Merge pull request #100436 from vinayakankugoyal/apiservernonroot
Fix kube-apiserver manifest.
commit
99301e672b
@ -412,8 +412,7 @@ function start-kube-apiserver {
|
|||||||
if [[ -n "${KUBE_API_SERVER_RUNASUSER:-}" && -n "${KUBE_API_SERVER_RUNASGROUP:-}" && -n "${KUBE_PKI_READERS_GROUP:-}" ]]; then
|
if [[ -n "${KUBE_API_SERVER_RUNASUSER:-}" && -n "${KUBE_API_SERVER_RUNASGROUP:-}" && -n "${KUBE_PKI_READERS_GROUP:-}" ]]; then
|
||||||
sed -i -e "s@{{runAsUser}}@\"runAsUser\": ${KUBE_API_SERVER_RUNASUSER},@g" "${src_file}"
|
sed -i -e "s@{{runAsUser}}@\"runAsUser\": ${KUBE_API_SERVER_RUNASUSER},@g" "${src_file}"
|
||||||
sed -i -e "s@{{runAsGroup}}@\"runAsGroup\": ${KUBE_API_SERVER_RUNASGROUP},@g" "${src_file}"
|
sed -i -e "s@{{runAsGroup}}@\"runAsGroup\": ${KUBE_API_SERVER_RUNASGROUP},@g" "${src_file}"
|
||||||
sed -i -e "s@{{capabilities}}@\"capabilities\": { \"drop\": [\"all\"], \"add\": [\"NET_BIND_SERVICE\"]},@g" "${src_file}"
|
sed -i -e "s@{{containerSecurityContext}}@\"securityContext\": { \"capabilities\": { \"drop\": [\"all\"], \"add\": [\"NET_BIND_SERVICE\"] } },@g" "${src_file}"
|
||||||
sed -i -e "s@{{allowPrivilegeEscalation}}@\"allowPrivilegeEscalation\": false,@g" "${src_file}"
|
|
||||||
local supplementalGroups="${KUBE_PKI_READERS_GROUP}"
|
local supplementalGroups="${KUBE_PKI_READERS_GROUP}"
|
||||||
if [[ -n "${KMS_PLUGIN_SOCKET_WRITER_GROUP:-}" ]]; then
|
if [[ -n "${KMS_PLUGIN_SOCKET_WRITER_GROUP:-}" ]]; then
|
||||||
supplementalGroups+=",${KMS_PLUGIN_SOCKET_WRITER_GROUP}"
|
supplementalGroups+=",${KMS_PLUGIN_SOCKET_WRITER_GROUP}"
|
||||||
@ -425,8 +424,7 @@ function start-kube-apiserver {
|
|||||||
else
|
else
|
||||||
sed -i -e "s@{{runAsUser}}@@g" "${src_file}"
|
sed -i -e "s@{{runAsUser}}@@g" "${src_file}"
|
||||||
sed -i -e "s@{{runAsGroup}}@@g" "${src_file}"
|
sed -i -e "s@{{runAsGroup}}@@g" "${src_file}"
|
||||||
sed -i -e "s@{{capabilities}}@@g" "${src_file}"
|
sed -i -e "s@{{containerSecurityContext}}@@g" "${src_file}"
|
||||||
sed -i -e "s@{{allowPrivilegeEscalation}}@@g" "${src_file}"
|
|
||||||
sed -i -e "s@{{supplementalGroups}}@@g" "${src_file}"
|
sed -i -e "s@{{supplementalGroups}}@@g" "${src_file}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
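Review bot: The new `{{containerSecurityContext}}` substitution in the non-root branch of start-kube-apiserver carries only the `capabilities` block, so `"allowPrivilegeEscalation": false`, which the old code set through its own placeholder, is no longer applied anywhere. If that is an oversight, the setting belongs in the same container-level object, so that the rendered value reads `"securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": ["all"], "add": ["NET_BIND_SERVICE"] } },`. If it is deliberate (for instance because the non-root binary obtains NET_BIND_SERVICE from a file capability, which no_new_privs would suppress; that is not visible on this page), a comment above the sed line should say so, such as `# allowPrivilegeEscalation is left unset on purpose: <reason>`. The function body starts and ends outside these hunks.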
|
@ -13,8 +13,6 @@
|
|||||||
"securityContext": {
|
"securityContext": {
|
||||||
{{runAsUser}}
|
{{runAsUser}}
|
||||||
{{runAsGroup}}
|
{{runAsGroup}}
|
||||||
{{capabilities}}
|
|
||||||
{{allowPrivilegeEscalation}}
|
|
||||||
{{supplementalGroups}}
|
{{supplementalGroups}}
|
||||||
"seccompProfile": {
|
"seccompProfile": {
|
||||||
"type": "RuntimeDefault"
|
"type": "RuntimeDefault"
|
||||||
@ -26,6 +24,7 @@
|
|||||||
"containers":[
|
"containers":[
|
||||||
{
|
{
|
||||||
"name": "kube-apiserver",
|
"name": "kube-apiserver",
|
||||||
|
{{containerSecurityContext}}
|
||||||
"image": "{{pillar['kube_docker_registry']}}/kube-apiserver-amd64:{{pillar['kube-apiserver_docker_tag']}}",
|
"image": "{{pillar['kube_docker_registry']}}/kube-apiserver-amd64:{{pillar['kube-apiserver_docker_tag']}}",
|
||||||
"resources": {
|
"resources": {
|
||||||
"requests": {
|
"requests": {
|
||||||
|
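Review bot: `{{containerSecurityContext}}` sits as a bare token between `"name"` and `"image"`, so the manifest only becomes valid JSON once a script replaces it with either a complete `"securityContext": {...},` member including its trailing comma or with nothing. On this page only start-kube-apiserver is shown doing that; any other consumer of the template, not visible here, would need the same substitution, and no reference to the removed `{{capabilities}}` and `{{allowPrivilegeEscalation}}` placeholders should remain. Since the manifest itself cannot hold comments, a short comment next to the sed calls in the script listing the placeholders the manifest expects would keep the two files in step.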