
# domain: 'root'
# type: 'soft'
# item: 'nofile'
# value: '101'
# core_dump:
# domain: '0:'
# type: 'hard'
# item: 'core'
# value: 0
pod:
mandatory_access_control:
type: apparmor
divingbell-apparmor:
apparmor: runtime/default
divingbell-apt:
apt: runtime/default
divingbell-ethtool:
ethtool: runtime/default
divingbell-exec:
exec: runtime/default
divingbell-limits:
limits: runtime/default
divingbell-mounts:
mounts: runtime/default
divingbell-perm:
perm: runtime/default
divingbell-sysctl:
sysctl: runtime/default
divingbell-uamlite:
uamlite: runtime/default
security_context:
divingbell:
pod:
runAsUser: 65534
container:
apt:
readOnlyRootFilesystem: true
runAsUser: 0
privileged: true
apparmor:
capabilities:
add:
- 'MAC_ADMIN'
readOnlyRootFilesystem: true
runAsUser : 0
ethtool:
capabilities:
add:
- 'NET_ADMIN'
readOnlyRootFilesystem: true
runAsUser : 0
exec:
readOnlyRootFilesystem: true
runAsUser: 0
privileged: true
limits:
readOnlyRootFilesystem: true
runAsUser: 0
mounts:
readOnlyRootFilesystem: true
runAsUser: 0
perm:
readOnlyRootFilesystem: true
runAsUser: 0
sysctl:
capabilities:
add:
- 'SYS_PTRACE'
- 'SYS_ADMIN'
- 'SYS_RAWIO'
readOnlyRootFilesystem: true
runAsUser: 0
lifecycle:
upgrades:
daemonsets:
pod_replacement_strategy: RollingUpdate
ethtool:
enabled: true
min_ready_seconds: 0
max_unavailable: 100%
mounts:
enabled: true
min_ready_seconds: 0
max_unavailable: 100%
uamlite:
enabled: true
min_ready_seconds: 0
max_unavailable: 100%
sysctl:
enabled: true
min_ready_seconds: 0
max_unavailable: 100%
apt:
enabled: true
min_ready_seconds: 0
max_unavailable: 100%
limits:
enabled: true
min_ready_seconds: 0
max_unavailable: 100%
perm:
enabled: true
min_ready_seconds: 0
max_unavailable: 100%
exec:
enabled: true
min_ready_seconds: 0
max_unavailable: 100%
resources:
enabled: false
apparmor:
limits:
memory: "128Mi"
cpu: "100m"
requests:
memory: "128Mi"
cpu: "100m"
ethtool:
limits:
memory: "128Mi"
cpu: "100m"
requests:
memory: "128Mi"
cpu: "100m"
mounts:
limits:
memory: "128Mi"
cpu: "100m"
requests:
memory: "128Mi"
cpu: "100m"
uamlite:
limits:
memory: "128Mi"
cpu: "100m"
requests:
memory: "128Mi"
cpu: "100m"
sysctl:
limits:
memory: "128Mi"
cpu: "100m"
requests:
memory: "128Mi"
cpu: "100m"
limits:
limits:
memory: "128Mi"
cpu: "100m"
requests:
memory: "128Mi"
cpu: "100m"
perm:
limits:
memory: "128Mi"
cpu: "100m"
requests:
memory: "128Mi"
cpu: "100m"
apt:
limits:
memory: "128Mi"
cpu: "100m"
requests:
memory: "128Mi"
cpu: "100m"
exec:
limits:
memory: "128Mi"
cpu: "100m"
requests:
memory: "128Mi"
cpu: "100m"
network_policy:
divingbell:
ingress:
- {}
egress:
- {}
manifests:
daemonset_ethtool: true
daemonset_mounts: true
daemonset_uamlite: true
daemonset_sysctl: true
daemonset_limits: true
daemonset_apt: true
daemonset_apt_remove_old_pkgs: true
daemonset_perm: true
daemonset_exec: true
daemonset_apparmor: true
network_policy: false