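# This is the system spec that must be satisfied by the images running on GKE.
#
# Layout of this file:
#   os                   - expected OS family.
#   kernelSpec.versions  - kernel version regexes (presumably any one must match).
#   kernelSpec.required  - kernel configurations that must be set to "y" or "m".
#   packageSpecs         - packages with their minimum version ranges.
#   packageSpecOverrides - per-distro additions to / subtractions from packageSpecs.
#
# Kernel configuration names (`name` and every `alias` entry) are written
# without the CONFIG_ prefix, consistently throughout the file.

os: Linux

kernelSpec:
  versions:
    # GKE requires kernel version 4.4+. The patterns are single-quoted so the
    # backslash and the regex metacharacters are kept literally.
    - '4\.[4-9].*'
    - '4\.[1-9][0-9].*'
    - '[5-9].*'

  # Required kernel configurations -- the configuration must be set to "y" or
  # "m".
  required:
    # The configurations required by virtual machine or cloud provider.

    - name: BOOTPARAM_HARDLOCKUP_PANIC
      description: 'Enable the kernel to panic on "hard lockups".'
    - name: BOOTPARAM_SOFTLOCKUP_PANIC
      description: 'Enable the kernel to panic on "soft lockups".'
    - name: PANIC_ON_OOPS
      description: 'Enable the kernel to panic when it oops.'
    - name: PVPANIC
      description: 'Enable the VM (guest) to communicate panic events with the
        host.'
    - name: DMIID
      description: 'Make sure /sys/class/dmi is exported - cAdvisor currently
        uses this to determine which the cloud provider it is: aws, azure, or
        gce, etc'
    - name: ACPI_BUTTON
      description: 'Enable the software-controlled power management, and required
        by reset or stop button of GCE console.'

    # The configurations required by network.

    - name: INET
      description: 'Enable TCP/IP networking.'
    - name: VXLAN
      description: 'Required by the overlay networking in Kubernetes.'
    - name: IP_SET
      description: 'Required by Kubernetes network policy.'
    - name: IP_SET_HASH_IP
      description: 'This introduces hash:ip set type support, which is required
        by Kubernetes Calico networking.'
    - name: IPVLAN
      description: 'Required by IPVLAN feature.'
    - name: IPV6
      description: 'Required by IPVLAN feature.'
    - name: IP6_NF_IPTABLES
      description: 'Required by kube-proxy.'
    - name: IP_NF_TARGET_REDIRECT
      # `alias` lists alternative configuration names that satisfy the same
      # requirement (the option was renamed in newer kernels).
      alias:
        - NETFILTER_XT_TARGET_REDIRECT
      description: 'Enabled REDIRECT: all incoming connections are mapped onto
        the incoming interface''s address, causing the packets to come to the
        local machine instead of passing through. This is required by
        kube-proxy.'
    - name: NETFILTER_XT_MATCH_COMMENT
      description: 'This option adds a "comment" dummy-match, which allows you to
        put comments in your iptables ruleset. Today''s kube-proxy implementation
        depends on this feature.'
    # This is not critical, but debian-based container-vm kernel module study
    # shows that many customers' nodes have loaded those kernel modules. We
    # suspect sysdig module depends on these set of kernel modules for
    # monitoring.
    - name: PACKET_DIAG
      description: 'Required by ss (similar to netstat) tools to display Linux
        TCP / UDP network and socket information.'
    - name: UNIX_DIAG
      description: 'Required by ss (similar to netstat) tools to display Linux
        TCP / UDP network and socket information.'
    - name: INET_DIAG
      description: 'Required by ss (similar to netstat) tools to display Linux
        TCP / UDP network and socket information.'
    - name: INET_TCP_DIAG
      description: 'Required by ss (similar to netstat) tools to display Linux
        TCP / UDP network and socket information.'
    - name: INET_UDP_DIAG
      description: 'Required by ss (similar to netstat) tools to display Linux
        TCP / UDP network and socket information.'
    - name: NETLINK_DIAG
      description: 'Required by ss (similar to netstat) tools to display Linux
        TCP / UDP network and socket information.'

    # The configurations are required by filesystem.

    - name: EXT4_FS
    - name: DEBUG_FS
    - name: PROC_FS
    - name: XFS_FS
    - name: SCSI_PROC_FS
    # Currently Kubelet supports three docker graph drivers: overlay, aufs, and
    # devicemapper due to the legacy reason. But for GKE, we plan to only support
    # overlayfs.
    - name: OVERLAY_FS
      description: 'Enable OverlayFS, which will be the only docker graph driver
        supported on GKE.'
    - name: NFS_FS
      description: 'Required by NFS support.'
    - name: AUTOFS4_FS
      description: 'Required by NFS support.'
    - name: NFS_FSCACHE
      description: 'Required by NFS support.'
    - name: FSCACHE
      description: 'Required by NFS support.'
    - name: CACHEFILES
      description: 'Required by NFS support.'
    - name: FUSE_FS
      description: 'Required by GlusterFS support.'
    - name: BCACHE
      # TODO(yguo0905): Add a description for BCACHE.

    # The configuration required by the resource isolation, accounting, and
    # management.

    - name: NAMESPACES
      description: 'Required by kubelet and docker. Enabling it allows the
        processes within a pod or a container to have their own view of the
        system.'
    - name: IPC_NS
      description: 'Required by kubelet and docker. Enabling it allows the
        processes within a pod or a container to have their own view of the
        system.'
    - name: NET_NS
      description: 'Required by kubelet and docker. Enabling it allows the
        processes within a pod or a container to have their own view of the
        system.'
    - name: PID_NS
      description: 'Required by kubelet and docker. Enabling it allows the
        processes within a pod or a container to have their own view of the
        system.'
    - name: UTS_NS
      description: 'Required by kubelet and docker. Enabling it allows the
        processes within a pod or a container to have their own view of the
        system.'
    - name: CGROUPS
      description: 'Required by kubelet and docker. The resource usage of the
        processes within a pod or a container can be monitored, accounted, and
        controlled.'
    - name: CGROUP_CPUACCT
      description: 'Required by kubelet and docker. The resource usage of the
        processes within a pod or a container can be monitored, accounted, and
        controlled.'
    - name: CGROUP_DEVICE
      description: 'Required by kubelet and docker. The resource usage of the
        processes within a pod or a container can be monitored, accounted, and
        controlled.'
    - name: CGROUP_SCHED
      description: 'Required by kubelet and docker. The resource usage of the
        processes within a pod or a container can be monitored, accounted, and
        controlled.'
    - name: CPUSETS
      description: 'Required by kubelet and docker. The resource usage of the
        processes within a pod or a container can be monitored, accounted, and
        controlled.'
    - name: MEMCG
      description: 'Required by kubelet and docker. The resource usage of the
        processes within a pod or a container can be monitored, accounted, and
        controlled.'
    - name: QUOTA
      description: 'Required by kubelet to have an accurate and efficient disk
        space and inode accounting, and eventually to limit the usage.'

    # The security-related configurations. These are the node's kernel
    # hardening and audit baseline; removing any of them weakens that baseline.

    - name: SECCOMP
      description: 'Enabled the SECCOMP application API.'
    - name: SECURITY_APPARMOR
      description: 'Enable for AppArmor support.'
    - name: CC_STACKPROTECTOR_STRONG
      # Each alternative name is its own list item. A continuation line without
      # a leading "-" would be folded into the previous scalar, producing a
      # single alias of two names joined by a space that can never match.
      # The names carry no CONFIG_ prefix, consistent with every other
      # `name`/`alias` entry in this file.
      alias:
        - CC_STACKPROTECTOR_REGULAR
        - CC_STACKPROTECTOR_ALL
      description: 'Add the stack buffer overflow protections.'
    - name: STRICT_DEVMEM
      description: 'Required for blocking the direct physical memory access.'
    - name: IMA
      description: 'Required for security-related logging and auditing.'
    - name: AUDIT
      description: 'Required for security-related logging and auditing.'
    - name: AUDITSYSCALL
      description: 'Required for security-related logging and auditing.'

    # Misc. configurations

    - name: MODULES
      description: 'Required for loadable module support.'
    - name: PRINTK
      description: 'Required for kernel logging message.'
    - name: MMU
      description: 'Required for memory management hardware and mmap() system
        call.'

# Every versionRange starts with ">", which is a YAML block-scalar indicator,
# so the values must stay quoted.
packageSpecs:
  - name: apparmor
    versionRange: '>=2.10.1'
  - name: apparmor-profiles
    versionRange: '>=2.10.1'
  - name: audit
    versionRange: '>=2.5.0'
  - name: autofs
    versionRange: '>=5.0.7'
  - name: bash
    versionRange: '>=4.3'
  - name: bridge-utils
    versionRange: '>=1.5'
  - name: cloud-init
    versionRange: '>=0.7.6'
  - name: coreutils
    versionRange: '>=8.24'
  - name: dbus
    versionRange: '>=1.6.8'
  - name: e2fsprogs
    versionRange: '>=1.4.3'
  - name: ebtables
    versionRange: '>=2.0.10'
  - name: ethtool
    versionRange: '>=3.18'
  - name: iproute2
    versionRange: '>=4.2.0'
  - name: less
    versionRange: '>=481'
  - name: netcat-openbsd
    versionRange: '>=1.10'
  - name: python
    versionRange: '>=2.7.10'
  - name: pv
    versionRange: '>=1.3.4'
  - name: sudo
    versionRange: '>=1.8.12'
  - name: systemd
    versionRange: '>=225'
  - name: tar
    versionRange: '>=1.28'
  - name: util-linux
    versionRange: '>=2.27.1'
  - name: wget
    versionRange: '>=1.18'
  - name: gce-compute-image-packages
    versionRange: '>=20170227'
  # TODO(yguo0905): Figure out whether watchdog is required.

# packageSpecOverrides contains the OS distro specific package requirements.
# Each override names a distro, removes entries from packageSpecs
# (subtractions) and adds distro-specific ones (additions).
packageSpecOverrides:
  # The following overrides apply to all Ubuntu images.
  - osDistro: ubuntu
    subtractions:
      - name: apparmor-profiles
        description: 'On Ubuntu the apparmor profiles are shipped with individual
          application package, so the "apparmor-profiles" package is not required.'
      - name: audit
        description: 'On Ubuntu the equivalent package is called "auditd", so the
          "audit" package is not required and "auditd" exists in the additions.'
      - name: wget
        description: 'The Ubuntu 1604-xenial image includes wget 1.17.1, which does
          not satisfy the spec (>=1.18), but meets the functionality requirements.
          Therefore, it is removed from the base spec. See wget in the additions.'
    additions:
      - name: auditd
        versionRange: '>=2.4.5'
        description: 'auditd 2.4.5 currently satisfies the requirements because the
          GKE features that require auditd 2.5 are not yet available.'
      - name: grub-common
        versionRange: '>=2.2'
        description: 'grub is the bootloader on Ubuntu.'
      - name: wget
        versionRange: '>=1.17.1'
        description: 'wget 1.17.1 satisfies the functionality requirements but does
          not meet the spec, which is fine'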