Merge pull request #82347 from pjbgf/non-root

Harden kube-dns to run with less privileges.
2025-07-23 03:41:45 +00:00 · 2019-09-25 11:04:59 -07:00 · 2019-09-25 11:04:59 -07:00 · 129a13af98
commit 129a13af98
parent df271a1799 9997dfd72d
6 changed files with 57 additions and 6 deletions
--- a/cluster/addons/dns/coredns/coredns.yaml.base
+++ b/cluster/addons/dns/coredns/coredns.yaml.base
@ -105,7 +105,7 @@ spec:
      labels:
        k8s-app: kube-dns
      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      priorityClassName: system-cluster-critical
      serviceAccountName: coredns
--- a/cluster/addons/dns/coredns/coredns.yaml.in
+++ b/cluster/addons/dns/coredns/coredns.yaml.in
@ -105,7 +105,7 @@ spec:
      labels:
        k8s-app: kube-dns
      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      priorityClassName: system-cluster-critical
      serviceAccountName: coredns
--- a/cluster/addons/dns/coredns/coredns.yaml.sed
+++ b/cluster/addons/dns/coredns/coredns.yaml.sed
@ -105,7 +105,7 @@ spec:
      labels:
        k8s-app: kube-dns
      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      priorityClassName: system-cluster-critical
      serviceAccountName: coredns
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.base
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
@ -82,7 +82,7 @@ spec:
      labels:
        k8s-app: kube-dns
      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
        prometheus.io/port: "10054"
        prometheus.io/scrape: "true"
    spec:
@ -150,6 +150,11 @@ spec:
        volumeMounts:
        - name: kube-dns-config
          mountPath: /kube-dns-config
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsUser: 1001
+          runAsGroup: 1001
      - name: dnsmasq
        image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
        livenessProbe:
@ -190,6 +195,13 @@ spec:
        volumeMounts:
        - name: kube-dns-config
          mountPath: /etc/k8s/dns/dnsmasq-nanny
+        securityContext:
+          capabilities:
+            drop:
+              - all
+            add:
+              - NET_BIND_SERVICE
+              - SETGID
      - name: sidecar
        image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
        livenessProbe:
@ -214,5 +226,10 @@ spec:
          requests:
            memory: 20Mi
            cpu: 10m
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsUser: 1001
+          runAsGroup: 1001
      dnsPolicy: Default  # Don't use cluster DNS.
      serviceAccountName: kube-dns
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.in
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
@ -82,7 +82,7 @@ spec:
      labels:
        k8s-app: kube-dns
      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
        prometheus.io/port: "10054"
        prometheus.io/scrape: "true"
    spec:
@ -150,6 +150,11 @@ spec:
        volumeMounts:
        - name: kube-dns-config
          mountPath: /kube-dns-config
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsUser: 1001
+          runAsGroup: 1001
      - name: dnsmasq
        image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
        livenessProbe:
@ -190,6 +195,13 @@ spec:
        volumeMounts:
        - name: kube-dns-config
          mountPath: /etc/k8s/dns/dnsmasq-nanny
+        securityContext:
+          capabilities:
+            drop:
+              - all
+            add:
+              - NET_BIND_SERVICE
+              - SETGID
      - name: sidecar
        image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
        livenessProbe:
@ -214,5 +226,10 @@ spec:
          requests:
            memory: 20Mi
            cpu: 10m
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsUser: 1001
+          runAsGroup: 1001
      dnsPolicy: Default  # Don't use cluster DNS.
      serviceAccountName: kube-dns
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
@ -82,7 +82,7 @@ spec:
      labels:
        k8s-app: kube-dns
      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
        prometheus.io/port: "10054"
        prometheus.io/scrape: "true"
    spec:
@ -150,6 +150,11 @@ spec:
        volumeMounts:
        - name: kube-dns-config
          mountPath: /kube-dns-config
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsUser: 1001
+          runAsGroup: 1001
      - name: dnsmasq
        image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
        livenessProbe:
@ -190,6 +195,13 @@ spec:
        volumeMounts:
        - name: kube-dns-config
          mountPath: /etc/k8s/dns/dnsmasq-nanny
+        securityContext:
+          capabilities:
+            drop:
+              - all
+            add:
+              - NET_BIND_SERVICE
+              - SETGID
      - name: sidecar
        image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
        livenessProbe:
@ -214,5 +226,10 @@ spec:
          requests:
            memory: 20Mi
            cpu: 10m
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsUser: 1001
+          runAsGroup: 1001
      dnsPolicy: Default  # Don't use cluster DNS.
      serviceAccountName: kube-dns