github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 11:50:44 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #100436 from vinayakankugoyal/apiservernonroot

Browse Source 
Fix kube-apiserver manifest.
This commit is contained in:
Kubernetes Prow Robot 2021-04-10 20:29:35 -07:00 committed by GitHub
commit 99301e672b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
cluster/gce/gci/configure-kubeapiserver.sh
View File

@ -412,8 +412,7 @@ function start-kube-apiserver {
if [[ -n "${KUBE_API_SERVER_RUNASUSER:-}" && -n "${KUBE_API_SERVER_RUNASGROUP:-}" && -n "${KUBE_PKI_READERS_GROUP:-}" ]]; then if [[ -n "${KUBE_API_SERVER_RUNASUSER:-}" && -n "${KUBE_API_SERVER_RUNASGROUP:-}" && -n "${KUBE_PKI_READERS_GROUP:-}" ]]; then
sed -i -e "s@{{runAsUser}}@\"runAsUser\": ${KUBE_API_SERVER_RUNASUSER},@g" "${src_file}" sed -i -e "s@{{runAsUser}}@\"runAsUser\": ${KUBE_API_SERVER_RUNASUSER},@g" "${src_file}"
sed -i -e "s@{{runAsGroup}}@\"runAsGroup\": ${KUBE_API_SERVER_RUNASGROUP},@g" "${src_file}" sed -i -e "s@{{runAsGroup}}@\"runAsGroup\": ${KUBE_API_SERVER_RUNASGROUP},@g" "${src_file}"
sed -i -e "s@{{capabilities}}@\"capabilities\": { \"drop\": [\"all\"], \"add\": [\"NET_BIND_SERVICE\"]},@g" "${src_file}" sed -i -e "s@{{containerSecurityContext}}@\"securityContext\": { \"capabilities\": { \"drop\": [\"all\"], \"add\": [\"NET_BIND_SERVICE\"] } },@g" "${src_file}"
sed -i -e "s@{{allowPrivilegeEscalation}}@\"allowPrivilegeEscalation\": false,@g" "${src_file}"
local supplementalGroups="${KUBE_PKI_READERS_GROUP}" local supplementalGroups="${KUBE_PKI_READERS_GROUP}"
if [[ -n "${KMS_PLUGIN_SOCKET_WRITER_GROUP:-}" ]]; then if [[ -n "${KMS_PLUGIN_SOCKET_WRITER_GROUP:-}" ]]; then
supplementalGroups+=",${KMS_PLUGIN_SOCKET_WRITER_GROUP}" supplementalGroups+=",${KMS_PLUGIN_SOCKET_WRITER_GROUP}"
@ -425,8 +424,7 @@ function start-kube-apiserver {
else else
sed -i -e "s@{{runAsUser}}@@g" "${src_file}" sed -i -e "s@{{runAsUser}}@@g" "${src_file}"
sed -i -e "s@{{runAsGroup}}@@g" "${src_file}" sed -i -e "s@{{runAsGroup}}@@g" "${src_file}"
sed -i -e "s@{{capabilities}}@@g" "${src_file}" sed -i -e "s@{{containerSecurityContext}}@@g" "${src_file}"
sed -i -e "s@{{allowPrivilegeEscalation}}@@g" "${src_file}"
sed -i -e "s@{{supplementalGroups}}@@g" "${src_file}" sed -i -e "s@{{supplementalGroups}}@@g" "${src_file}"
fi fi

3
cluster/gce/manifests/kube-apiserver.manifest
View File

@ -13,8 +13,6 @@
"securityContext": { "securityContext": {
{{runAsUser}} {{runAsUser}}
{{runAsGroup}} {{runAsGroup}}
{{capabilities}}
{{allowPrivilegeEscalation}}
{{supplementalGroups}} {{supplementalGroups}}
"seccompProfile": { "seccompProfile": {
"type": "RuntimeDefault" "type": "RuntimeDefault"
@ -26,6 +24,7 @@
"containers":[ "containers":[
{ {
"name": "kube-apiserver", "name": "kube-apiserver",
{{containerSecurityContext}}
"image": "{{pillar['kube_docker_registry']}}/kube-apiserver-amd64:{{pillar['kube-apiserver_docker_tag']}}", "image": "{{pillar['kube_docker_registry']}}/kube-apiserver-amd64:{{pillar['kube-apiserver_docker_tag']}}",
"resources": { "resources": {
"requests": { "requests": {