Merge pull request #90156 from vinayakankugoyal/nonroot
Run kube-scheduler and kube-addon-manager as non root
commit
1bcd49d5cd
@ -1911,7 +1911,7 @@ function start-kube-controller-manager {
|
||||
function start-kube-scheduler {
|
||||
echo "Start kubernetes scheduler"
|
||||
create-kubeconfig "kube-scheduler" ${KUBE_SCHEDULER_TOKEN}
|
||||
prepare-log-file /var/log/kube-scheduler.log
|
||||
prepare-log-file /var/log/kube-scheduler.log ${KUBE_SCHEDULER_RUNASUSER:-2001} ${KUBE_SCHEDULER_RUNASGROUP:-2001}
|
||||
|
||||
# Calculate variables and set them in the manifest.
|
||||
params="${SCHEDULER_TEST_LOG_LEVEL:-"--v=2"} ${SCHEDULER_TEST_ARGS:-}"
|
||||
@ -1936,6 +1936,8 @@ function start-kube-scheduler {
|
||||
sed -i -e "s@{{pillar\['kube_docker_registry'\]}}@${DOCKER_REGISTRY}@g" "${src_file}"
|
||||
sed -i -e "s@{{pillar\['kube-scheduler_docker_tag'\]}}@${kube_scheduler_docker_tag}@g" "${src_file}"
|
||||
sed -i -e "s@{{cpurequest}}@${KUBE_SCHEDULER_CPU_REQUEST}@g" "${src_file}"
|
||||
sed -i -e "s@{{runAsUser}}@${KUBE_SCHEDULER_RUNASUSER:-2001}@g" "${src_file}"
|
||||
sed -i -e "s@{{runAsGroup}}@${KUBE_SCHEDULER_RUNASGROUP:-2001}@g" "${src_file}"
|
||||
cp "${src_file}" /etc/kubernetes/manifests
|
||||
}
|
||||
|
||||
@ -2336,6 +2338,7 @@ function start-kube-addons {
|
||||
local -r dst_dir="/etc/kubernetes/addons"
|
||||
|
||||
create-kubeconfig "addon-manager" ${ADDON_MANAGER_TOKEN}
|
||||
prepare-log-file /var/log/kube-addon-manager.log ${KUBE_ADDON_MANAGER_RUNASUSER:-2002} ${KUBE_ADDON_MANAGER_RUNASGROUP:-2002}
|
||||
|
||||
# prep addition kube-up specific rbac objects
|
||||
setup-addon-manifests "addons" "rbac/kubelet-api-auth"
|
||||
@ -2503,6 +2506,8 @@ EOF
|
||||
# Place addon manager pod manifest.
|
||||
src_file="${src_dir}/kube-addon-manager.yaml"
|
||||
sed -i -e "s@{{kubectl_extra_prune_whitelist}}@${ADDON_MANAGER_PRUNE_WHITELIST:-}@g" "${src_file}"
|
||||
sed -i -e "s@{{runAsUser}}@${KUBE_ADDON_MANAGER_RUNASUSER:-2002}@g" "${src_file}"
|
||||
sed -i -e "s@{{runAsGroup}}@${KUBE_ADDON_MANAGER_RUNASGROUP:-2002}@g" "${src_file}"
|
||||
cp "${src_file}" /etc/kubernetes/manifests
|
||||
}
|
||||
|
||||
|
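Review bot: The UID/GID defaults are spelled out twice per component — `2001` in the prepare-log-file call in the first hunk and again in the two sed substitutions in the second (the addon-manager hunks repeat the pattern with `2002`) — and the value is pasted unquoted into a manifest where runAsUser must be an integer, so an override such as `KUBE_SCHEDULER_RUNASUSER=scheduler` produces a log file owned by one thing and a manifest the kubelet rejects, instead of a failure at the point of configuration. Resolving each value once into a local and checking that it is numeric keeps log-file ownership and the manifest in agreement and fails early; sed also uses `@` as its delimiter here, so a value containing `@` would corrupt the expression, which the numeric check rules out as well. Whether the kubeconfig written by create-kubeconfig is readable by UID 2001 (and 2002 for the addon manager) is not visible in these hunks and should be confirmed, since neither process runs as root any more. start-kube-scheduler opens in the first hunk and closes in the second; start-kube-addons is cut at both ends of its hunks and should get the same treatment.
```shell
  create-kubeconfig "kube-scheduler" ${KUBE_SCHEDULER_TOKEN}
  # Resolve UID/GID once; they are emitted unquoted into the pod manifest, so only integers are acceptable.
  local -r runasuser="${KUBE_SCHEDULER_RUNASUSER:-2001}"
  local -r runasgroup="${KUBE_SCHEDULER_RUNASGROUP:-2001}"
  if ! [[ "${runasuser}" =~ ^[0-9]+$ && "${runasgroup}" =~ ^[0-9]+$ ]]; then
    echo "KUBE_SCHEDULER_RUNASUSER/KUBE_SCHEDULER_RUNASGROUP must be numeric" >&2
    return 1
  fi
  prepare-log-file /var/log/kube-scheduler.log "${runasuser}" "${runasgroup}"
  # … unchanged: params, src_file, registry/tag/cpurequest sed substitutions …
  sed -i -e "s@{{runAsUser}}@${runasuser}@g" "${src_file}"
  sed -i -e "s@{{runAsGroup}}@${runasgroup}@g" "${src_file}"
  # … unchanged: cp to /etc/kubernetes/manifests …
```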
@ -8,11 +8,19 @@ metadata:
|
||||
labels:
|
||||
component: kube-addon-manager
|
||||
spec:
|
||||
securityContext:
|
||||
runAsUser: {{runAsUser}}
|
||||
runAsGroup: {{runAsGroup}}
|
||||
priorityClassName: system-node-critical
|
||||
priority: 2000001000
|
||||
hostNetwork: true
|
||||
containers:
|
||||
- name: kube-addon-manager
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- all
|
||||
# When updating version also bump it in:
|
||||
# - test/kubemark/resources/manifests/kube-addon-manager.yaml
|
||||
image: k8s.gcr.io/kube-addon-manager:v9.0.2
|
||||
|
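Review bot: The pod-level securityContext at the top of this hunk sets `runAsUser: {{runAsUser}}` and `runAsGroup: {{runAsGroup}}` but not `runAsNonRoot`, so nothing enforces the commit's intent: if the substituted value resolves to 0 (an operator exporting KUBE_ADDON_MANAGER_RUNASUSER=0, or a templating slip leaving the placeholder unreplaced), the pod is started as root without complaint. Adding `runAsNonRoot: true` next to those two lines makes the kubelet refuse to start the container when the effective UID is 0, which is what turns "configured as non-root" into "guaranteed non-root". The same line belongs in the kube-scheduler manifest's pod securityContext in the following section, which is cut off on this page. The pod keeps `hostNetwork: true`, so dropping to UID 2002 narrows but does not remove host exposure; a comment above `hostNetwork:` stating why it is still required would help the next reader judge it.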
@ -13,12 +13,24 @@
|
||||
}
|
||||
},
|
||||
"spec":{
|
||||
"securityContext": {
|
||||
"runAsUser": {{runAsUser}},
|
||||
"runAsGroup": {{runAsGroup}}
|
||||
},
|
||||
"priorityClassName": "system-node-critical",
|
||||
"priority": 2000001000,
|
||||
"hostNetwork": true,
|
||||
"containers":[
|
||||
{
|
||||
"name": "kube-scheduler",
|
||||
"securityContext": {
|
||||
"allowPrivilegeEscalation": false,
|
||||
"capabilities": {
|
||||
"drop": [
|
||||
"all"
|
||||
]
|
||||
}
|
||||
},
|
||||
"image": "{{pillar['kube_docker_registry']}}/kube-scheduler-amd64:{{pillar['kube-scheduler_docker_tag']}}",
|
||||
"resources": {
|
||||
"requests": {
|
||||
|