Merge pull request #77792 from neolit123/kubeadm-psp-upgrade-fix

kubeadm: prevent PSP blocking of upgrade image prepull
Kubernetes Prow Robot 2019-07-02 04:01:08 -07:00 committed by GitHub
commit 003c4e5155
2 changed files with 8 additions and 1 deletions


@ -45,6 +45,7 @@ go_library(
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
"//staging/src/k8s.io/client-go/pkg/version:go_default_library",
"//vendor/github.com/pkg/errors:go_default_library",
"//vendor/k8s.io/utils/pointer:go_default_library",
],
)


@ -22,13 +22,14 @@ import (
"github.com/pkg/errors"
apps "k8s.io/api/apps/v1"
"k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientset "k8s.io/client-go/kubernetes"
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
"k8s.io/kubernetes/cmd/kubeadm/app/constants"
"k8s.io/kubernetes/cmd/kubeadm/app/images"
"k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient"
utilpointer "k8s.io/utils/pointer"
)
const (
@ -183,6 +184,11 @@ func buildPrePullDaemonSet(component, image string) *apps.DaemonSet {
},
Tolerations: []v1.Toleration{constants.ControlPlaneToleration},
TerminationGracePeriodSeconds: &gracePeriodSecs,
// Explicitly add a PodSecurityContext to allow these Pods to run as non-root.
// This prevents restrictive PSPs from blocking the Pod creation.
SecurityContext: &v1.PodSecurityContext{
RunAsUser: utilpointer.Int64Ptr(999),
},
},
},
},
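Review bot: The literal UID in `RunAsUser: utilpointer.Int64Ptr(999)` is unexplained, and the comment above it overstates what it achieves. It only satisfies policies whose runAsUser rule admits 999; a PSP with a `MustRunAs` range that excludes that value would presumably still reject the prepull Pods. I would move the value into a named constant with a comment saying it is an arbitrary non-zero UID, and reword the comment to `// Run as a fixed non-root UID so PSPs that require non-root do not block Pod creation.` Adding `RunAsNonRoot: utilpointer.BoolPtr(true)` next to it would also make the kubelet refuse to start the container as UID 0 if the field is later changed or overridden. The body of buildPrePullDaemonSet starts and ends outside this hunk, so any container-level security context is not visible here.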