# aks-flex-node-agent.service — systemd unit for the AKS Flex Node Agent
# (runs /usr/local/bin/aks-flex-node agent as a long-lived root service).
[Unit]
Description=AKS Flex Node Agent
# Order after network-online and pull it in. Wants= (not Requires=) means the
# agent still starts if network-online.target fails.
After=network-online.target
Wants=network-online.target
# Restart rate limit: at most StartLimitBurst starts within StartLimitIntervalSec
# seconds; past that systemd stops restarting the unit and marks it failed.
# Pairs with Restart=/RestartSec= in [Service].
StartLimitIntervalSec=300
StartLimitBurst=5
[Service]
# Long-running foreground process; the unit is "active" as soon as it is forked.
Type=simple
RemainAfterExit=no
# Config path is fixed here; nothing else in this unit references it.
ExecStart=/usr/local/bin/aks-flex-node agent --config /etc/aks-flex-node/config.json
# seconds
TimeoutStartSec=300
TimeoutStopSec=60
# Restart only on a non-clean exit, waiting 30 s between attempts; the [Unit]
# start-limit settings cap how many attempts are made per interval.
Restart=on-failure
RestartSec=30
# TODO: review the settings and permission here
# Runs as root. The PLACEHOLDER_* tokens below are expected to be substituted at
# install time; a unit with them left in place will fail to resolve the group.
User=root
Group=root
SupplementaryGroups=PLACEHOLDER_USER_GROUP
Environment=AZURE_CONFIG_DIR=PLACEHOLDER_AZURE_CONFIG_DIR
# /run/aks-flex-node is created on start and removed on stop. Mode 0755 makes it
# world-readable — NOTE(review): confirm nothing sensitive (tokens, kubeconfigs)
# is written there, or tighten to 0750.
RuntimeDirectory=aks-flex-node
RuntimeDirectoryMode=0755
StandardOutput=journal
StandardError=journal
# Sandboxing: every option below is explicitly set to false, i.e. DISABLED (these
# are also systemd's defaults), so NO hardening is applied — the agent runs as
# unconfined root because it performs system-level Kubernetes node operations.
# Each line is a deliberate, visible opt-out to revisit as the agent's needs
# narrow; options like ProtectKernelLogs, ProtectClock, ProtectHostname,
# RestrictRealtime and LockPersonality are worth testing first since they rarely
# conflict with node management.
NoNewPrivileges=false
ProtectSystem=false
ProtectHome=false
PrivateTmp=false
PrivateDevices=false
ProtectHostname=false
ProtectClock=false
ProtectKernelTunables=false
ProtectKernelModules=false
ProtectKernelLogs=false
ProtectControlGroups=false
RestrictNamespaces=false
LockPersonality=false
MemoryDenyWriteExecute=false
RestrictRealtime=false
RestrictSUIDSGID=false
RemoveIPC=false
# Paths the agent needs to write; the "-" prefix tells systemd to ignore a path
# that does not exist instead of failing the unit.
# NOTE(review): with ProtectSystem=false nothing is read-only, so this list does
# not currently restrict anything; it documents intent and becomes the effective
# allow-list only if ProtectSystem=strict (or full) is enabled above.
ReadWritePaths=-/etc/kubernetes -/var/lib/kubelet -/var/lib/containerd -/etc/containerd -/opt/cni -/etc/cni -/etc/systemd/system -/etc/sysctl.d -/etc/modules-load.d -/var/log/aks-flex-node -/tmp -/etc/aks-flex-node -/run/aks-flex-node
[Install]
# `systemctl enable` hooks the unit into the normal multi-user boot target.
WantedBy=multi-user.target