Adding recommendations from tallclair.

2025-09-14 21:53:52 +00:00 · 2019-09-11 19:30:32 +01:00
parent 8dcc976db3
commit 72ee17c5ca
3 changed files with 3 additions and 12 deletions
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.base
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
@@ -82,13 +82,12 @@ spec:
      labels:
        k8s-app: kube-dns
      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
        prometheus.io/port: "10054"
        prometheus.io/scrape: "true"
    spec:
      priorityClassName: system-cluster-critical
      securityContext:
-        runAsNonRoot: true
        supplementalGroups: [ 65534 ]
        fsGroup: 65534
      tolerations:
@@ -198,8 +197,6 @@ spec:
          mountPath: /etc/k8s/dns/dnsmasq-nanny
        securityContext:
          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: false
-          runAsNonRoot: false
          capabilities:
            drop:
              - all
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.in
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
@@ -82,13 +82,12 @@ spec:
      labels:
        k8s-app: kube-dns
      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
        prometheus.io/port: "10054"
        prometheus.io/scrape: "true"
    spec:
      priorityClassName: system-cluster-critical
      securityContext:
-        runAsNonRoot: true
        supplementalGroups: [ 65534 ]
        fsGroup: 65534
      tolerations:
@@ -198,8 +197,6 @@ spec:
          mountPath: /etc/k8s/dns/dnsmasq-nanny
        securityContext:
          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: false
-          runAsNonRoot: false
          capabilities:
            drop:
              - all
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
@@ -82,13 +82,12 @@ spec:
      labels:
        k8s-app: kube-dns
      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
        prometheus.io/port: "10054"
        prometheus.io/scrape: "true"
    spec:
      priorityClassName: system-cluster-critical
      securityContext:
-        runAsNonRoot: true
        supplementalGroups: [ 65534 ]
        fsGroup: 65534
      tolerations:
@@ -198,8 +197,6 @@ spec:
          mountPath: /etc/k8s/dns/dnsmasq-nanny
        securityContext:
          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: false
-          runAsNonRoot: false
          capabilities:
            drop:
              - all