AKSFlexNode/aks-flex-node-agent.service at main · weiliu2dev/AKSFlexNode · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
[Unit]
Description=AKS Flex Node Agent
After=network-online.target
Wants=network-online.target
# Restart on failure to enable auto-recovery
StartLimitIntervalSec=300
StartLimitBurst=5

[Service]
Type=simple
RemainAfterExit=no
ExecStart=/usr/local/bin/aks-flex-node agent --config /etc/aks-flex-node/config.json
TimeoutStartSec=300
TimeoutStopSec=60
# Restart configuration for daemon resilience
Restart=on-failure
RestartSec=30
User=aks-flex-node
Group=aks-flex-node
SupplementaryGroups=himds PLACEHOLDER_USER_GROUP
Environment=AZURE_CONFIG_DIR=PLACEHOLDER_AZURE_CONFIG_DIR
RuntimeDirectory=aks-flex-node
RuntimeDirectoryMode=0755
StandardOutput=journal
StandardError=journal

# Security hardening (runs as non-root user with sudo access for Arc installation)
# Disabled AmbientCapabilities to allow sudo execution
# AmbientCapabilities=CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE CAP_SYS_ADMIN
NoNewPrivileges=false
ProtectSystem=false
ProtectHome=false
PrivateTmp=false
PrivateDevices=false
ProtectHostname=false
ProtectClock=false
ProtectKernelTunables=false
ProtectKernelModules=false
ProtectKernelLogs=false
ProtectControlGroups=false
RestrictNamespaces=false
LockPersonality=false
MemoryDenyWriteExecute=false
RestrictRealtime=false
RestrictSUIDSGID=false
RemoveIPC=false

# Allow access to specific paths that need modification (- prefix makes paths optional)
ReadWritePaths=-/etc/kubernetes -/var/lib/kubelet -/var/lib/containerd -/etc/containerd -/opt/cni -/etc/cni -/etc/systemd/system -/etc/sysctl.d -/etc/modules-load.d -/var/log/aks-flex-node -/tmp -/etc/aks-flex-node -/run/aks-flex-node

[Install]
WantedBy=multi-user.target