Merge pull request #90156 from vinayakankugoyal/nonroot

Run kube-scheduler and kube-addon-manager as non-root
Kubernetes Prow Robot 2020-04-22 19:21:46 -07:00 committed by GitHub
commit 1bcd49d5cd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 26 additions and 1 deletions


@ -1911,7 +1911,7 @@ function start-kube-controller-manager {
function start-kube-scheduler {
echo "Start kubernetes scheduler"
create-kubeconfig "kube-scheduler" ${KUBE_SCHEDULER_TOKEN}
prepare-log-file /var/log/kube-scheduler.log
prepare-log-file /var/log/kube-scheduler.log ${KUBE_SCHEDULER_RUNASUSER:-2001} ${KUBE_SCHEDULER_RUNASGROUP:-2001}
# Calculate variables and set them in the manifest.
params="${SCHEDULER_TEST_LOG_LEVEL:-"--v=2"} ${SCHEDULER_TEST_ARGS:-}"
@ -1936,6 +1936,8 @@ function start-kube-scheduler {
sed -i -e "s@{{pillar\['kube_docker_registry'\]}}@${DOCKER_REGISTRY}@g" "${src_file}"
sed -i -e "s@{{pillar\['kube-scheduler_docker_tag'\]}}@${kube_scheduler_docker_tag}@g" "${src_file}"
sed -i -e "s@{{cpurequest}}@${KUBE_SCHEDULER_CPU_REQUEST}@g" "${src_file}"
sed -i -e "s@{{runAsUser}}@${KUBE_SCHEDULER_RUNASUSER:-2001}@g" "${src_file}"
sed -i -e "s@{{runAsGroup}}@${KUBE_SCHEDULER_RUNASGROUP:-2001}@g" "${src_file}"
cp "${src_file}" /etc/kubernetes/manifests
}
@ -2336,6 +2338,7 @@ function start-kube-addons {
local -r dst_dir="/etc/kubernetes/addons"
create-kubeconfig "addon-manager" ${ADDON_MANAGER_TOKEN}
prepare-log-file /var/log/kube-addon-manager.log ${KUBE_ADDON_MANAGER_RUNASUSER:-2002} ${KUBE_ADDON_MANAGER_RUNASGROUP:-2002}
# prep addition kube-up specific rbac objects
setup-addon-manifests "addons" "rbac/kubelet-api-auth"
@ -2503,6 +2506,8 @@ EOF
# Place addon manager pod manifest.
src_file="${src_dir}/kube-addon-manager.yaml"
sed -i -e "s@{{kubectl_extra_prune_whitelist}}@${ADDON_MANAGER_PRUNE_WHITELIST:-}@g" "${src_file}"
sed -i -e "s@{{runAsUser}}@${KUBE_ADDON_MANAGER_RUNASUSER:-2002}@g" "${src_file}"
sed -i -e "s@{{runAsGroup}}@${KUBE_ADDON_MANAGER_RUNASGROUP:-2002}@g" "${src_file}"
cp "${src_file}" /etc/kubernetes/manifests
}
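Review bot: The kubeconfig written by `create-kubeconfig "kube-scheduler"` at the top of the first hunk is not adjusted for the new uid, while only the log file receives the user/group arguments through `prepare-log-file`; create-kubeconfig is outside the hunk, so if it still writes a root-owned, mode-restricted file, a scheduler running as uid 2001 cannot read its credentials and will crash-loop instead of starting (the addon-manager kubeconfig in the third hunk has the same question). The `:-2001` and `:-2002` defaults are also repeated between the `prepare-log-file` call and the two `sed` lines that fill `{{runAsUser}}`/`{{runAsGroup}}`; hoisting each pair into one local, `local -r runasuser="${KUBE_SCHEDULER_RUNASUSER:-2001}"` and `local -r runasgroup="${KUBE_SCHEDULER_RUNASGROUP:-2001}"`, keeps the log-file ownership and the manifest's runAsUser from drifting apart when one default is edited. start-kube-scheduler begins before the first hunk, and start-kube-addons begins before its first hunk.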


@ -8,11 +8,19 @@ metadata:
labels:
component: kube-addon-manager
spec:
securityContext:
runAsUser: {{runAsUser}}
runAsGroup: {{runAsGroup}}
priorityClassName: system-node-critical
priority: 2000001000
hostNetwork: true
containers:
- name: kube-addon-manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
# When updating version also bump it in:
# - test/kubemark/resources/manifests/kube-addon-manager.yaml
image: k8s.gcr.io/kube-addon-manager:v9.0.2
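Review bot: The pod-level securityContext sets `runAsUser`/`runAsGroup` from the template value but does not set `runAsNonRoot: true`, so if the substituted value is ever 0 (for example an operator exporting KUBE_ADDON_MANAGER_RUNASUSER=0 on the node) the container silently runs as root again. Adding `runAsNonRoot: true` under the pod `securityContext:` next to `runAsUser: {{runAsUser}}` makes the kubelet refuse to start the container as uid 0, which is the guarantee this commit is meant to provide. The kube-scheduler manifest in the next file section has the same gap in its `"securityContext"` object. The capability drop under the container securityContext is conventionally spelled `ALL`; I believe the runtime path uppercases the value, but matching the documented form avoids relying on that.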


@ -13,12 +13,24 @@
}
},
"spec":{
"securityContext": {
"runAsUser": {{runAsUser}},
"runAsGroup": {{runAsGroup}}
},
"priorityClassName": "system-node-critical",
"priority": 2000001000,
"hostNetwork": true,
"containers":[
{
"name": "kube-scheduler",
"securityContext": {
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": [
"all"
]
}
},
"image": "{{pillar['kube_docker_registry']}}/kube-scheduler-amd64:{{pillar['kube-scheduler_docker_tag']}}",
"resources": {
"requests": {