From 7a5f4c47de4224b3dbcab0c3713c55b510f7f1a9 Mon Sep 17 00:00:00 2001
From: Vinayak Goyal
Date: Tue, 14 Apr 2020 18:22:37 -0700
Subject: [PATCH] Run kube-scheduler and kube-addon-manager as non root

---
 cluster/gce/gci/configure-helper.sh           |  7 ++++++-
 cluster/gce/manifests/kube-addon-manager.yaml |  8 ++++++++
 cluster/gce/manifests/kube-scheduler.manifest | 12 ++++++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 125f5f038ab..2d9a6d45492 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1911,7 +1911,7 @@ function start-kube-controller-manager {
 function start-kube-scheduler {
   echo "Start kubernetes scheduler"
   create-kubeconfig "kube-scheduler" ${KUBE_SCHEDULER_TOKEN}
-  prepare-log-file /var/log/kube-scheduler.log
+  prepare-log-file /var/log/kube-scheduler.log ${KUBE_SCHEDULER_RUNASUSER:-2001} ${KUBE_SCHEDULER_RUNASGROUP:-2001}
 
   # Calculate variables and set them in the manifest.
   params="${SCHEDULER_TEST_LOG_LEVEL:-"--v=2"} ${SCHEDULER_TEST_ARGS:-}"
@@ -1936,6 +1936,8 @@ function start-kube-scheduler {
   sed -i -e "s@{{pillar\['kube_docker_registry'\]}}@${DOCKER_REGISTRY}@g" "${src_file}"
   sed -i -e "s@{{pillar\['kube-scheduler_docker_tag'\]}}@${kube_scheduler_docker_tag}@g" "${src_file}"
   sed -i -e "s@{{cpurequest}}@${KUBE_SCHEDULER_CPU_REQUEST}@g" "${src_file}"
+  sed -i -e "s@{{runAsUser}}@${KUBE_SCHEDULER_RUNASUSER:-2001}@g" "${src_file}"
+  sed -i -e "s@{{runAsGroup}}@${KUBE_SCHEDULER_RUNASGROUP:-2001}@g" "${src_file}"
   cp "${src_file}" /etc/kubernetes/manifests
 }
 
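Review bot: The uid/gid default `2001` is spelled out in the `prepare-log-file` call of this hunk and again in both `sed` substitutions of the `@@ -1936` hunk, so a later edit to one of them leaves /var/log/kube-scheduler.log owned by a different uid than the one the pod runs as, and the scheduler can no longer write its log. Hoist the values once at the top of start-kube-scheduler, `local -r run_as_user="${KUBE_SCHEDULER_RUNASUSER:-2001}"` and `local -r run_as_group="${KUBE_SCHEDULER_RUNASGROUP:-2001}"`, and pass the quoted locals in all three places; the same duplication of `2002` exists for the addon manager in the `@@ -2336` and `@@ -2503` hunks. Nothing in the diff touches the kubeconfig written by `create-kubeconfig` on the preceding line, so it is worth confirming that its file mode lets uid 2001 read it (create-kubeconfig and prepare-log-file are both defined outside this diff). start-kube-scheduler continues past the end of this hunk.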
@@ -2336,6 +2338,7 @@ function start-kube-addons {
   local -r dst_dir="/etc/kubernetes/addons"
 
   create-kubeconfig "addon-manager" ${ADDON_MANAGER_TOKEN}
+  prepare-log-file /var/log/kube-addon-manager.log ${KUBE_ADDON_MANAGER_RUNASUSER:-2002} ${KUBE_ADDON_MANAGER_RUNASGROUP:-2002}
 
   # prep addition kube-up specific rbac objects
   setup-addon-manifests "addons" "rbac/kubelet-api-auth"
@@ -2503,6 +2506,8 @@ EOF
   # Place addon manager pod manifest.
   src_file="${src_dir}/kube-addon-manager.yaml"
   sed -i -e "s@{{kubectl_extra_prune_whitelist}}@${ADDON_MANAGER_PRUNE_WHITELIST:-}@g" "${src_file}"
+  sed -i -e "s@{{runAsUser}}@${KUBE_ADDON_MANAGER_RUNASUSER:-2002}@g" "${src_file}"
+  sed -i -e "s@{{runAsGroup}}@${KUBE_ADDON_MANAGER_RUNASGROUP:-2002}@g" "${src_file}"
   cp "${src_file}" /etc/kubernetes/manifests
 }
 
diff --git a/cluster/gce/manifests/kube-addon-manager.yaml b/cluster/gce/manifests/kube-addon-manager.yaml
index 547d4c0621a..92216140c46 100644
--- a/cluster/gce/manifests/kube-addon-manager.yaml
+++ b/cluster/gce/manifests/kube-addon-manager.yaml
@@ -8,11 +8,19 @@ metadata:
   labels:
     component: kube-addon-manager
 spec:
+  securityContext:
+    runAsUser: {{runAsUser}}
+    runAsGroup: {{runAsGroup}}
   priorityClassName: system-node-critical
   priority: 2000001000
   hostNetwork: true
   containers:
   - name: kube-addon-manager
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - all
     # When updating version also bump it in:
     # - test/kubemark/resources/manifests/kube-addon-manager.yaml
     image: k8s.gcr.io/kube-addon-manager:v9.0.2
diff --git a/cluster/gce/manifests/kube-scheduler.manifest b/cluster/gce/manifests/kube-scheduler.manifest
index fe733df27fd..6b75c7a412a 100644
--- a/cluster/gce/manifests/kube-scheduler.manifest
+++ b/cluster/gce/manifests/kube-scheduler.manifest
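Review bot: The pod-level securityContext added under `spec:` in the kube-addon-manager.yaml hunk pins `runAsUser`/`runAsGroup` but does not set `runAsNonRoot: true`, so if the substituted value ever resolves to 0 the kubelet still starts the container as root instead of refusing it; adding `runAsNonRoot: true` beside `runAsUser: {{runAsUser}}` turns the commit's intent into an enforced check. The same applies to the `"securityContext"` block added in the kube-scheduler.manifest hunk, where `"runAsNonRoot": true` belongs next to `"runAsUser"`. The placeholders are filled in unquoted by the sed lines in configure-helper.sh, so a non-numeric override of `KUBE_ADDON_MANAGER_RUNASUSER` or `KUBE_ADDON_MANAGER_RUNASGROUP` would leave an invalid manifest; a comment above the block such as `# {{runAsUser}}/{{runAsGroup}} are substituted by start-kube-addons in cluster/gce/gci/configure-helper.sh` would tell the next reader where the values come from.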
@@ -13,12 +13,24 @@
   }
 },
 "spec":{
+"securityContext": {
+  "runAsUser": {{runAsUser}},
+  "runAsGroup": {{runAsGroup}}
+},
 "priorityClassName": "system-node-critical",
 "priority": 2000001000,
 "hostNetwork": true,
 "containers":[
     {
     "name": "kube-scheduler",
+    "securityContext": {
+      "allowPrivilegeEscalation": false,
+      "capabilities": {
+        "drop": [
+          "all"
+        ]
+      }
+    },
     "image": "{{pillar['kube_docker_registry']}}/kube-scheduler-amd64:{{pillar['kube-scheduler_docker_tag']}}",
     "resources": {
       "requests": {