From 4b3271a54201f8381c3d99ccd8f5cb8bf798a763 Mon Sep 17 00:00:00 2001
From: Vinayak Goyal
Date: Sun, 21 Mar 2021 16:24:56 -0700
Subject: [PATCH] Fix kube-apiserver manifest.
---
 cluster/gce/gci/configure-kubeapiserver.sh | 6 ++----
 cluster/gce/manifests/kube-apiserver.manifest | 3 +--
 2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/cluster/gce/gci/configure-kubeapiserver.sh b/cluster/gce/gci/configure-kubeapiserver.sh
index 603f00b8ba0..5946d98defc 100644
--- a/cluster/gce/gci/configure-kubeapiserver.sh
+++ b/cluster/gce/gci/configure-kubeapiserver.sh
@@ -412,8 +412,7 @@ function start-kube-apiserver {
 if [[ -n "${KUBE_API_SERVER_RUNASUSER:-}" && -n "${KUBE_API_SERVER_RUNASGROUP:-}" && -n "${KUBE_PKI_READERS_GROUP:-}" ]]; then
 sed -i -e "s@{{runAsUser}}@\"runAsUser\": ${KUBE_API_SERVER_RUNASUSER},@g" "${src_file}"
 sed -i -e "s@{{runAsGroup}}@\"runAsGroup\": ${KUBE_API_SERVER_RUNASGROUP},@g" "${src_file}"
- sed -i -e "s@{{capabilities}}@\"capabilities\": { \"drop\": [\"all\"], \"add\": [\"NET_BIND_SERVICE\"]},@g" "${src_file}"
- sed -i -e "s@{{allowPrivilegeEscalation}}@\"allowPrivilegeEscalation\": false,@g" "${src_file}"
+ sed -i -e "s@{{containerSecurityContext}}@\"securityContext\": { \"capabilities\": { \"drop\": [\"all\"], \"add\": [\"NET_BIND_SERVICE\"] } },@g" "${src_file}"
 local supplementalGroups="${KUBE_PKI_READERS_GROUP}"
 if [[ -n "${KMS_PLUGIN_SOCKET_WRITER_GROUP:-}" ]]; then
 supplementalGroups+=",${KMS_PLUGIN_SOCKET_WRITER_GROUP}"
@@ -425,8 +424,7 @@ function start-kube-apiserver {
 else
 sed -i -e "s@{{runAsUser}}@@g" "${src_file}"
 sed -i -e "s@{{runAsGroup}}@@g" "${src_file}"
- sed -i -e "s@{{capabilities}}@@g" "${src_file}"
- sed -i -e "s@{{allowPrivilegeEscalation}}@@g" "${src_file}"
+ sed -i -e "s@{{containerSecurityContext}}@@g" "${src_file}"
 sed -i -e "s@{{supplementalGroups}}@@g" "${src_file}"
 fi
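Review bot: The new `{{containerSecurityContext}}` substitution in the first hunk silently drops the `"allowPrivilegeEscalation": false` setting that the removed `{{allowPrivilegeEscalation}}` line used to emit, so the kube-apiserver container loses that hardening even though both settings are container-level fields and could live in the same block. Unless the omission is deliberate (the commit message does not say), the replacement line should carry it over: `sed -i -e "s@{{containerSecurityContext}}@\"securityContext\": { \"allowPrivilegeEscalation\": false, \"capabilities\": { \"drop\": [\"all\"], \"add\": [\"NET_BIND_SERVICE\"] } },@g" "${src_file}"`. The else branch in the second hunk and the manifest hunks need no change for this, since they only clear or position the placeholder. start-kube-apiserver begins before and ends after this hunk.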
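Review bot: The else branch in the second hunk repeats the placeholder list by hand, and this change shows how easily the two lists drift: a placeholder substituted in the if branch but not cleared here (or the reverse) would presumably leave a literal `{{…}}` in the generated manifest, which is then not valid JSON for the static pod. A one-line comment at the top of the branch, `# Keep this list in sync with the substitutions above and with the placeholders in kube-apiserver.manifest`, would at least flag the coupling; listing the placeholder names once in an array and looping over it in both branches would remove it. The function's closing lines are outside this hunk.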
diff --git a/cluster/gce/manifests/kube-apiserver.manifest b/cluster/gce/manifests/kube-apiserver.manifest
index c3f7b82e30f..10c3411e640 100644
--- a/cluster/gce/manifests/kube-apiserver.manifest
+++ b/cluster/gce/manifests/kube-apiserver.manifest
@@ -13,8 +13,6 @@
 "securityContext": {
 {{runAsUser}}
 {{runAsGroup}}
- {{capabilities}}
- {{allowPrivilegeEscalation}}
 {{supplementalGroups}}
 "seccompProfile": {
 "type": "RuntimeDefault"
@@ -26,6 +24,7 @@
 "containers":[
 {
 "name": "kube-apiserver",
+ {{containerSecurityContext}}
 "image": "{{pillar['kube_docker_registry']}}/kube-apiserver-amd64:{{pillar['kube-apiserver_docker_tag']}}",
 "resources": {
 "requests": {
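Review bot: The contract for the `{{containerSecurityContext}}` placeholder added in the second hunk — it must expand either to nothing or to a complete `"securityContext": { … },` member with a trailing comma, because it sits between `"name"` and `"image"` inside the container object — is recorded nowhere, and the manifest itself cannot carry it since JSON has no comment syntax. Suggest documenting it in configure-kubeapiserver.sh next to the sed lines that produce the value, e.g. `# {{containerSecurityContext}} sits inside the kube-apiserver container object between "name" and "image"; substitute a full "securityContext": { ... }, member (trailing comma) or the empty string.` The hunk shows only the kube-apiserver container, so whether any other container in the file should receive the same placeholder cannot be judged from here.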