packet: disable syncing allowed SSH keys on nodes

This commit disables syncing authorized SSH keys for core user on nodes from Packet's user's keys and project's keys, so only keys which are specified in the Lokomotive configuration are actually authorized, as having more keys allowed than specified in the configuration might be a potential security threat. Closes #465 Signed-off-by: Mateusz Gozdek <mateusz@kinvolk.io>
kinvolk · May 28, 2020 · 3f5fc1e · 3f5fc1e
1 parent 833ee49
commit 3f5fc1e
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/assets/lokomotive-kubernetes/packet/flatcar-linux/kubernetes/cl/controller.yaml.tmpl b/assets/lokomotive-kubernetes/packet/flatcar-linux/kubernetes/cl/controller.yaml.tmpl
@@ -34,6 +34,8 @@ systemd:
       enable: true
     - name: locksmithd.service
       mask: true
+    - name: coreos-metadata-sshkeys@core.service
+      mask: true
     - name: wait-for-dns.service
       enable: true
       contents: |

diff --git a/assets/lokomotive-kubernetes/packet/flatcar-linux/kubernetes/workers/cl/worker.yaml.tmpl b/assets/lokomotive-kubernetes/packet/flatcar-linux/kubernetes/workers/cl/worker.yaml.tmpl
@@ -19,6 +19,8 @@ systemd:
       enable: true
     - name: locksmithd.service
       mask: true
+    - name: coreos-metadata-sshkeys@core.service
+      mask: true
     - name: wait-for-dns.service
       enable: true
       contents: |