Merge pull request #82347 from pjbgf/non-root
Harden kube-dns to run with less privileges.
This commit is contained in:
commit
129a13af98
@ -105,7 +105,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
k8s-app: kube-dns
|
k8s-app: kube-dns
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
|
||||||
spec:
|
spec:
|
||||||
priorityClassName: system-cluster-critical
|
priorityClassName: system-cluster-critical
|
||||||
serviceAccountName: coredns
|
serviceAccountName: coredns
|
||||||
|
@ -105,7 +105,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
k8s-app: kube-dns
|
k8s-app: kube-dns
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
|
||||||
spec:
|
spec:
|
||||||
priorityClassName: system-cluster-critical
|
priorityClassName: system-cluster-critical
|
||||||
serviceAccountName: coredns
|
serviceAccountName: coredns
|
||||||
|
@ -105,7 +105,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
k8s-app: kube-dns
|
k8s-app: kube-dns
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
|
||||||
spec:
|
spec:
|
||||||
priorityClassName: system-cluster-critical
|
priorityClassName: system-cluster-critical
|
||||||
serviceAccountName: coredns
|
serviceAccountName: coredns
|
||||||
|
@ -82,7 +82,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
k8s-app: kube-dns
|
k8s-app: kube-dns
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
|
||||||
prometheus.io/port: "10054"
|
prometheus.io/port: "10054"
|
||||||
prometheus.io/scrape: "true"
|
prometheus.io/scrape: "true"
|
||||||
spec:
|
spec:
|
||||||
@ -150,6 +150,11 @@ spec:
|
|||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: kube-dns-config
|
- name: kube-dns-config
|
||||||
mountPath: /kube-dns-config
|
mountPath: /kube-dns-config
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsUser: 1001
|
||||||
|
runAsGroup: 1001
|
||||||
- name: dnsmasq
|
- name: dnsmasq
|
||||||
image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
|
image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
@ -190,6 +195,13 @@ spec:
|
|||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: kube-dns-config
|
- name: kube-dns-config
|
||||||
mountPath: /etc/k8s/dns/dnsmasq-nanny
|
mountPath: /etc/k8s/dns/dnsmasq-nanny
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- all
|
||||||
|
add:
|
||||||
|
- NET_BIND_SERVICE
|
||||||
|
- SETGID
|
||||||
- name: sidecar
|
- name: sidecar
|
||||||
image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
|
image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
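Review bot: The securityContext added for the dnsmasq container in this hunk (below `mountPath: /etc/k8s/dns/dnsmasq-nanny`) restricts capabilities but omits `allowPrivilegeEscalation: false`, which the kubedns and sidecar contexts in the `@ -150,6 +150,11 @@` and `@ -214,5 +226,10 @@` hunks do set; the no-new-privileges flag does not interfere with a process dropping to a lower uid/gid itself, so unless the nanny execs a setuid helper (verify), add `allowPrivilegeEscalation: false` as the first key under `securityContext:` here too. The reverse gap exists in those two hunks: they run as uid 1001 but never drop capabilities, so the containers keep the runtime's default bounding set — unless a capability is actually needed (presumably not for a non-root process; verify), add `capabilities:` / `drop:` / `- all` there to match this container. As a style point, the dropped set is spelled `all` while the added entries are uppercase; the conventional spelling is `ALL`, which is also what most policy tooling matches against. The same three hunks appear twice more further down this page (presumably the other variants of this manifest), and the same changes apply there.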
@ -214,5 +226,10 @@ spec:
|
|||||||
requests:
|
requests:
|
||||||
memory: 20Mi
|
memory: 20Mi
|
||||||
cpu: 10m
|
cpu: 10m
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsUser: 1001
|
||||||
|
runAsGroup: 1001
|
||||||
dnsPolicy: Default # Don't use cluster DNS.
|
dnsPolicy: Default # Don't use cluster DNS.
|
||||||
serviceAccountName: kube-dns
|
serviceAccountName: kube-dns
|
||||||
|
@ -82,7 +82,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
k8s-app: kube-dns
|
k8s-app: kube-dns
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
|
||||||
prometheus.io/port: "10054"
|
prometheus.io/port: "10054"
|
||||||
prometheus.io/scrape: "true"
|
prometheus.io/scrape: "true"
|
||||||
spec:
|
spec:
|
||||||
@ -150,6 +150,11 @@ spec:
|
|||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: kube-dns-config
|
- name: kube-dns-config
|
||||||
mountPath: /kube-dns-config
|
mountPath: /kube-dns-config
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsUser: 1001
|
||||||
|
runAsGroup: 1001
|
||||||
- name: dnsmasq
|
- name: dnsmasq
|
||||||
image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
|
image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
@ -190,6 +195,13 @@ spec:
|
|||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: kube-dns-config
|
- name: kube-dns-config
|
||||||
mountPath: /etc/k8s/dns/dnsmasq-nanny
|
mountPath: /etc/k8s/dns/dnsmasq-nanny
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- all
|
||||||
|
add:
|
||||||
|
- NET_BIND_SERVICE
|
||||||
|
- SETGID
|
||||||
- name: sidecar
|
- name: sidecar
|
||||||
image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
|
image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
@ -214,5 +226,10 @@ spec:
|
|||||||
requests:
|
requests:
|
||||||
memory: 20Mi
|
memory: 20Mi
|
||||||
cpu: 10m
|
cpu: 10m
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsUser: 1001
|
||||||
|
runAsGroup: 1001
|
||||||
dnsPolicy: Default # Don't use cluster DNS.
|
dnsPolicy: Default # Don't use cluster DNS.
|
||||||
serviceAccountName: kube-dns
|
serviceAccountName: kube-dns
|
||||||
|
@ -82,7 +82,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
k8s-app: kube-dns
|
k8s-app: kube-dns
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
|
||||||
prometheus.io/port: "10054"
|
prometheus.io/port: "10054"
|
||||||
prometheus.io/scrape: "true"
|
prometheus.io/scrape: "true"
|
||||||
spec:
|
spec:
|
||||||
@ -150,6 +150,11 @@ spec:
|
|||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: kube-dns-config
|
- name: kube-dns-config
|
||||||
mountPath: /kube-dns-config
|
mountPath: /kube-dns-config
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsUser: 1001
|
||||||
|
runAsGroup: 1001
|
||||||
- name: dnsmasq
|
- name: dnsmasq
|
||||||
image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
|
image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
@ -190,6 +195,13 @@ spec:
|
|||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: kube-dns-config
|
- name: kube-dns-config
|
||||||
mountPath: /etc/k8s/dns/dnsmasq-nanny
|
mountPath: /etc/k8s/dns/dnsmasq-nanny
|
||||||
|
securityContext:
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- all
|
||||||
|
add:
|
||||||
|
- NET_BIND_SERVICE
|
||||||
|
- SETGID
|
||||||
- name: sidecar
|
- name: sidecar
|
||||||
image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
|
image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
@ -214,5 +226,10 @@ spec:
|
|||||||
requests:
|
requests:
|
||||||
memory: 20Mi
|
memory: 20Mi
|
||||||
cpu: 10m
|
cpu: 10m
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsUser: 1001
|
||||||
|
runAsGroup: 1001
|
||||||
dnsPolicy: Default # Don't use cluster DNS.
|
dnsPolicy: Default # Don't use cluster DNS.
|
||||||
serviceAccountName: kube-dns
|
serviceAccountName: kube-dns
|
||||||
|