diff --git a/cluster/addons/dns/coredns/coredns.yaml.base b/cluster/addons/dns/coredns/coredns.yaml.base
index e4aecf85acd..8f7a8753d73 100644
--- a/cluster/addons/dns/coredns/coredns.yaml.base
+++ b/cluster/addons/dns/coredns/coredns.yaml.base
@@ -105,7 +105,7 @@ spec:
 labels:
 k8s-app: kube-dns
 annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
 spec:
 priorityClassName: system-cluster-critical
 serviceAccountName: coredns
diff --git a/cluster/addons/dns/coredns/coredns.yaml.in b/cluster/addons/dns/coredns/coredns.yaml.in
index 1367336efe1..fbcd41e2d22 100644
--- a/cluster/addons/dns/coredns/coredns.yaml.in
+++ b/cluster/addons/dns/coredns/coredns.yaml.in
@@ -105,7 +105,7 @@ spec:
 labels:
 k8s-app: kube-dns
 annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
 spec:
 priorityClassName: system-cluster-critical
 serviceAccountName: coredns
diff --git a/cluster/addons/dns/coredns/coredns.yaml.sed b/cluster/addons/dns/coredns/coredns.yaml.sed
index ca061bb1c00..72245ecccf4 100644
--- a/cluster/addons/dns/coredns/coredns.yaml.sed
+++ b/cluster/addons/dns/coredns/coredns.yaml.sed
@@ -105,7 +105,7 @@ spec:
 labels:
 k8s-app: kube-dns
 annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
 spec:
 priorityClassName: system-cluster-critical
 serviceAccountName: coredns
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.base b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
index 6a827ce89a0..e4fc5d7a78d 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.base
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
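Review bot: The `seccomp.security.alpha.kubernetes.io/pod` annotation carries no comment explaining the new `runtime/default` value, which is the alpha annotation form of seccomp and depends on the node's container runtime shipping a default profile; a comment above it such as `# runtime/default: the container runtime's default seccomp profile (docker/default is the deprecated alias)` would record why this value was chosen. On releases that expose `securityContext.seccompProfile` with `type: RuntimeDefault`, that field is the supported replacement and should be preferred over the annotation. The same change is repeated in the `.in` and `.sed` copies here and in the first hunk of each kube-dns file, so the comment belongs in all six. The CoreDNS container spec itself lies outside these hunks; it is worth confirming it already carries the `allowPrivilegeEscalation`/`readOnlyRootFilesystem` hardening this commit adds to the kube-dns containers.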
@@ -82,7 +82,7 @@ spec:
 labels:
 k8s-app: kube-dns
 annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
 prometheus.io/port: "10054"
 prometheus.io/scrape: "true"
 spec:
@@ -150,6 +150,11 @@ spec:
 volumeMounts:
 - name: kube-dns-config
 mountPath: /kube-dns-config
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 1001
 - name: dnsmasq
 image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
 livenessProbe:
@@ -190,6 +195,13 @@ spec:
 volumeMounts:
 - name: kube-dns-config
 mountPath: /etc/k8s/dns/dnsmasq-nanny
+ securityContext:
+ capabilities:
+ drop:
+ - all
+ add:
+ - NET_BIND_SERVICE
+ - SETGID
 - name: sidecar
 image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
 livenessProbe:
@@ -214,5 +226,10 @@ spec:
 requests:
 memory: 20Mi
 cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 1001
 dnsPolicy: Default # Don't use cluster DNS.
 serviceAccountName: kube-dns
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.in b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
index b677a232d3c..51b8bbddb66 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.in
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
@@ -82,7 +82,7 @@ spec:
 labels:
 k8s-app: kube-dns
 annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
 prometheus.io/port: "10054"
 prometheus.io/scrape: "true"
 spec:
@@ -150,6 +150,11 @@ spec:
 volumeMounts:
 - name: kube-dns-config
 mountPath: /kube-dns-config
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 1001
 - name: dnsmasq
 image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
 livenessProbe:
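Review bot: The kubedns container's new securityContext in the `@@ -150,6 +150,11 @@` hunk does not drop capabilities, whereas the dnsmasq hunk below in the same file drops everything and re-adds an allow-list; since this container runs as UID 1001 it needs no capabilities at all, so add `capabilities:` / `drop:` / `- ALL` under the new block. `runAsGroup` is only honoured when the kubelet's RunAsGroup feature is enabled, so on older nodes the primary group silently stays at the image default — if the addon still targets such releases, say so in a comment next to the field. With `readOnlyRootFilesystem: true` the container has no writable path unless a volume provides one; confirm kubedns does not write to its root filesystem at runtime. The sidecar hunk (`@@ -214,5 +226,10 @@`) and the `.in`/`.sed` copies add the identical block and need the same treatment.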
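Review bot: In the `@@ -190,6 +195,13 @@` hunk `drop: - all` uses the lowercase spelling; the documented capability name is `ALL`, and policy checks such as the restricted Pod Security profile look for the literal `ALL`, so write `- ALL` rather than relying on the runtime to normalise case. The dnsmasq securityContext also omits the `allowPrivilegeEscalation: false` that the kubedns and sidecar containers get in this commit; it is compatible with running as root under an explicit capability allow-list, so add it unless the nanny depends on a setuid helper. The allow-list grants SETGID but not SETUID even though dnsmasq drops to an unprivileged user by default, which suggests either the nanny starts dnsmasq with `--user=root` or SETUID is not needed in this image — a comment on the `add:` list stating which would spare the next reader the same question. The same hunk appears in `kube-dns.yaml.in` and `kube-dns.yaml.sed`.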
@@ -190,6 +195,13 @@ spec:
 volumeMounts:
 - name: kube-dns-config
 mountPath: /etc/k8s/dns/dnsmasq-nanny
+ securityContext:
+ capabilities:
+ drop:
+ - all
+ add:
+ - NET_BIND_SERVICE
+ - SETGID
 - name: sidecar
 image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
 livenessProbe:
@@ -214,5 +226,10 @@ spec:
 requests:
 memory: 20Mi
 cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 1001
 dnsPolicy: Default # Don't use cluster DNS.
 serviceAccountName: kube-dns
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
index ea5e6bae54a..484c0a211ca 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
@@ -82,7 +82,7 @@ spec:
 labels:
 k8s-app: kube-dns
 annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
 prometheus.io/port: "10054"
 prometheus.io/scrape: "true"
 spec:
@@ -150,6 +150,11 @@ spec:
 volumeMounts:
 - name: kube-dns-config
 mountPath: /kube-dns-config
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 1001
 - name: dnsmasq
 image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
 livenessProbe:
@@ -190,6 +195,13 @@ spec:
 volumeMounts:
 - name: kube-dns-config
 mountPath: /etc/k8s/dns/dnsmasq-nanny
+ securityContext:
+ capabilities:
+ drop:
+ - all
+ add:
+ - NET_BIND_SERVICE
+ - SETGID
 - name: sidecar
 image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
 livenessProbe:
@@ -214,5 +226,10 @@ spec:
 requests:
 memory: 20Mi
 cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 1001
 dnsPolicy: Default # Don't use cluster DNS.
 serviceAccountName: kube-dns