github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-13 21:25:09 +00:00
Code Issues Projects Releases Wiki Activity

Run CoreDNS container only with CAP_NET_BIND_SERVICE, drop all other (root) privileges.

Browse Source 
Run filesystem of container and config in read-only mode.
This commit is contained in:
Nico Berlee
2018-05-29 21:40:21 +02:00
parent d373eaa4f3
commit 7ee5729eba
4 changed files with 36 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
cluster/addons/dns/coredns/coredns.yaml.base
View File

@@ -118,6 +118,7 @@ spec:
volumeMounts:
- name: config-volume
mountPath: /etc/coredns
readOnly: true
ports:
- containerPort: 53
name: dns
@@ -137,6 +138,14 @@ spec:
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- all
readOnlyRootFilesystem: true
dnsPolicy: Default
volumes:
- name: config-volume

9
cluster/addons/dns/coredns/coredns.yaml.in
View File

@@ -118,6 +118,7 @@ spec:
volumeMounts:
- name: config-volume
mountPath: /etc/coredns
readOnly: true
ports:
- containerPort: 53
name: dns
@@ -137,6 +138,14 @@ spec:
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- all
readOnlyRootFilesystem: true
dnsPolicy: Default
volumes:
- name: config-volume

9
cluster/addons/dns/coredns/coredns.yaml.sed
View File

@@ -118,6 +118,7 @@ spec:
volumeMounts:
- name: config-volume
mountPath: /etc/coredns
readOnly: true
ports:
- containerPort: 53
name: dns
@@ -137,6 +138,14 @@ spec:
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- all
readOnlyRootFilesystem: true
dnsPolicy: Default
volumes:
- name: config-volume