run etcd as nonroot

Co-authored-by: Vinayak Goyal <vinayakankugoyal@gmail.com>
2025-07-23 11:50:44 +00:00 · 2021-03-29 17:45:20 +00:00 · 2021-03-29 17:45:20 +00:00 · 9f058079d2
commit 9f058079d2
parent 931516a87b
2 changed files with 24 additions and 2 deletions
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@ -1858,6 +1858,18 @@ function prepare-etcd-manifest {
  fi
  # Replace the volume host path.
  sed -i -e "s@/mnt/master-pd/var/etcd@/mnt/disks/master-pd/var/etcd@g" "${temp_file}"
+  # Replace the run as user and run as group
+  pod_run_as_user=""
+  pod_run_as_group=""
+  container_security_context=""
+  if [[ -n "${ETCD_RUNASUSER:-}" && -n "${ETCD_RUNASGROUP:-}" ]]; then
+    pod_run_as_user="\"runAsUser\": ${ETCD_RUNASUSER},"
+    pod_run_as_group="\"runAsGroup\": ${ETCD_RUNASGROUP},"
+    container_security_context="\"securityContext\": {\"allowPrivilegeEscalation\": false, \"capabilities\": {\"drop\": [\"all\"]}},"
+  fi
+  sed -i -e "s@{{ run_as_user }}@${pod_run_as_user}@g" "${temp_file}"
+  sed -i -e "s@{{ run_as_group }}@${pod_run_as_group}@g" "${temp_file}"
+  sed -i -e "s@{{security_context}}@${container_security_context}@g" "${temp_file}"
  mv "${temp_file}" /etc/kubernetes/manifests
 }

@ -1878,10 +1890,13 @@ function start-etcd-servers {
  if [[ -e /etc/init.d/etcd ]]; then
    rm -f /etc/init.d/etcd
  fi
-  prepare-log-file /var/log/etcd.log
+  if [[ -n "${ETCD_RUNASUSER:-}" && -n "${ETCD_RUNASGROUP:-}" ]]; then
+    chown -R "${ETCD_RUNASUSER}":"${ETCD_RUNASGROUP}" /var/etcd/
+  fi
+  prepare-log-file /var/log/etcd.log "${ETCD_RUNASUSER:-0}"
  prepare-etcd-manifest "" "2379" "2380" "200m" "etcd.manifest"

-  prepare-log-file /var/log/etcd-events.log
+  prepare-log-file /var/log/etcd-events.log "${ETCD_RUNASUSER:-0}"
  prepare-etcd-manifest "-events" "4002" "2381" "100m" "etcd-events.manifest"
 }

--- a/cluster/gce/manifests/etcd.manifest
+++ b/cluster/gce/manifests/etcd.manifest
@ -7,6 +7,8 @@
 },
 "spec":{
 "securityContext": {
+    {{ run_as_user }}
+    {{ run_as_group }}
    "seccompProfile": {
        "type": "RuntimeDefault"
    }
@ -17,6 +19,7 @@
 "containers":[
    {
    "name": "etcd-container",
+    {{security_context}}
    "image": "{{ pillar.get('etcd_docker_repository', 'k8s.gcr.io/etcd') }}:{{ pillar.get('etcd_docker_tag', '3.4.13-0') }}",
    "resources": {
      "requests": {
@ -35,6 +38,10 @@
      { "name": "TARGET_VERSION",
        "value": "{{ pillar.get('etcd_version', '3.4.13') }}"
      },
+      {
+        "name": "DO_NOT_MOVE_BINARIES",
+        "value": "true"
+      },
      { "name": "DATA_DIRECTORY",
        "value": "/var/etcd/data{{ suffix }}"
      },