Smart Edge Open can install all required files on a Kubernetes control plane and nodes either as root or as a non-root user. From a security perspective, the non-root installation of the Smart Edge Open platform is advised: all tasks are executed with the non-root user's permissions, and tasks that require root privileges use the privilege escalation property "become".
- name: Run a command as root
  command: whoami
  become: yes
NOTE: For more about privilege escalation in Ansible, refer to https://docs.ansible.com/ansible/latest/user_guide/become.html#
Steps on K8s nodes
Before the Ansible installation is started, a non-root user needs to be created on the machines defined in inventory.yml. To create a user openness, execute the command:
A password for the given user is required.
Because some tasks require root privileges, the non-root user must be able to become root. For the user openness, the following command must be performed:
echo "openness ALL=(ALL) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/openness
To run Ansible as a non-root user, inventory.yml must be modified. Setting the ansible_user variable to the non-root user created above causes all tasks to be executed as that user.
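Because the sudoers entry above grants passwordless root to openness, it is worth confirming on each node that the drop-in holds only that rule, has the conventional mode, and parses cleanly before Ansible is run. The following pre-flight check is an added example, not part of the Smart Edge Open tooling; the user name and file path are the ones on this page, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Pre-flight check for the sudoers drop-in (added example, hypothetical names).
# Run check_node as root: a root-owned 0440 file is not readable by other users.

# Print the active lines of a sudoers file. Blank lines and comments are
# dropped, but "#include"/"#includedir" are kept: sudo treats them as directives.
active_rules() {
    awk '/^[ \t]*$/ { next }
         /^[ \t]*#/ && !/^[ \t]*#include/ { next }
         { print }' "$1"
}

# Succeed only if the drop-in holds exactly the one expected rule for USER.
rule_is_expected() {   # usage: rule_is_expected FILE USER
    [ "$(active_rules "$1")" = "$2 ALL=(ALL) NOPASSWD:ALL" ]
}

# Succeed only if the file mode is 0440, the conventional sudoers mode.
# A plain "sudo tee" typically leaves the file at 0644 (umask 022).
mode_is_0440() {       # usage: mode_is_0440 FILE
    local mode
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "440" ]
}

# Run every check; example call: check_node /etc/sudoers.d/openness openness
check_node() {
    local file=$1 user=$2 rc=0
    rule_is_expected "$file" "$user" || { echo "unexpected rules in $file" >&2; rc=1; }
    mode_is_0440 "$file" || { echo "fix with: chmod 0440 $file" >&2; rc=1; }
    # Syntax check of this one file.
    visudo -cf "$file" >/dev/null || { echo "visudo rejected $file" >&2; rc=1; }
    # What "become" relies on here: escalation without a password prompt.
    sudo -n -u "$user" sudo -n true || { echo "$user cannot sudo without a password" >&2; rc=1; }
    return "$rc"
}
```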