Merge pull request #123490 from dims/run-auto-scaler-as-non-root-in-kube-up

Run auto scaler as non root in kube up
Kubernetes Prow Robot 2024-02-25 10:03:30 -08:00 committed by GitHub
commit 60e11e2c6a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 17 additions and 1 deletions


@ -2465,7 +2465,7 @@ function start-cluster-autoscaler {
echo "Start kubernetes cluster autoscaler"
setup-addon-manifests "addons" "rbac/cluster-autoscaler"
create-kubeconfig "cluster-autoscaler" "${KUBE_CLUSTER_AUTOSCALER_TOKEN}"
prepare-log-file /var/log/cluster-autoscaler.log
prepare-log-file /var/log/cluster-autoscaler.log "${CLUSTER_AUTOSCALER_RUNASUSER:-0}"
# Remove salt comments and replace variables with values
local -r src_file="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty/cluster-autoscaler.manifest"
@ -2485,6 +2485,17 @@ function start-cluster-autoscaler {
sed -i -e "s@{{cloud_config_volume}}@${CLOUD_CONFIG_VOLUME}@g" "${src_file}"
sed -i -e "s@{%.*%}@@g" "${src_file}"
if [[ -n "${CLUSTER_AUTOSCALER_RUNASUSER:-}" && -n "${CLUSTER_AUTOSCALER_RUNASGROUP:-}" ]]; then
#run-cluster-autoscaler-as-non-root
sed -i -e "s@{{runAsUser}}@\"runAsUser\": ${CLUSTER_AUTOSCALER_RUNASUSER},@g" "${src_file}"
sed -i -e "s@{{runAsGroup}}@\"runAsGroup\":${CLUSTER_AUTOSCALER_RUNASGROUP},@g" "${src_file}"
sed -i -e "s@{{supplementalGroups}}@\"supplementalGroups\": [ ${KUBE_PKI_READERS_GROUP} ],@g" "${src_file}"
else
sed -i -e "s@{{runAsUser}}@@g" "${src_file}"
sed -i -e "s@{{runAsGroup}}@@g" "${src_file}"
sed -i -e "s@{{supplementalGroups}}@@g" "${src_file}"
fi
cp "${src_file}" /etc/kubernetes/manifests
fi
}
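Review bot: The non-root switch is gated by two different conditions: `prepare-log-file /var/log/cluster-autoscaler.log "${CLUSTER_AUTOSCALER_RUNASUSER:-0}"` in the first hunk keys on RUNASUSER alone, while the `if [[ -n "${CLUSTER_AUTOSCALER_RUNASUSER:-}" && -n "${CLUSTER_AUTOSCALER_RUNASGROUP:-}" ]]` in the second hunk requires both, so a config that sets only RUNASUSER prepares the log file for the non-root UID but renders a manifest with no runAsUser/runAsGroup at all; deriving both sites from one guard computed once (e.g. a `local -r` flag set when both variables are non-empty) removes that split. The three `sed` lines also splice `${CLUSTER_AUTOSCALER_RUNASUSER}`, `${CLUSTER_AUTOSCALER_RUNASGROUP}` and `${KUBE_PKI_READERS_GROUP}` verbatim into both the sed script (which uses `@` as its delimiter) and the JSON; that matches the surrounding substitutions, but a value that is not a plain integer, or an empty `KUBE_PKI_READERS_GROUP`, yields either a broken sed expression or a manifest the kubelet rejects, so a check such as `[[ "${CLUSTER_AUTOSCALER_RUNASUSER}" =~ ^[0-9]+$ ]] || return 1` before the substitutions would fail early with a clear message instead of a pod that never starts. Minor: `\"runAsGroup\":${CLUSTER_AUTOSCALER_RUNASGROUP},` lacks the space after the colon that the `runAsUser` line has, and the comment `#run-cluster-autoscaler-as-non-root` would read better as `# Run the autoscaler as the configured non-root UID/GID when both are set.` The enclosing function and the `if` closed by the final `fi` both start outside the hunk.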


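--- a/cluster-autoscaler.manifest
+++ b/cluster-autoscaler.manifest
@@ -11,6 +11,9 @@
 },
 "spec": {
 "securityContext": {
+{{runAsUser}}
+{{runAsGroup}}
+{{supplementalGroups}}
 "seccompProfile": {
 "type": "RuntimeDefault"
 }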
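Review bot: The three new placeholders only produce valid JSON because each substituted fragment ends in a trailing comma and another key (`"seccompProfile"`) follows them; if `{{supplementalGroups}}` were ever moved to be the last entry of `securityContext`, the rendered object would end with `],}` and fail to parse. The ordering constraint is invisible from the template itself, so it is worth stating next to the substitution code in the shell script (JSON has no comment syntax), e.g. `# The {{runAs*}} fragments end in a comma and must not be the last key in securityContext.`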


@ -1363,6 +1363,8 @@ KONNECTIVITY_SERVER_RUNASGROUP: 2008
KONNECTIVITY_SERVER_SOCKET_WRITER_GROUP: 2008
CLOUD_CONTROLLER_MANAGER_RUNASUSER: 2009
CLOUD_CONTROLLER_MANAGER_RUNASGROUP: 2009
CLUSTER_AUTOSCALER_RUNASUSER: 2010
CLUSTER_AUTOSCALER_RUNASGROUP: 2010
EOF
# KUBE_APISERVER_REQUEST_TIMEOUT_SEC (if set) controls the --request-timeout