Merge pull request #82347 from pjbgf/non-root

Harden kube-dns to run with fewer privileges.
Kubernetes Prow Robot 2019-09-25 11:04:59 -07:00 committed by GitHub
commit 129a13af98
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 57 additions and 6 deletions


@ -105,7 +105,7 @@ spec:
labels: labels:
k8s-app: kube-dns k8s-app: kube-dns
annotations: annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default' seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec: spec:
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
serviceAccountName: coredns serviceAccountName: coredns


@ -105,7 +105,7 @@ spec:
labels: labels:
k8s-app: kube-dns k8s-app: kube-dns
annotations: annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default' seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec: spec:
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
serviceAccountName: coredns serviceAccountName: coredns


@ -105,7 +105,7 @@ spec:
labels: labels:
k8s-app: kube-dns k8s-app: kube-dns
annotations: annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default' seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec: spec:
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
serviceAccountName: coredns serviceAccountName: coredns


@ -82,7 +82,7 @@ spec:
labels: labels:
k8s-app: kube-dns k8s-app: kube-dns
annotations: annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default' seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
prometheus.io/port: "10054" prometheus.io/port: "10054"
prometheus.io/scrape: "true" prometheus.io/scrape: "true"
spec: spec:
@ -150,6 +150,11 @@ spec:
volumeMounts: volumeMounts:
- name: kube-dns-config - name: kube-dns-config
mountPath: /kube-dns-config mountPath: /kube-dns-config
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001
- name: dnsmasq - name: dnsmasq
image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13 image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
livenessProbe: livenessProbe:
@ -190,6 +195,13 @@ spec:
volumeMounts: volumeMounts:
- name: kube-dns-config - name: kube-dns-config
mountPath: /etc/k8s/dns/dnsmasq-nanny mountPath: /etc/k8s/dns/dnsmasq-nanny
securityContext:
capabilities:
drop:
- all
add:
- NET_BIND_SERVICE
- SETGID
- name: sidecar - name: sidecar
image: k8s.gcr.io/k8s-dns-sidecar:1.14.13 image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
livenessProbe: livenessProbe:
@ -214,5 +226,10 @@ spec:
requests: requests:
memory: 20Mi memory: 20Mi
cpu: 10m cpu: 10m
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001
dnsPolicy: Default # Don't use cluster DNS. dnsPolicy: Default # Don't use cluster DNS.
serviceAccountName: kube-dns serviceAccountName: kube-dns
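Review bot: The dnsmasq container's new securityContext (the `@ -190,6 +195,13` hunk) is the only one of the three that still runs as root, and it omits `allowPrivilegeEscalation: false`; because the process starts as uid 0 with NET_BIND_SERVICE and SETGID already in its effective set, adding `allowPrivilegeEscalation: false` there should not interfere with those capabilities, though I would confirm that against the image's entrypoint before relying on it. The kubedns and sidecar contexts pin `runAsUser: 1001` but not `runAsNonRoot: true`, which is the assertion the kubelet enforces at container start and which keeps holding if someone later edits the uid; add `runAsNonRoot: true` under both. dnsmasq by default drops to an unprivileged user after binding, which ordinarily needs CAP_SETUID alongside SETGID, so presumably the nanny starts it in a way that avoids this (CI would otherwise fail), but a one-line comment above the `add:` list stating why SETGID alone suffices would spare the next reader that question. Minor: the dropped capability is spelled `all` while the Kubernetes docs and the other addons use `ALL`; runtimes appear to treat it case-insensitively, but the uppercase form is the conventional spelling. The container definitions extend beyond these hunks, so there may be settings outside my view.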


@ -82,7 +82,7 @@ spec:
labels: labels:
k8s-app: kube-dns k8s-app: kube-dns
annotations: annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default' seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
prometheus.io/port: "10054" prometheus.io/port: "10054"
prometheus.io/scrape: "true" prometheus.io/scrape: "true"
spec: spec:
@ -150,6 +150,11 @@ spec:
volumeMounts: volumeMounts:
- name: kube-dns-config - name: kube-dns-config
mountPath: /kube-dns-config mountPath: /kube-dns-config
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001
- name: dnsmasq - name: dnsmasq
image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13 image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
livenessProbe: livenessProbe:
@ -190,6 +195,13 @@ spec:
volumeMounts: volumeMounts:
- name: kube-dns-config - name: kube-dns-config
mountPath: /etc/k8s/dns/dnsmasq-nanny mountPath: /etc/k8s/dns/dnsmasq-nanny
securityContext:
capabilities:
drop:
- all
add:
- NET_BIND_SERVICE
- SETGID
- name: sidecar - name: sidecar
image: k8s.gcr.io/k8s-dns-sidecar:1.14.13 image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
livenessProbe: livenessProbe:
@ -214,5 +226,10 @@ spec:
requests: requests:
memory: 20Mi memory: 20Mi
cpu: 10m cpu: 10m
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001
dnsPolicy: Default # Don't use cluster DNS. dnsPolicy: Default # Don't use cluster DNS.
serviceAccountName: kube-dns serviceAccountName: kube-dns
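Review bot: The kubedns and sidecar securityContexts (the `@ -150,6 +150,11` and `@ -214,5 +226,10` hunks) set `runAsUser: 1001` / `runAsGroup: 1001` but not `runAsNonRoot: true`, so the "must not be root" intent lives only in the numeric uid and would silently disappear if that value were later changed; add `runAsNonRoot: true` alongside `runAsUser` in both. In contrast, the dnsmasq context in the `@ -190,6 +195,13` hunk keeps the container as root and has no `allowPrivilegeEscalation: false`; since it starts as uid 0 with its two capabilities already effective, adding that line looks safe, but verify against the image's entrypoint. dnsmasq normally changes to an unprivileged user after binding port 53, which needs CAP_SETUID as well as CAP_SETGID, so the nanny presumably invokes it in a way that avoids that step; a short comment above `add:` explaining why only SETGID is granted would document that assumption. Note also `- all` is lowercase where the Kubernetes documentation writes `ALL`; it seems to be accepted by the runtimes, but the uppercase form is the convention. Each container spec continues outside the hunk, so settings I cannot see may already cover some of this.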


@ -82,7 +82,7 @@ spec:
labels: labels:
k8s-app: kube-dns k8s-app: kube-dns
annotations: annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default' seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
prometheus.io/port: "10054" prometheus.io/port: "10054"
prometheus.io/scrape: "true" prometheus.io/scrape: "true"
spec: spec:
@ -150,6 +150,11 @@ spec:
volumeMounts: volumeMounts:
- name: kube-dns-config - name: kube-dns-config
mountPath: /kube-dns-config mountPath: /kube-dns-config
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001
- name: dnsmasq - name: dnsmasq
image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13 image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
livenessProbe: livenessProbe:
@ -190,6 +195,13 @@ spec:
volumeMounts: volumeMounts:
- name: kube-dns-config - name: kube-dns-config
mountPath: /etc/k8s/dns/dnsmasq-nanny mountPath: /etc/k8s/dns/dnsmasq-nanny
securityContext:
capabilities:
drop:
- all
add:
- NET_BIND_SERVICE
- SETGID
- name: sidecar - name: sidecar
image: k8s.gcr.io/k8s-dns-sidecar:1.14.13 image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
livenessProbe: livenessProbe:
@ -214,5 +226,10 @@ spec:
requests: requests:
memory: 20Mi memory: 20Mi
cpu: 10m cpu: 10m
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001
dnsPolicy: Default # Don't use cluster DNS. dnsPolicy: Default # Don't use cluster DNS.
serviceAccountName: kube-dns serviceAccountName: kube-dns
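Review bot: In the `@ -190,6 +195,13` hunk the dnsmasq container is hardened only by capability restriction and still runs as root without `allowPrivilegeEscalation: false`, unlike the kubedns and sidecar containers in the neighbouring hunks; adding `allowPrivilegeEscalation: false` under that securityContext should be compatible with the retained NET_BIND_SERVICE and SETGID, since the process already starts as uid 0 with them, but confirm against the nanny's entrypoint. The two non-root contexts would be tighter with `runAsNonRoot: true` next to `runAsUser: 1001`, so the kubelet enforces the non-root property independently of the chosen uid. dnsmasq ordinarily drops privileges to an unprivileged user after binding, which requires CAP_SETUID in addition to SETGID; presumably the nanny's invocation avoids that (the change was merged through CI), but a comment above the `add:` list recording why SETUID is deliberately not granted would help future readers. Style nit: `- all` is lowercase while the documented spelling is `ALL`. The container definitions start and end outside these hunks, so there may be relevant fields I cannot see.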