From 594b18a1194a969e07782f7a4a896051a895bf7e Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Wed, 4 Sep 2019 19:39:03 +0100
Subject: [PATCH 1/7] Harden kube-dns to run with less privileges.
---
.../addons/dns/kube-dns/kube-dns.yaml.base | 21 +++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.base b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
index 6a827ce89a0..adf059dfce6 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.base
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
@@ -88,6 +88,7 @@ spec:
spec:
priorityClassName: system-cluster-critical
securityContext:
+ runAsNonRoot: true
supplementalGroups: [ 65534 ]
fsGroup: 65534
tolerations:
@@ -150,6 +151,11 @@ spec:
volumeMounts:
- name: kube-dns-config
mountPath: /kube-dns-config
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 2001
- name: dnsmasq
image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
livenessProbe:
@@ -190,6 +196,16 @@ spec:
volumeMounts:
- name: kube-dns-config
mountPath: /etc/k8s/dns/dnsmasq-nanny
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsNonRoot: false
+ capabilities:
+ drop:
+ - all
+ add:
+ - NET_BIND_SERVICE
+ - SETGID
- name: sidecar
image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
livenessProbe:
@@ -214,5 +230,10 @@ spec:
requests:
memory: 20Mi
cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 2001
dnsPolicy: Default # Don't use cluster DNS.
serviceAccountName: kube-dns
From f12d1347b27568835c77ca0ab8a59428fa45ea2d Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Wed, 4 Sep 2019 21:49:31 +0100
Subject: [PATCH 2/7] Update .in and .sed files.
---
cluster/addons/dns/kube-dns/kube-dns.yaml.in | 21 +++++++++++++++++++
cluster/addons/dns/kube-dns/kube-dns.yaml.sed | 21 +++++++++++++++++++
2 files changed, 42 insertions(+)
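Review bot: The wildcard under `drop:` in the dnsmasq container's new securityContext is spelled lowercase `all`, while Kubernetes documentation and policy checks spell it `ALL`; container runtimes generally compare capability names case-insensitively, but linters and admission rules that match the literal string may not treat `- all` as dropping everything, so `- ALL` is the safer spelling (the two names under `add:` already follow the convention). The hunk also records no reason for keeping this one container as root with `NET_BIND_SERVICE` and `SETGID` while the preceding container in this file is pinned to `runAsUser: 1001`; a comment above `capabilities:` such as `# dnsmasq-nanny starts as root, presumably to bind the DNS port and switch group; every other capability is dropped` would save the next reader from re-deriving it, with the exact requirement confirmed against the image. The dnsmasq container definition starts before this hunk.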
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.in b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
index b677a232d3c..dfc4ec6241b 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.in
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
@@ -88,6 +88,7 @@ spec:
spec:
priorityClassName: system-cluster-critical
securityContext:
+ runAsNonRoot: true
supplementalGroups: [ 65534 ]
fsGroup: 65534
tolerations:
@@ -150,6 +151,11 @@ spec:
volumeMounts:
- name: kube-dns-config
mountPath: /kube-dns-config
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 2001
- name: dnsmasq
image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
livenessProbe:
@@ -190,6 +196,16 @@ spec:
volumeMounts:
- name: kube-dns-config
mountPath: /etc/k8s/dns/dnsmasq-nanny
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsNonRoot: false
+ capabilities:
+ drop:
+ - all
+ add:
+ - NET_BIND_SERVICE
+ - SETGID
- name: sidecar
image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
livenessProbe:
@@ -214,5 +230,10 @@ spec:
requests:
memory: 20Mi
cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 2001
dnsPolicy: Default # Don't use cluster DNS.
serviceAccountName: kube-dns
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
index ea5e6bae54a..97ef30e8de0 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
@@ -88,6 +88,7 @@ spec:
spec:
priorityClassName: system-cluster-critical
securityContext:
+ runAsNonRoot: true
supplementalGroups: [ 65534 ]
fsGroup: 65534
tolerations:
@@ -150,6 +151,11 @@ spec:
volumeMounts:
- name: kube-dns-config
mountPath: /kube-dns-config
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 2001
- name: dnsmasq
image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
livenessProbe:
@@ -190,6 +196,16 @@ spec:
volumeMounts:
- name: kube-dns-config
mountPath: /etc/k8s/dns/dnsmasq-nanny
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: false
+ runAsNonRoot: false
+ capabilities:
+ drop:
+ - all
+ add:
+ - NET_BIND_SERVICE
+ - SETGID
- name: sidecar
image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
livenessProbe:
@@ -214,5 +230,10 @@ spec:
requests:
memory: 20Mi
cpu: 10m
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 2001
dnsPolicy: Default # Don't use cluster DNS.
serviceAccountName: kube-dns
From 8dcc976db377865f034fbe785ab31d53409b9ade Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Wed, 4 Sep 2019 23:02:01 +0100
Subject: [PATCH 3/7] Fix identation issue.
---
cluster/addons/dns/kube-dns/kube-dns.yaml.base | 10 +++++-----
cluster/addons/dns/kube-dns/kube-dns.yaml.in | 10 +++++-----
cluster/addons/dns/kube-dns/kube-dns.yaml.sed | 10 +++++-----
3 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.base b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
index adf059dfce6..0a85f9ca8c0 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.base
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
@@ -230,10 +230,10 @@ spec:
requests:
memory: 20Mi
cpu: 10m
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsUser: 1001
- runAsGroup: 2001
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 2001
dnsPolicy: Default # Don't use cluster DNS.
serviceAccountName: kube-dns
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.in b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
index dfc4ec6241b..4c10cfc50af 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.in
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
@@ -230,10 +230,10 @@ spec:
requests:
memory: 20Mi
cpu: 10m
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsUser: 1001
- runAsGroup: 2001
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 2001
dnsPolicy: Default # Don't use cluster DNS.
serviceAccountName: kube-dns
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
index 97ef30e8de0..6c3c96140c4 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
@@ -230,10 +230,10 @@ spec:
requests:
memory: 20Mi
cpu: 10m
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsUser: 1001
- runAsGroup: 2001
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 2001
dnsPolicy: Default # Don't use cluster DNS.
serviceAccountName: kube-dns
From 72ee17c5ca01e6218ed867d0795d49a142b9cfc9 Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Wed, 11 Sep 2019 19:30:32 +0100
Subject: [PATCH 4/7] Adding recommendations from tallclair.
---
cluster/addons/dns/kube-dns/kube-dns.yaml.base | 5 +----
cluster/addons/dns/kube-dns/kube-dns.yaml.in | 5 +----
cluster/addons/dns/kube-dns/kube-dns.yaml.sed | 5 +----
3 files changed, 3 insertions(+), 12 deletions(-)
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.base b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
index 0a85f9ca8c0..90a700eceff 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.base
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
@@ -82,13 +82,12 @@ spec:
labels:
k8s-app: kube-dns
annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
prometheus.io/port: "10054"
prometheus.io/scrape: "true"
spec:
priorityClassName: system-cluster-critical
securityContext:
- runAsNonRoot: true
supplementalGroups: [ 65534 ]
fsGroup: 65534
tolerations:
@@ -198,8 +197,6 @@ spec:
mountPath: /etc/k8s/dns/dnsmasq-nanny
securityContext:
allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
- runAsNonRoot: false
capabilities:
drop:
- all
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.in b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
index 4c10cfc50af..2b6f7bf5f81 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.in
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
@@ -82,13 +82,12 @@ spec:
labels:
k8s-app: kube-dns
annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
prometheus.io/port: "10054"
prometheus.io/scrape: "true"
spec:
priorityClassName: system-cluster-critical
securityContext:
- runAsNonRoot: true
supplementalGroups: [ 65534 ]
fsGroup: 65534
tolerations:
@@ -198,8 +197,6 @@ spec:
mountPath: /etc/k8s/dns/dnsmasq-nanny
securityContext:
allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
- runAsNonRoot: false
capabilities:
drop:
- all
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
index 6c3c96140c4..86e740ec79c 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
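Review bot: Dropping the pod-level `runAsNonRoot: true` removes the only non-root assertion covering the two containers that are meant to stay unprivileged; they still carry `runAsUser: 1001` elsewhere in this file, which fixes the uid, but nothing now declares the intent where policy tooling or a reader would look for it. Since the pod-wide setting is presumably removed because the dnsmasq-nanny container needs root, the natural replacement is `runAsNonRoot: true` inside the securityContext of each container that sets `runAsUser: 1001`, directly under that line. The seccomp annotation change itself raises nothing; the rest of the pod template is outside the hunk.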
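Review bot: After this removal the dnsmasq container is the only one of the three without `readOnlyRootFilesystem: true`, and the hunk leaves no trace of why (the removed `readOnlyRootFilesystem: false` only restated the default, so nothing is lost functionally). If the nanny or dnsmasq writes to its root filesystem at runtime, a comment on the `securityContext:` line such as `# root filesystem left writable: dnsmasq-nanny writes to it at runtime (confirm against the image)` documents the exception; if it does not, `readOnlyRootFilesystem: true` could be added here to match the other two containers. The dnsmasq container definition starts before this hunk.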
@@ -82,13 +82,12 @@ spec:
labels:
k8s-app: kube-dns
annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
prometheus.io/port: "10054"
prometheus.io/scrape: "true"
spec:
priorityClassName: system-cluster-critical
securityContext:
- runAsNonRoot: true
supplementalGroups: [ 65534 ]
fsGroup: 65534
tolerations:
@@ -198,8 +197,6 @@ spec:
mountPath: /etc/k8s/dns/dnsmasq-nanny
securityContext:
allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
- runAsNonRoot: false
capabilities:
drop:
- all
From 2545cbafd9b8e776a84c76dfb94f99fba9e5b6f1 Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Wed, 11 Sep 2019 20:45:35 +0100
Subject: [PATCH 5/7] Replacing deprecated seccomp.
---
cluster/addons/dns/coredns/coredns.yaml.base | 2 +-
cluster/addons/dns/coredns/coredns.yaml.in | 2 +-
cluster/addons/dns/coredns/coredns.yaml.sed | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/cluster/addons/dns/coredns/coredns.yaml.base b/cluster/addons/dns/coredns/coredns.yaml.base
index e4aecf85acd..8f7a8753d73 100644
--- a/cluster/addons/dns/coredns/coredns.yaml.base
+++ b/cluster/addons/dns/coredns/coredns.yaml.base
@@ -105,7 +105,7 @@ spec:
labels:
k8s-app: kube-dns
annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec:
priorityClassName: system-cluster-critical
serviceAccountName: coredns
diff --git a/cluster/addons/dns/coredns/coredns.yaml.in b/cluster/addons/dns/coredns/coredns.yaml.in
index 1367336efe1..fbcd41e2d22 100644
--- a/cluster/addons/dns/coredns/coredns.yaml.in
+++ b/cluster/addons/dns/coredns/coredns.yaml.in
@@ -105,7 +105,7 @@ spec:
labels:
k8s-app: kube-dns
annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec:
priorityClassName: system-cluster-critical
serviceAccountName: coredns
diff --git a/cluster/addons/dns/coredns/coredns.yaml.sed b/cluster/addons/dns/coredns/coredns.yaml.sed
index ca061bb1c00..72245ecccf4 100644
--- a/cluster/addons/dns/coredns/coredns.yaml.sed
+++ b/cluster/addons/dns/coredns/coredns.yaml.sed
@@ -105,7 +105,7 @@ spec:
labels:
k8s-app: kube-dns
annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec:
priorityClassName: system-cluster-critical
serviceAccountName: coredns
From 66a852071a594102ed4dbcfeb4fd9212ce0b1231 Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Tue, 17 Sep 2019 19:05:46 +0100
Subject: [PATCH 6/7] Consolidate UID and GID
---
cluster/addons/dns/kube-dns/kube-dns.yaml.base | 4 ++--
cluster/addons/dns/kube-dns/kube-dns.yaml.in | 4 ++--
cluster/addons/dns/kube-dns/kube-dns.yaml.sed | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.base b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
index 90a700eceff..c98dcafc1ed 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.base
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
@@ -154,7 +154,7 @@ spec:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
- runAsGroup: 2001
+ runAsGroup: 1001
- name: dnsmasq
image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
livenessProbe:
@@ -231,6 +231,6 @@ spec:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
- runAsGroup: 2001
+ runAsGroup: 1001
dnsPolicy: Default # Don't use cluster DNS.
serviceAccountName: kube-dns
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.in b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
index 2b6f7bf5f81..7699f8250df 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.in
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
@@ -154,7 +154,7 @@ spec:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
- runAsGroup: 2001
+ runAsGroup: 1001
- name: dnsmasq
image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
livenessProbe:
@@ -231,6 +231,6 @@ spec:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
- runAsGroup: 2001
+ runAsGroup: 1001
dnsPolicy: Default # Don't use cluster DNS.
serviceAccountName: kube-dns
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
index 86e740ec79c..5e64c5ef9cd 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
@@ -154,7 +154,7 @@ spec:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
- runAsGroup: 2001
+ runAsGroup: 1001
- name: dnsmasq
image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
livenessProbe:
@@ -231,6 +231,6 @@ spec:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
- runAsGroup: 2001
+ runAsGroup: 1001
dnsPolicy: Default # Don't use cluster DNS.
serviceAccountName: kube-dns
From 9997dfd72d853569fba66afd1bc5581c70a92027 Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Thu, 19 Sep 2019 08:15:02 +0100
Subject: [PATCH 7/7] Remove redundant setting.
---
cluster/addons/dns/kube-dns/kube-dns.yaml.base | 1 -
cluster/addons/dns/kube-dns/kube-dns.yaml.in | 1 -
cluster/addons/dns/kube-dns/kube-dns.yaml.sed | 1 -
3 files changed, 3 deletions(-)
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.base b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
index c98dcafc1ed..e4fc5d7a78d 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.base
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
@@ -196,7 +196,6 @@ spec:
- name: kube-dns-config
mountPath: /etc/k8s/dns/dnsmasq-nanny
securityContext:
- allowPrivilegeEscalation: false
capabilities:
drop:
- all
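Review bot: The commit message calls `allowPrivilegeEscalation: false` redundant, but the hunk does not record why, so a later reader or a linter that expects the field on every container will see a root container with added capabilities and no no_new_privs guard and is likely to flag it. If the reasoning is that the container runs as uid 0 and its privileges are already bounded by the capability list that follows, a comment on the `securityContext:` line, `# runs as root; privileges are bounded by the capability list below, so allowPrivilegeEscalation adds nothing here`, keeps that decision next to the code. Whether the capability bounding set really makes the flag a no-op for a root process depends on the runtime and should be confirmed rather than assumed. The dnsmasq container definition starts before this hunk.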
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.in b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
index 7699f8250df..51b8bbddb66 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.in
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
@@ -196,7 +196,6 @@ spec:
- name: kube-dns-config
mountPath: /etc/k8s/dns/dnsmasq-nanny
securityContext:
- allowPrivilegeEscalation: false
capabilities:
drop:
- all
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
index 5e64c5ef9cd..484c0a211ca 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
@@ -196,7 +196,6 @@ spec:
- name: kube-dns-config
mountPath: /etc/k8s/dns/dnsmasq-nanny
securityContext:
- allowPrivilegeEscalation: false
capabilities:
drop:
- all