github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-19 09:52:49 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #96134 from vinayakankugoyal/apiservernonroot

Browse Source 
Run kube-apiserver as non-root.
This commit is contained in:
Kubernetes Prow Robot 2021-02-23 18:26:51 -08:00 committed by GitHub
commit 9694e42099
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 33 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
cluster/gce/gci/configure-kubeapiserver.sh
View File

@ -62,8 +62,8 @@ function configure-etcd-params {
# INSECURE_PORT_MAPPING
function start-kube-apiserver {
echo "Start kubernetes api-server"
prepare-log-file "${KUBE_API_SERVER_LOG_PATH:-/var/log/kube-apiserver.log}"
prepare-log-file "${KUBE_API_SERVER_AUDIT_LOG_PATH:-/var/log/kube-apiserver-audit.log}"
prepare-log-file "${KUBE_API_SERVER_LOG_PATH:-/var/log/kube-apiserver.log}" "${KUBE_API_SERVER_RUNASUSER:-0}"
prepare-log-file "${KUBE_API_SERVER_AUDIT_LOG_PATH:-/var/log/kube-apiserver-audit.log}" "${KUBE_API_SERVER_RUNASUSER:-0}"
# Calculate variables and assemble the command line.
local params="${API_SERVER_TEST_LOG_LEVEL:-"--v=2"} ${APISERVER_TEST_ARGS:-} ${CLOUD_CONFIG_OPT}"
@ -113,7 +113,11 @@ function start-kube-apiserver {
if [[ -n "${SERVICEACCOUNT_CERT_PATH:-}" ]]; then
params+=" --service-account-key-file=${SERVICEACCOUNT_CERT_PATH}"
fi
params+=" --token-auth-file=/etc/srv/kubernetes/known_tokens.csv"
local known_tokens_file='/etc/srv/kubernetes/known_tokens.csv'
if [[ -f "${known_tokens_file}" ]]; then
chown "${KUBE_API_SERVER_RUNASUSER:-0}":"${KUBE_API_SERVER_RUNASGROUP:-0}" "${known_tokens_file}"
fi
params+=" --token-auth-file=${known_tokens_file}"
if [[ -n "${KUBE_APISERVER_REQUEST_TIMEOUT_SEC:-}" ]]; then
params+=" --request-timeout=${KUBE_APISERVER_REQUEST_TIMEOUT_SEC}s"
@ -405,6 +409,27 @@ function start-kube-apiserver {
sed -i -e "s@{{konnectivity_socket_volume}}@${default_konnectivity_socket_vol}@g" "${src_file}"
sed -i -e "s@{{healthcheck_ip}}@${healthcheck_ip}@g" "${src_file}"
if [[ -n "${KUBE_API_SERVER_RUNASUSER:-}" && -n "${KUBE_API_SERVER_RUNASGROUP:-}" && -n "${KUBE_PKI_READERS_GROUP:-}" ]]; then
sed -i -e "s@{{runAsUser}}@\"runAsUser\": ${KUBE_API_SERVER_RUNASUSER},@g" "${src_file}"
sed -i -e "s@{{runAsGroup}}@\"runAsGroup\": ${KUBE_API_SERVER_RUNASGROUP},@g" "${src_file}"
sed -i -e "s@{{capabilities}}@\"capabilities\": { \"drop\": [\"all\"], \"add\": [\"NET_BIND_SERVICE\"]},@g" "${src_file}"
sed -i -e "s@{{allowPrivilegeEscalation}}@\"allowPrivilegeEscalation\": false,@g" "${src_file}"
local supplementalGroups="${KUBE_PKI_READERS_GROUP}"
if [[ -n "${KMS_PLUGIN_SOCKET_WRITER_GROUP:-}" ]]; then
supplementalGroups+=",${KMS_PLUGIN_SOCKET_WRITER_GROUP}"
fi
if [[ -n "${KONNECTIVITY_SERVER_SOCKET_WRITER_GROUP:-}" ]]; then
supplementalGroups+=",${KONNECTIVITY_SERVER_SOCKET_WRITER_GROUP}"
fi
sed -i -e "s@{{supplementalGroups}}@\"supplementalGroups\": [ ${supplementalGroups} ],@g" "${src_file}"
else
sed -i -e "s@{{runAsUser}}@@g" "${src_file}"
sed -i -e "s@{{runAsGroup}}@@g" "${src_file}"
sed -i -e "s@{{capabilities}}@@g" "${src_file}"
sed -i -e "s@{{allowPrivilegeEscalation}}@@g" "${src_file}"
sed -i -e "s@{{supplementalGroups}}@@g" "${src_file}"
fi
cp "${src_file}" "${ETC_MANIFESTS:-/etc/kubernetes/manifests}"
}

5
cluster/gce/manifests/kube-apiserver.manifest
View File

@ -11,6 +11,11 @@
},
"spec":{
"securityContext": {
{{runAsUser}}
{{runAsGroup}}
{{capabilities}}
{{allowPrivilegeEscalation}}
{{supplementalGroups}}
"seccompProfile": {
"type": "RuntimeDefault"
}