From 8f8f1bad7219a952d32ba6f33cd2639872859f10 Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Thu, 13 Aug 2020 08:45:36 +0100
Subject: [PATCH] Update yaml files to use seccomp GA syntax
---
.../glbc/default-svc-controller.yaml | 5 +++--
cluster/addons/dashboard/dashboard.yaml | 5 +++--
.../dns-horizontal-autoscaler.yaml | 4 ++--
cluster/addons/dns/coredns/coredns.yaml.base | 5 +++--
cluster/addons/dns/coredns/coredns.yaml.in | 5 +++--
cluster/addons/dns/coredns/coredns.yaml.sed | 5 +++--
cluster/addons/dns/kube-dns/kube-dns.yaml.base | 3 ++-
cluster/addons/dns/kube-dns/kube-dns.yaml.in | 3 ++-
cluster/addons/dns/kube-dns/kube-dns.yaml.sed | 3 ++-
.../addons/fluentd-elasticsearch/fluentd-es-ds.yaml | 8 +++-----
.../fluentd-elasticsearch/kibana-deployment.yaml | 5 +++--
.../metadata-agent/stackdriver/metadata-agent.yaml | 10 ++++++----
.../metrics-server/metrics-server-deployment.yaml | 5 +++--
cluster/gce/manifests/cluster-autoscaler.manifest | 8 +++++---
cluster/gce/manifests/etcd.manifest | 10 ++++++----
cluster/gce/manifests/glbc.manifest | 4 +++-
cluster/gce/manifests/konnectivity-server.yaml | 5 +++--
cluster/gce/manifests/kube-addon-manager.yaml | 4 ++--
cluster/gce/manifests/kube-apiserver.manifest | 8 +++++---
cluster/gce/manifests/kube-controller-manager.manifest | 6 +++---
cluster/gce/manifests/kube-scheduler.manifest | 6 +++---
21 files changed, 68 insertions(+), 49 deletions(-)
diff --git a/cluster/addons/cluster-loadbalancing/glbc/default-svc-controller.yaml b/cluster/addons/cluster-loadbalancing/glbc/default-svc-controller.yaml
index 27a5fc1f783..64d0a798a41 100644
--- a/cluster/addons/cluster-loadbalancing/glbc/default-svc-controller.yaml
+++ b/cluster/addons/cluster-loadbalancing/glbc/default-svc-controller.yaml
@@ -17,9 +17,10 @@ spec: labels: k8s-app: glbc name: glbc - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: + securityContext: + seccompProfile: + type: RuntimeDefault containers: - name: default-http-backend # Any image is permissible as long as:
diff --git a/cluster/addons/dashboard/dashboard.yaml b/cluster/addons/dashboard/dashboard.yaml
index ca92e6bd689..d13af3172f9 100644
--- a/cluster/addons/dashboard/dashboard.yaml
+++ b/cluster/addons/dashboard/dashboard.yaml
@@ -261,9 +261,10 @@ spec: metadata: labels: k8s-app: dashboard-metrics-scraper - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'runtime/default' spec: + securityContext: + seccompProfile: + type: RuntimeDefault containers: - name: dashboard-metrics-scraper image: kubernetesui/metrics-scraper:v1.0.4
diff --git a/cluster/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler.yaml b/cluster/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler.yaml
index e12d4063018..1474bca9883 100644
--- a/cluster/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler.yaml
+++ b/cluster/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler.yaml
@@ -75,11 +75,11 @@ spec: metadata: labels: k8s-app: kube-dns-autoscaler - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: priorityClassName: system-cluster-critical securityContext: + seccompProfile: + type: RuntimeDefault supplementalGroups: [ 65534 ] fsGroup: 65534 nodeSelector:
diff --git a/cluster/addons/dns/coredns/coredns.yaml.base b/cluster/addons/dns/coredns/coredns.yaml.base
index 23ddd0c06a8..b04f8fb9cc2 100644
--- a/cluster/addons/dns/coredns/coredns.yaml.base
+++ b/cluster/addons/dns/coredns/coredns.yaml.base
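Review bot: Dropping the `seccomp.security.alpha.kubernetes.io/pod` annotation in the same hunk that introduces `securityContext.seccompProfile` removes the only fallback for version skew: an API server or kubelet that predates the GA field strips the unknown key on decode, and the pod is then admitted with no seccomp filter at all and nothing failing loudly (inferred from the field being new; confirm against the minimum version these manifests are deployed to). The same pattern is repeated in every hunk of this patch, including the static-pod manifests under cluster/gce/manifests that the kubelet reads directly. If the addon and static-pod manifests are guaranteed to ship with a matching kubelet this is fine; otherwise keeping the annotation next to the field for one release, with both naming the same profile (`runtime/default` alongside `RuntimeDefault`), is the safer sequencing. Pod-level `seccompProfile` is also only a default: a container that sets its own `securityContext.seccompProfile` overrides it, and the container specs are outside these hunks.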
@@ -108,9 +108,10 @@ spec: metadata: labels: k8s-app: kube-dns - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'runtime/default' spec: + securityContext: + seccompProfile: + type: RuntimeDefault priorityClassName: system-cluster-critical serviceAccountName: coredns affinity:
diff --git a/cluster/addons/dns/coredns/coredns.yaml.in b/cluster/addons/dns/coredns/coredns.yaml.in
index 55e6f33bd44..dd76ff33f8e 100644
--- a/cluster/addons/dns/coredns/coredns.yaml.in
+++ b/cluster/addons/dns/coredns/coredns.yaml.in
@@ -108,9 +108,10 @@ spec: metadata: labels: k8s-app: kube-dns - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'runtime/default' spec: + securityContext: + seccompProfile: + type: RuntimeDefault priorityClassName: system-cluster-critical serviceAccountName: coredns affinity:
diff --git a/cluster/addons/dns/coredns/coredns.yaml.sed b/cluster/addons/dns/coredns/coredns.yaml.sed
index aad2a143635..ebe0c7182e8 100644
--- a/cluster/addons/dns/coredns/coredns.yaml.sed
+++ b/cluster/addons/dns/coredns/coredns.yaml.sed
@@ -108,9 +108,10 @@ spec: metadata: labels: k8s-app: kube-dns - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'runtime/default' spec: + securityContext: + seccompProfile: + type: RuntimeDefault priorityClassName: system-cluster-critical serviceAccountName: coredns affinity:
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.base b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
index 2c4cc54c957..b6b288447a4 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.base
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
@@ -82,12 +82,13 @@ spec: labels: k8s-app: kube-dns annotations: - seccomp.security.alpha.kubernetes.io/pod: 'runtime/default' prometheus.io/port: "10054" prometheus.io/scrape: "true" spec: priorityClassName: system-cluster-critical securityContext: + seccompProfile: + type: RuntimeDefault supplementalGroups: [ 65534 ] fsGroup: 65534 affinity:
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.in b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
index 0f2a61bd79b..7a539d34e56 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.in
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
@@ -82,12 +82,13 @@ spec: labels: k8s-app: kube-dns annotations: - seccomp.security.alpha.kubernetes.io/pod: 'runtime/default' prometheus.io/port: "10054" prometheus.io/scrape: "true" spec: priorityClassName: system-cluster-critical securityContext: + seccompProfile: + type: RuntimeDefault supplementalGroups: [ 65534 ] fsGroup: 65534 affinity:
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
index 3a87e0575c7..40a3e84e683 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
@@ -82,12 +82,13 @@ spec: labels: k8s-app: kube-dns annotations: - seccomp.security.alpha.kubernetes.io/pod: 'runtime/default' prometheus.io/port: "10054" prometheus.io/scrape: "true" spec: priorityClassName: system-cluster-critical securityContext: + seccompProfile: + type: RuntimeDefault supplementalGroups: [ 65534 ] fsGroup: 65534 affinity:
diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-ds.yaml b/cluster/addons/fluentd-elasticsearch/fluentd-es-ds.yaml
index 1ed3494f5e5..2a031a68d30 100644
--- a/cluster/addons/fluentd-elasticsearch/fluentd-es-ds.yaml
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-ds.yaml
@@ -61,12 +61,10 @@ spec: labels: k8s-app: fluentd-es version: v3.0.2 - # This annotation ensures that fluentd does not get evicted if the node - # supports critical pod annotation based priority scheme. - # Note that this does not guarantee admission on the nodes (#40573). - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: + securityContext: + seccompProfile: + type: RuntimeDefault priorityClassName: system-node-critical serviceAccountName: fluentd-es containers:
diff --git a/cluster/addons/fluentd-elasticsearch/kibana-deployment.yaml b/cluster/addons/fluentd-elasticsearch/kibana-deployment.yaml
index f087f7427da..9b6b387dde2 100644
--- a/cluster/addons/fluentd-elasticsearch/kibana-deployment.yaml
+++ b/cluster/addons/fluentd-elasticsearch/kibana-deployment.yaml
@@ -15,9 +15,10 @@ spec: metadata: labels: k8s-app: kibana-logging - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: + securityContext: + seccompProfile: + type: RuntimeDefault containers: - name: kibana-logging image: docker.elastic.co/kibana/kibana-oss:7.2.0
diff --git a/cluster/addons/metadata-agent/stackdriver/metadata-agent.yaml b/cluster/addons/metadata-agent/stackdriver/metadata-agent.yaml
index 196e8ac10f7..e688c594d24 100644
--- a/cluster/addons/metadata-agent/stackdriver/metadata-agent.yaml
+++ b/cluster/addons/metadata-agent/stackdriver/metadata-agent.yaml
@@ -24,9 +24,10 @@ spec: metadata: labels: app: metadata-agent - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: metadata-agent priorityClassName: system-node-critical nodeSelector:
@@ -88,9 +89,10 @@ spec: metadata: labels: app: metadata-agent-cluster-level - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: metadata-agent priorityClassName: system-cluster-critical nodeSelector:
diff --git a/cluster/addons/metrics-server/metrics-server-deployment.yaml b/cluster/addons/metrics-server/metrics-server-deployment.yaml
index 987543ebaeb..cb5f2dbb3b0 100644
--- a/cluster/addons/metrics-server/metrics-server-deployment.yaml
+++ b/cluster/addons/metrics-server/metrics-server-deployment.yaml
@@ -41,9 +41,10 @@ spec: labels: k8s-app: metrics-server version: v0.3.6 - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: + securityContext: + seccompProfile: + type: RuntimeDefault priorityClassName: system-cluster-critical serviceAccountName: metrics-server nodeSelector:
diff --git a/cluster/gce/manifests/cluster-autoscaler.manifest b/cluster/gce/manifests/cluster-autoscaler.manifest
index 4fe711e4c9c..209b4bcb10a 100644
--- a/cluster/gce/manifests/cluster-autoscaler.manifest
+++ b/cluster/gce/manifests/cluster-autoscaler.manifest
@@ -7,12 +7,14 @@ "labels": { "tier": "cluster-management", "component": "cluster-autoscaler" - }, - "annotations": { - "seccomp.security.alpha.kubernetes.io/pod": "docker/default" } }, "spec": { + "securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + }, "hostNetwork": true, "containers": [ {
diff --git a/cluster/gce/manifests/etcd.manifest b/cluster/gce/manifests/etcd.manifest
index 29f5783820c..de32212d154 100644
--- a/cluster/gce/manifests/etcd.manifest
+++ b/cluster/gce/manifests/etcd.manifest
@@ -3,12 +3,14 @@ "kind": "Pod", "metadata": { "name":"etcd-server{{ suffix }}", - "namespace": "kube-system", - "annotations": { - "seccomp.security.alpha.kubernetes.io/pod": "docker/default" - } + "namespace": "kube-system" }, "spec":{ +"securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } +}, "priorityClassName": "system-node-critical", "priority": 2000001000, "hostNetwork": true,
diff --git a/cluster/gce/manifests/glbc.manifest b/cluster/gce/manifests/glbc.manifest
index 68654412e49..05f0b93cc6f 100644
--- a/cluster/gce/manifests/glbc.manifest
+++ b/cluster/gce/manifests/glbc.manifest
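Review bot: In the etcd.manifest hunk the inserted `"securityContext"` object appears to sit at column 0 inside `"spec":{` — the `+"securityContext": {` and `+},` lines carry no indent while `+ "seccompProfile": {` does — which is valid JSON but visibly out of step with the indented object around it; the kube-apiserver.manifest hunk later in this patch shows the same shape. The cluster-autoscaler.manifest hunk just above is the form to match, with `"securityContext"` indented one level under `"spec"`. Since these .manifest files are templates (`{{ suffix }}` is in the etcd context lines) that must render to JSON for the kubelet, a rendered-output JSON validity check in CI would catch a misplaced brace in hand-edited blocks like this one before a control-plane static pod fails to load.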
@@ -5,11 +5,13 @@ metadata: namespace: kube-system annotations: scheduler.alpha.kubernetes.io/critical-pod: '' - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' labels: k8s-app: gcp-lb-controller kubernetes.io/name: "GLBC" spec: + securityContext: + seccompProfile: + type: RuntimeDefault priorityClassName: system-node-critical priority: 2000001000 terminationGracePeriodSeconds: 600
diff --git a/cluster/gce/manifests/konnectivity-server.yaml b/cluster/gce/manifests/konnectivity-server.yaml
index d762c0d498c..88f7f3f22a8 100644
--- a/cluster/gce/manifests/konnectivity-server.yaml
+++ b/cluster/gce/manifests/konnectivity-server.yaml
@@ -3,10 +3,11 @@ kind: Pod metadata: name: konnectivity-server namespace: kube-system - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' component: konnectivity-server spec: + securityContext: + seccompProfile: + type: RuntimeDefault priorityClassName: system-node-critical priority: 2000001000 hostNetwork: true
diff --git a/cluster/gce/manifests/kube-addon-manager.yaml b/cluster/gce/manifests/kube-addon-manager.yaml
index bce6a3a34ec..5597e0e31dc 100644
--- a/cluster/gce/manifests/kube-addon-manager.yaml
+++ b/cluster/gce/manifests/kube-addon-manager.yaml
@@ -3,12 +3,12 @@ kind: Pod metadata: name: kube-addon-manager namespace: kube-system - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' labels: component: kube-addon-manager spec: securityContext: + seccompProfile: + type: RuntimeDefault runAsUser: {{runAsUser}} runAsGroup: {{runAsGroup}} priorityClassName: system-node-critical
diff --git a/cluster/gce/manifests/kube-apiserver.manifest b/cluster/gce/manifests/kube-apiserver.manifest
index 04f400797ba..b79ffbe2650 100644
--- a/cluster/gce/manifests/kube-apiserver.manifest
+++ b/cluster/gce/manifests/kube-apiserver.manifest
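Review bot: With the seccomp line gone, the `annotations:` mapping in glbc.manifest retains only `scheduler.alpha.kubernetes.io/critical-pod: ''`, a legacy alpha annotation of the same vintage as the one this patch retires, while the pod already carries `priorityClassName: system-node-critical` in the hunk's context lines, which is the supported replacement. If the target release no longer honours the critical-pod annotation (I believe it was retired several releases before this change, but verify against the supported skew), the whole `annotations:` block can be dropped in this same sweep rather than leaving an empty-valued alpha key for the next reader to puzzle over.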
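Review bot: In the konnectivity-server.yaml hunk the context line `component: konnectivity-server` directly follows the removed `annotations:` key, so it cannot be an annotation and must be a direct child of `metadata:` (unless this rendering hides structure); ObjectMeta has no `component` field, so a lenient decoder drops it silently and the pod ends up without the label this line was presumably meant to set. It reads like it belongs under `labels:`, the way `component: kube-addon-manager` sits under `labels:` in the kube-addon-manager.yaml hunk of this same patch. Worth fixing in this sweep by nesting it as `labels:` / `  component: konnectivity-server`, then checking whether anything selects konnectivity-server pods by that label.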
@@ -4,15 +4,17 @@ "metadata": { "name":"kube-apiserver", "namespace": "kube-system", - "annotations": { - "seccomp.security.alpha.kubernetes.io/pod": "docker/default" - }, "labels": { "tier": "control-plane", "component": "kube-apiserver" } }, "spec":{ +"securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } +}, "priorityClassName": "system-node-critical", "priority": 2000001000, "hostNetwork": true,
diff --git a/cluster/gce/manifests/kube-controller-manager.manifest b/cluster/gce/manifests/kube-controller-manager.manifest
index ce436ff61b8..09754285822 100644
--- a/cluster/gce/manifests/kube-controller-manager.manifest
+++ b/cluster/gce/manifests/kube-controller-manager.manifest
@@ -4,9 +4,6 @@ "metadata": { "name":"kube-controller-manager", "namespace": "kube-system", - "annotations": { - "seccomp.security.alpha.kubernetes.io/pod": "docker/default" - }, "labels": { "tier": "control-plane", "component": "kube-controller-manager"
@@ -14,6 +11,9 @@ }, "spec":{ "securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + }, "runAsUser": {{runAsUser}}, "runAsGroup": {{runAsGroup}} },
diff --git a/cluster/gce/manifests/kube-scheduler.manifest b/cluster/gce/manifests/kube-scheduler.manifest
index 616d8457635..b4f6bf8184f 100644
--- a/cluster/gce/manifests/kube-scheduler.manifest
+++ b/cluster/gce/manifests/kube-scheduler.manifest
@@ -4,9 +4,6 @@ "metadata": { "name":"kube-scheduler", "namespace": "kube-system", - "annotations": { - "seccomp.security.alpha.kubernetes.io/pod": "docker/default" - }, "labels": { "tier": "control-plane", "component": "kube-scheduler"
@@ -14,6 +11,9 @@ }, "spec":{ "securityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + }, "runAsUser": {{runAsUser}}, "runAsGroup": {{runAsGroup}} },