Merge pull request #93095 from pjbgf/migrate-seccomp-usage-to-ga
Update yaml files to use seccomp GA syntax
This commit is contained in:
commit
b440ecc315
@ -17,9 +17,10 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
k8s-app: glbc
|
k8s-app: glbc
|
||||||
name: glbc
|
name: glbc
|
||||||
annotations:
|
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
containers:
|
containers:
|
||||||
- name: default-http-backend
|
- name: default-http-backend
|
||||||
# Any image is permissible as long as:
|
# Any image is permissible as long as:
|
||||||
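Review bot: The pod now relies solely on `securityContext.seccompProfile.type: RuntimeDefault`, which is only enforced by a kubelet that knows the GA field; on an older kubelet the field is dropped as unknown and nothing replaces the deleted `seccomp.security.alpha.kubernetes.io/pod` annotation, so the pod would run seccomp-unconfined rather than fail closed. For pods created through the apiserver this is presumably covered by the version-skew handling that mirrors the field back into the annotation, but that should be confirmed against the minimum node version this addon targets. The translation itself looks correct, since both `docker/default` and `runtime/default` name the container runtime's default profile. A one-line comment above the new `securityContext:`, e.g. `# Pod-level seccomp; replaces the deprecated seccomp.security.alpha.kubernetes.io/pod annotation`, would help anyone diffing against older manifests. The Deployment spec begins and continues outside this hunk.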
|
@ -261,9 +261,10 @@ spec:
|
|||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: dashboard-metrics-scraper
|
k8s-app: dashboard-metrics-scraper
|
||||||
annotations:
|
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
|
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
containers:
|
containers:
|
||||||
- name: dashboard-metrics-scraper
|
- name: dashboard-metrics-scraper
|
||||||
image: kubernetesui/metrics-scraper:v1.0.4
|
image: kubernetesui/metrics-scraper:v1.0.4
|
||||||
|
@ -75,11 +75,11 @@ spec:
|
|||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kube-dns-autoscaler
|
k8s-app: kube-dns-autoscaler
|
||||||
annotations:
|
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
|
||||||
spec:
|
spec:
|
||||||
priorityClassName: system-cluster-critical
|
priorityClassName: system-cluster-critical
|
||||||
securityContext:
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
supplementalGroups: [ 65534 ]
|
supplementalGroups: [ 65534 ]
|
||||||
fsGroup: 65534
|
fsGroup: 65534
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
|
@ -108,9 +108,10 @@ spec:
|
|||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kube-dns
|
k8s-app: kube-dns
|
||||||
annotations:
|
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
|
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
priorityClassName: system-cluster-critical
|
priorityClassName: system-cluster-critical
|
||||||
serviceAccountName: coredns
|
serviceAccountName: coredns
|
||||||
affinity:
|
affinity:
|
||||||
|
@ -108,9 +108,10 @@ spec:
|
|||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kube-dns
|
k8s-app: kube-dns
|
||||||
annotations:
|
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
|
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
priorityClassName: system-cluster-critical
|
priorityClassName: system-cluster-critical
|
||||||
serviceAccountName: coredns
|
serviceAccountName: coredns
|
||||||
affinity:
|
affinity:
|
||||||
|
@ -108,9 +108,10 @@ spec:
|
|||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kube-dns
|
k8s-app: kube-dns
|
||||||
annotations:
|
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
|
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
priorityClassName: system-cluster-critical
|
priorityClassName: system-cluster-critical
|
||||||
serviceAccountName: coredns
|
serviceAccountName: coredns
|
||||||
affinity:
|
affinity:
|
||||||
|
@ -82,12 +82,13 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
k8s-app: kube-dns
|
k8s-app: kube-dns
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
|
|
||||||
prometheus.io/port: "10054"
|
prometheus.io/port: "10054"
|
||||||
prometheus.io/scrape: "true"
|
prometheus.io/scrape: "true"
|
||||||
spec:
|
spec:
|
||||||
priorityClassName: system-cluster-critical
|
priorityClassName: system-cluster-critical
|
||||||
securityContext:
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
supplementalGroups: [ 65534 ]
|
supplementalGroups: [ 65534 ]
|
||||||
fsGroup: 65534
|
fsGroup: 65534
|
||||||
affinity:
|
affinity:
|
||||||
|
@ -82,12 +82,13 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
k8s-app: kube-dns
|
k8s-app: kube-dns
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
|
|
||||||
prometheus.io/port: "10054"
|
prometheus.io/port: "10054"
|
||||||
prometheus.io/scrape: "true"
|
prometheus.io/scrape: "true"
|
||||||
spec:
|
spec:
|
||||||
priorityClassName: system-cluster-critical
|
priorityClassName: system-cluster-critical
|
||||||
securityContext:
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
supplementalGroups: [ 65534 ]
|
supplementalGroups: [ 65534 ]
|
||||||
fsGroup: 65534
|
fsGroup: 65534
|
||||||
affinity:
|
affinity:
|
||||||
|
@ -82,12 +82,13 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
k8s-app: kube-dns
|
k8s-app: kube-dns
|
||||||
annotations:
|
annotations:
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
|
|
||||||
prometheus.io/port: "10054"
|
prometheus.io/port: "10054"
|
||||||
prometheus.io/scrape: "true"
|
prometheus.io/scrape: "true"
|
||||||
spec:
|
spec:
|
||||||
priorityClassName: system-cluster-critical
|
priorityClassName: system-cluster-critical
|
||||||
securityContext:
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
supplementalGroups: [ 65534 ]
|
supplementalGroups: [ 65534 ]
|
||||||
fsGroup: 65534
|
fsGroup: 65534
|
||||||
affinity:
|
affinity:
|
||||||
|
@ -61,12 +61,10 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
k8s-app: fluentd-es
|
k8s-app: fluentd-es
|
||||||
version: v3.0.2
|
version: v3.0.2
|
||||||
# This annotation ensures that fluentd does not get evicted if the node
|
|
||||||
# supports critical pod annotation based priority scheme.
|
|
||||||
# Note that this does not guarantee admission on the nodes (#40573).
|
|
||||||
annotations:
|
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
priorityClassName: system-node-critical
|
priorityClassName: system-node-critical
|
||||||
serviceAccountName: fluentd-es
|
serviceAccountName: fluentd-es
|
||||||
containers:
|
containers:
|
||||||
|
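Review bot: The new pod-level `securityContext` carries no explanation, and `RuntimeDefault` resolves to whatever profile the node's container runtime ships, so the effective syscall filter for this DaemonSet can differ between docker and containerd nodes where the old `docker/default` annotation at least named the intent. A comment such as `# seccomp: inherit the node runtime's default profile (was the docker/default pod annotation)` above `securityContext:` would record that. Removing the three stale comment lines about the critical-pod annotation is reasonable, since the block they described only held the seccomp annotation on the old side. The DaemonSet template continues past the end of this hunk.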
@ -15,9 +15,10 @@ spec:
|
|||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kibana-logging
|
k8s-app: kibana-logging
|
||||||
annotations:
|
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
containers:
|
containers:
|
||||||
- name: kibana-logging
|
- name: kibana-logging
|
||||||
image: docker.elastic.co/kibana/kibana-oss:7.2.0
|
image: docker.elastic.co/kibana/kibana-oss:7.2.0
|
||||||
|
@ -24,9 +24,10 @@ spec:
|
|||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app: metadata-agent
|
app: metadata-agent
|
||||||
annotations:
|
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
serviceAccountName: metadata-agent
|
serviceAccountName: metadata-agent
|
||||||
priorityClassName: system-node-critical
|
priorityClassName: system-node-critical
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
@ -88,9 +89,10 @@ spec:
|
|||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app: metadata-agent-cluster-level
|
app: metadata-agent-cluster-level
|
||||||
annotations:
|
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
serviceAccountName: metadata-agent
|
serviceAccountName: metadata-agent
|
||||||
priorityClassName: system-cluster-critical
|
priorityClassName: system-cluster-critical
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
|
@ -41,9 +41,10 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
k8s-app: metrics-server
|
k8s-app: metrics-server
|
||||||
version: v0.3.6
|
version: v0.3.6
|
||||||
annotations:
|
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
priorityClassName: system-cluster-critical
|
priorityClassName: system-cluster-critical
|
||||||
serviceAccountName: metrics-server
|
serviceAccountName: metrics-server
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
|
@ -7,12 +7,14 @@
|
|||||||
"labels": {
|
"labels": {
|
||||||
"tier": "cluster-management",
|
"tier": "cluster-management",
|
||||||
"component": "cluster-autoscaler"
|
"component": "cluster-autoscaler"
|
||||||
},
|
|
||||||
"annotations": {
|
|
||||||
"seccomp.security.alpha.kubernetes.io/pod": "docker/default"
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"spec": {
|
"spec": {
|
||||||
|
"securityContext": {
|
||||||
|
"seccompProfile": {
|
||||||
|
"type": "RuntimeDefault"
|
||||||
|
}
|
||||||
|
},
|
||||||
"hostNetwork": true,
|
"hostNetwork": true,
|
||||||
"containers": [
|
"containers": [
|
||||||
{
|
{
|
||||||
|
@ -3,12 +3,14 @@
|
|||||||
"kind": "Pod",
|
"kind": "Pod",
|
||||||
"metadata": {
|
"metadata": {
|
||||||
"name":"etcd-server{{ suffix }}",
|
"name":"etcd-server{{ suffix }}",
|
||||||
"namespace": "kube-system",
|
"namespace": "kube-system"
|
||||||
"annotations": {
|
|
||||||
"seccomp.security.alpha.kubernetes.io/pod": "docker/default"
|
|
||||||
}
|
|
||||||
},
|
},
|
||||||
"spec":{
|
"spec":{
|
||||||
|
"securityContext": {
|
||||||
|
"seccompProfile": {
|
||||||
|
"type": "RuntimeDefault"
|
||||||
|
}
|
||||||
|
},
|
||||||
"priorityClassName": "system-node-critical",
|
"priorityClassName": "system-node-critical",
|
||||||
"priority": 2000001000,
|
"priority": 2000001000,
|
||||||
"hostNetwork": true,
|
"hostNetwork": true,
|
||||||
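Review bot: This is a static pod manifest read directly by the kubelet, so the apiserver's annotation/field skew handling does not apply; a kubelet that predates the GA `seccompProfile` field would drop it on decode and, with the annotation gone from `metadata`, start etcd with no seccomp profile at all. Presumably the kubelet shipped alongside these manifests is new enough, but since JSON cannot carry a comment it is worth stating that assumption in the PR description or keeping the annotation for one release. The trailing-comma change on `"namespace": "kube-system"` keeps the object valid. The same consideration applies to the other control-plane manifests migrated in this commit (kube-apiserver, kube-controller-manager, kube-scheduler, konnectivity-server); the `spec` object continues outside this hunk.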
|
@ -5,11 +5,13 @@ metadata:
|
|||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
annotations:
|
annotations:
|
||||||
scheduler.alpha.kubernetes.io/critical-pod: ''
|
scheduler.alpha.kubernetes.io/critical-pod: ''
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
|
||||||
labels:
|
labels:
|
||||||
k8s-app: gcp-lb-controller
|
k8s-app: gcp-lb-controller
|
||||||
kubernetes.io/name: "GLBC"
|
kubernetes.io/name: "GLBC"
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
priorityClassName: system-node-critical
|
priorityClassName: system-node-critical
|
||||||
priority: 2000001000
|
priority: 2000001000
|
||||||
terminationGracePeriodSeconds: 600
|
terminationGracePeriodSeconds: 600
|
||||||
|
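Review bot: The retained `scheduler.alpha.kubernetes.io/critical-pod: ''` annotation on the new side is the long-deprecated critical-pod marker, and this pod already sets `priorityClassName: system-node-critical` and `priority: 2000001000` a few lines below, so the annotation appears redundant. Since the commit is already retiring the alpha seccomp annotation from the same `annotations:` block, consider dropping the critical-pod one as well, or adding a comment on why it must stay. The seccomp migration itself is correct: `docker/default` maps to `RuntimeDefault`. The pod spec continues past the end of this hunk.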
@ -3,10 +3,11 @@ kind: Pod
|
|||||||
metadata:
|
metadata:
|
||||||
name: konnectivity-server
|
name: konnectivity-server
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
annotations:
|
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
|
||||||
component: konnectivity-server
|
component: konnectivity-server
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
priorityClassName: system-node-critical
|
priorityClassName: system-node-critical
|
||||||
priority: 2000001000
|
priority: 2000001000
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
|
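Review bot: On the new side `component: konnectivity-server` follows `namespace: kube-system` directly with no `labels:` key in view; indentation is not preserved in this rendering, but if that key really sits under `metadata:` rather than `metadata.labels`, it is an unknown field the kubelet silently drops and the pod carries no `component` label. Worth checking while this block is being edited, and moving it under `labels:` if so. The seccomp change itself is fine for a static pod on a kubelet that understands the GA field; the spec continues outside this hunk.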
@ -3,12 +3,12 @@ kind: Pod
|
|||||||
metadata:
|
metadata:
|
||||||
name: kube-addon-manager
|
name: kube-addon-manager
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
annotations:
|
|
||||||
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
|
|
||||||
labels:
|
labels:
|
||||||
component: kube-addon-manager
|
component: kube-addon-manager
|
||||||
spec:
|
spec:
|
||||||
securityContext:
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
runAsUser: {{runAsUser}}
|
runAsUser: {{runAsUser}}
|
||||||
runAsGroup: {{runAsGroup}}
|
runAsGroup: {{runAsGroup}}
|
||||||
priorityClassName: system-node-critical
|
priorityClassName: system-node-critical
|
||||||
|
@ -4,15 +4,17 @@
|
|||||||
"metadata": {
|
"metadata": {
|
||||||
"name":"kube-apiserver",
|
"name":"kube-apiserver",
|
||||||
"namespace": "kube-system",
|
"namespace": "kube-system",
|
||||||
"annotations": {
|
|
||||||
"seccomp.security.alpha.kubernetes.io/pod": "docker/default"
|
|
||||||
},
|
|
||||||
"labels": {
|
"labels": {
|
||||||
"tier": "control-plane",
|
"tier": "control-plane",
|
||||||
"component": "kube-apiserver"
|
"component": "kube-apiserver"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"spec":{
|
"spec":{
|
||||||
|
"securityContext": {
|
||||||
|
"seccompProfile": {
|
||||||
|
"type": "RuntimeDefault"
|
||||||
|
}
|
||||||
|
},
|
||||||
"priorityClassName": "system-node-critical",
|
"priorityClassName": "system-node-critical",
|
||||||
"priority": 2000001000,
|
"priority": 2000001000,
|
||||||
"hostNetwork": true,
|
"hostNetwork": true,
|
||||||
|
@ -4,9 +4,6 @@
|
|||||||
"metadata": {
|
"metadata": {
|
||||||
"name":"kube-controller-manager",
|
"name":"kube-controller-manager",
|
||||||
"namespace": "kube-system",
|
"namespace": "kube-system",
|
||||||
"annotations": {
|
|
||||||
"seccomp.security.alpha.kubernetes.io/pod": "docker/default"
|
|
||||||
},
|
|
||||||
"labels": {
|
"labels": {
|
||||||
"tier": "control-plane",
|
"tier": "control-plane",
|
||||||
"component": "kube-controller-manager"
|
"component": "kube-controller-manager"
|
||||||
@ -14,6 +11,9 @@
|
|||||||
},
|
},
|
||||||
"spec":{
|
"spec":{
|
||||||
"securityContext": {
|
"securityContext": {
|
||||||
|
"seccompProfile": {
|
||||||
|
"type": "RuntimeDefault"
|
||||||
|
},
|
||||||
"runAsUser": {{runAsUser}},
|
"runAsUser": {{runAsUser}},
|
||||||
"runAsGroup": {{runAsGroup}}
|
"runAsGroup": {{runAsGroup}}
|
||||||
},
|
},
|
||||||
|
@ -4,9 +4,6 @@
|
|||||||
"metadata": {
|
"metadata": {
|
||||||
"name":"kube-scheduler",
|
"name":"kube-scheduler",
|
||||||
"namespace": "kube-system",
|
"namespace": "kube-system",
|
||||||
"annotations": {
|
|
||||||
"seccomp.security.alpha.kubernetes.io/pod": "docker/default"
|
|
||||||
},
|
|
||||||
"labels": {
|
"labels": {
|
||||||
"tier": "control-plane",
|
"tier": "control-plane",
|
||||||
"component": "kube-scheduler"
|
"component": "kube-scheduler"
|
||||||
@ -14,6 +11,9 @@
|
|||||||
},
|
},
|
||||||
"spec":{
|
"spec":{
|
||||||
"securityContext": {
|
"securityContext": {
|
||||||
|
"seccompProfile": {
|
||||||
|
"type": "RuntimeDefault"
|
||||||
|
},
|
||||||
"runAsUser": {{runAsUser}},
|
"runAsUser": {{runAsUser}},
|
||||||
"runAsGroup": {{runAsGroup}}
|
"runAsGroup": {{runAsGroup}}
|
||||||
},
|
},
|
||||||
|