diff --git a/cluster/addons/dns/coredns/coredns.yaml.base b/cluster/addons/dns/coredns/coredns.yaml.base index 9510a759ff0..a2763b99e34 100644 --- a/cluster/addons/dns/coredns/coredns.yaml.base +++ b/cluster/addons/dns/coredns/coredns.yaml.base @@ -118,6 +118,7 @@ spec: volumeMounts: - name: config-volume mountPath: /etc/coredns + readOnly: true ports: - containerPort: 53 name: dns @@ -137,6 +138,14 @@ spec: timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - all + readOnlyRootFilesystem: true dnsPolicy: Default volumes: - name: config-volume diff --git a/cluster/addons/dns/coredns/coredns.yaml.in b/cluster/addons/dns/coredns/coredns.yaml.in index 19e1e8b1ad7..cfaaec8951a 100644 --- a/cluster/addons/dns/coredns/coredns.yaml.in +++ b/cluster/addons/dns/coredns/coredns.yaml.in @@ -118,6 +118,7 @@ spec: volumeMounts: - name: config-volume mountPath: /etc/coredns + readOnly: true ports: - containerPort: 53 name: dns @@ -137,6 +138,14 @@ spec: timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - all + readOnlyRootFilesystem: true dnsPolicy: Default volumes: - name: config-volume diff --git a/cluster/addons/dns/coredns/coredns.yaml.sed b/cluster/addons/dns/coredns/coredns.yaml.sed index 5d051934675..3901da2052a 100644 --- a/cluster/addons/dns/coredns/coredns.yaml.sed +++ b/cluster/addons/dns/coredns/coredns.yaml.sed @@ -118,6 +118,7 @@ spec: volumeMounts: - name: config-volume mountPath: /etc/coredns + readOnly: true ports: - containerPort: 53 name: dns @@ -137,6 +138,14 @@ spec: timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - all + readOnlyRootFilesystem: true dnsPolicy: Default volumes: - name: config-volume diff --git a/cmd/kubeadm/app/phases/addons/dns/manifests.go b/cmd/kubeadm/app/phases/addons/dns/manifests.go index 2a765f634ec..a73d3867b1e 100644 --- a/cmd/kubeadm/app/phases/addons/dns/manifests.go +++ b/cmd/kubeadm/app/phases/addons/dns/manifests.go @@ -259,6 +259,7 @@ spec: volumeMounts: - name: config-volume mountPath: /etc/coredns + readOnly: true ports: - containerPort: 53 name: dns @@ -278,6 +279,14 @@ spec: timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - all + readOnlyRootFilesystem: true dnsPolicy: Default volumes: - name: config-volume