shift privilege escalation away from the execution environment

Ibrahim Mkusa 2024-11-18 19:06:38 -05:00
parent 4fcb767d1f
commit ae2ce25e24


@ -1,11 +1,11 @@
--- ---
- name: adds the kubernetes repo and installs kubectl - name: adds the kubernetes repo and installs kubectl
hosts: localhost hosts: all
become: true
tasks: tasks:
- name: update apt cache - name: update apt cache
ansible.builtin.apt: ansible.builtin.apt:
update_cache: true update_cache: true
become: true
- name: install core pre-reqs - name: install core pre-reqs
ansible.builtin.apt: ansible.builtin.apt:
@ -14,28 +14,33 @@
- ca-certificates - ca-certificates
- curl - curl
- gnupg - gnupg
become: true
- name: check to see if gpg key exists - name: check to see if gpg key exists
ansible.builtin.stat: ansible.builtin.stat:
path: /etc/apt/keyrings/kubernetes-apt-keyring.gpg path: /etc/apt/keyrings/kubernetes-apt-keyring.gpg
register: st register: st
become: true
- name: download the key and install it - name: download the key and install it
ansible.builtin.shell: | ansible.builtin.shell: |
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.31/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.31/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
sudo chmod 644 /etc/apt/keyrings/kubernetes-apt-keyring.gpg # allow unprivileged APT programs to read this keyring sudo chmod 644 /etc/apt/keyrings/kubernetes-apt-keyring.gpg # allow unprivileged APT programs to read this keyring
when: st.stat.exists != true when: st.stat.exists != true
become: true
- name: add the kubernetes apt repository - name: add the kubernetes apt repository
ansible.builtin.apt_repository: ansible.builtin.apt_repository:
repo: "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.31/deb/ /" repo: "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.31/deb/ /"
state: present state: present
filename: kubernetes.list filename: kubernetes.list
become: true
- name: update apt cache and install kubectl - name: update apt cache and install kubectl
ansible.builtin.apt: ansible.builtin.apt:
name: kubectl name: kubectl
update_cache: true update_cache: true
become: true
- name: does argocd exists - name: does argocd exists
@ -49,4 +54,4 @@
sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd
rm argocd-linux-amd64 rm argocd-linux-amd64
when: st.stat.exists != true when: st.stat.exists != true
become: true
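Review bot: The key-install task at the `curl -fsSL ... | sudo gpg --dearmor` line still trusts whatever pkgs.k8s.io serves with no integrity check, and because it runs through `ansible.builtin.shell` without `pipefail`, a failed download is masked by gpg's exit status and can leave an empty or truncated keyring that the `signed-by=` repo entry added two tasks later then depends on. Now that `become: true` sits on the play, the `sudo` prefixes on that line, on the following `chmod`, and on `sudo install -m 555 argocd-linux-amd64 ...` are redundant and only add a hidden dependency on sudo being present on every host in `all`. I would replace the pipeline with `ansible.builtin.get_url` (which fails the task on any HTTP error and accepts a `checksum:` pinned to a digest of the key recorded out-of-band) followed by a `gpg --dearmor` command task, and write the conditions as `when: not st.stat.exists` rather than `!= true`. The argocd task's download step is cut off above this hunk, so I cannot see whether that binary is verified either.
```yaml
# … unchanged: stat of /etc/apt/keyrings/kubernetes-apt-keyring.gpg registered as st …
    - name: download the kubernetes apt signing key
      ansible.builtin.get_url:
        url: https://pkgs.k8s.io/core:/stable:/v1.31/deb/Release.key
        dest: /etc/apt/keyrings/kubernetes-release.key
        mode: "0644"
        # checksum: "sha256:<digest recorded out-of-band>" — pin once verified
      when: not st.stat.exists
    - name: dearmor the key so unprivileged apt can read it
      ansible.builtin.command:
        cmd: gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg /etc/apt/keyrings/kubernetes-release.key
        creates: /etc/apt/keyrings/kubernetes-apt-keyring.gpg
# … unchanged: apt_repository entry and kubectl install …
```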