Merge pull request #93095 from pjbgf/migrate-seccomp-usage-to-ga

Update yaml files to use seccomp GA syntax
Kubernetes Prow Robot 2020-08-28 12:35:49 -07:00 committed by GitHub
commit b440ecc315
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 68 additions and 49 deletions


@ -17,9 +17,10 @@ spec:
labels: labels:
k8s-app: glbc k8s-app: glbc
name: glbc name: glbc
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: default-http-backend - name: default-http-backend
# Any image is permissible as long as: # Any image is permissible as long as:
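Review bot: Removing the `seccomp.security.alpha.kubernetes.io/pod` annotation in the same change that adds `securityContext.seccompProfile` leaves no fallback for components that predate the field, here and in every other file section of this commit. The field became GA in Kubernetes 1.19; an older API server or kubelet would, as far as I can tell, ignore the unknown field and start the pod without a seccomp profile rather than reject it. This matters most for the bare `Pod` manifests further down (etcd, kube-apiserver, kube-controller-manager, kube-scheduler and the others), which look like manifests the kubelet reads directly. In the YAML manifests I would add a comment above each new block such as `# requires Kubernetes >= 1.19; older components silently ignore seccompProfile`, and after rollout confirm that a container process reports `Seccomp: 2` in `/proc/<pid>/status`. The pod spec continues past the end of this hunk.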


@ -261,9 +261,10 @@ spec:
metadata: metadata:
labels: labels:
k8s-app: dashboard-metrics-scraper k8s-app: dashboard-metrics-scraper
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: dashboard-metrics-scraper - name: dashboard-metrics-scraper
image: kubernetesui/metrics-scraper:v1.0.4 image: kubernetesui/metrics-scraper:v1.0.4


@ -75,11 +75,11 @@ spec:
metadata: metadata:
labels: labels:
k8s-app: kube-dns-autoscaler k8s-app: kube-dns-autoscaler
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec: spec:
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
securityContext: securityContext:
seccompProfile:
type: RuntimeDefault
supplementalGroups: [ 65534 ] supplementalGroups: [ 65534 ]
fsGroup: 65534 fsGroup: 65534
nodeSelector: nodeSelector:


@ -108,9 +108,10 @@ spec:
metadata: metadata:
labels: labels:
k8s-app: kube-dns k8s-app: kube-dns
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
serviceAccountName: coredns serviceAccountName: coredns
affinity: affinity:


@ -108,9 +108,10 @@ spec:
metadata: metadata:
labels: labels:
k8s-app: kube-dns k8s-app: kube-dns
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
serviceAccountName: coredns serviceAccountName: coredns
affinity: affinity:


@ -108,9 +108,10 @@ spec:
metadata: metadata:
labels: labels:
k8s-app: kube-dns k8s-app: kube-dns
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
serviceAccountName: coredns serviceAccountName: coredns
affinity: affinity:


@ -82,12 +82,13 @@ spec:
labels: labels:
k8s-app: kube-dns k8s-app: kube-dns
annotations: annotations:
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
prometheus.io/port: "10054" prometheus.io/port: "10054"
prometheus.io/scrape: "true" prometheus.io/scrape: "true"
spec: spec:
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
securityContext: securityContext:
seccompProfile:
type: RuntimeDefault
supplementalGroups: [ 65534 ] supplementalGroups: [ 65534 ]
fsGroup: 65534 fsGroup: 65534
affinity: affinity:


@ -82,12 +82,13 @@ spec:
labels: labels:
k8s-app: kube-dns k8s-app: kube-dns
annotations: annotations:
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
prometheus.io/port: "10054" prometheus.io/port: "10054"
prometheus.io/scrape: "true" prometheus.io/scrape: "true"
spec: spec:
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
securityContext: securityContext:
seccompProfile:
type: RuntimeDefault
supplementalGroups: [ 65534 ] supplementalGroups: [ 65534 ]
fsGroup: 65534 fsGroup: 65534
affinity: affinity:


@ -82,12 +82,13 @@ spec:
labels: labels:
k8s-app: kube-dns k8s-app: kube-dns
annotations: annotations:
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
prometheus.io/port: "10054" prometheus.io/port: "10054"
prometheus.io/scrape: "true" prometheus.io/scrape: "true"
spec: spec:
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
securityContext: securityContext:
seccompProfile:
type: RuntimeDefault
supplementalGroups: [ 65534 ] supplementalGroups: [ 65534 ]
fsGroup: 65534 fsGroup: 65534
affinity: affinity:


@ -61,12 +61,10 @@ spec:
labels: labels:
k8s-app: fluentd-es k8s-app: fluentd-es
version: v3.0.2 version: v3.0.2
# This annotation ensures that fluentd does not get evicted if the node
# supports critical pod annotation based priority scheme.
# Note that this does not guarantee admission on the nodes (#40573).
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
priorityClassName: system-node-critical priorityClassName: system-node-critical
serviceAccountName: fluentd-es serviceAccountName: fluentd-es
containers: containers:


@ -15,9 +15,10 @@ spec:
metadata: metadata:
labels: labels:
k8s-app: kibana-logging k8s-app: kibana-logging
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: kibana-logging - name: kibana-logging
image: docker.elastic.co/kibana/kibana-oss:7.2.0 image: docker.elastic.co/kibana/kibana-oss:7.2.0


@ -24,9 +24,10 @@ spec:
metadata: metadata:
labels: labels:
app: metadata-agent app: metadata-agent
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
serviceAccountName: metadata-agent serviceAccountName: metadata-agent
priorityClassName: system-node-critical priorityClassName: system-node-critical
nodeSelector: nodeSelector:
@ -88,9 +89,10 @@ spec:
metadata: metadata:
labels: labels:
app: metadata-agent-cluster-level app: metadata-agent-cluster-level
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
serviceAccountName: metadata-agent serviceAccountName: metadata-agent
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
nodeSelector: nodeSelector:


@ -41,9 +41,10 @@ spec:
labels: labels:
k8s-app: metrics-server k8s-app: metrics-server
version: v0.3.6 version: v0.3.6
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
serviceAccountName: metrics-server serviceAccountName: metrics-server
nodeSelector: nodeSelector:


@ -7,12 +7,14 @@
"labels": { "labels": {
"tier": "cluster-management", "tier": "cluster-management",
"component": "cluster-autoscaler" "component": "cluster-autoscaler"
},
"annotations": {
"seccomp.security.alpha.kubernetes.io/pod": "docker/default"
} }
}, },
"spec": { "spec": {
"securityContext": {
"seccompProfile": {
"type": "RuntimeDefault"
}
},
"hostNetwork": true, "hostNetwork": true,
"containers": [ "containers": [
{ {


@ -3,12 +3,14 @@
"kind": "Pod", "kind": "Pod",
"metadata": { "metadata": {
"name":"etcd-server{{ suffix }}", "name":"etcd-server{{ suffix }}",
"namespace": "kube-system", "namespace": "kube-system"
"annotations": {
"seccomp.security.alpha.kubernetes.io/pod": "docker/default"
}
}, },
"spec":{ "spec":{
"securityContext": {
"seccompProfile": {
"type": "RuntimeDefault"
}
},
"priorityClassName": "system-node-critical", "priorityClassName": "system-node-critical",
"priority": 2000001000, "priority": 2000001000,
"hostNetwork": true, "hostNetwork": true,


@ -5,11 +5,13 @@ metadata:
namespace: kube-system namespace: kube-system
annotations: annotations:
scheduler.alpha.kubernetes.io/critical-pod: '' scheduler.alpha.kubernetes.io/critical-pod: ''
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
labels: labels:
k8s-app: gcp-lb-controller k8s-app: gcp-lb-controller
kubernetes.io/name: "GLBC" kubernetes.io/name: "GLBC"
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
priorityClassName: system-node-critical priorityClassName: system-node-critical
priority: 2000001000 priority: 2000001000
terminationGracePeriodSeconds: 600 terminationGracePeriodSeconds: 600


@ -3,10 +3,11 @@ kind: Pod
metadata: metadata:
name: konnectivity-server name: konnectivity-server
namespace: kube-system namespace: kube-system
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
component: konnectivity-server component: konnectivity-server
spec: spec:
securityContext:
seccompProfile:
type: RuntimeDefault
priorityClassName: system-node-critical priorityClassName: system-node-critical
priority: 2000001000 priority: 2000001000
hostNetwork: true hostNetwork: true
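Review bot: With the `annotations:` key removed, the `component: konnectivity-server` line kept as context right after it may have lost its parent mapping. Indentation is not visible on this page, so I cannot tell whether `component` was nested under `annotations:` or sits directly under `metadata:`; either way the hunk shows no `labels:` key above it, which is where the kube-addon-manager manifest in this commit places the same key. If a label was intended, the two lines should read `labels:` followed by an indented `component: konnectivity-server`, so that selectors and policies keyed on that label actually match the pod. The pod spec continues outside the hunk.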


@ -3,12 +3,12 @@ kind: Pod
metadata: metadata:
name: kube-addon-manager name: kube-addon-manager
namespace: kube-system namespace: kube-system
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
labels: labels:
component: kube-addon-manager component: kube-addon-manager
spec: spec:
securityContext: securityContext:
seccompProfile:
type: RuntimeDefault
runAsUser: {{runAsUser}} runAsUser: {{runAsUser}}
runAsGroup: {{runAsGroup}} runAsGroup: {{runAsGroup}}
priorityClassName: system-node-critical priorityClassName: system-node-critical


@ -4,15 +4,17 @@
"metadata": { "metadata": {
"name":"kube-apiserver", "name":"kube-apiserver",
"namespace": "kube-system", "namespace": "kube-system",
"annotations": {
"seccomp.security.alpha.kubernetes.io/pod": "docker/default"
},
"labels": { "labels": {
"tier": "control-plane", "tier": "control-plane",
"component": "kube-apiserver" "component": "kube-apiserver"
} }
}, },
"spec":{ "spec":{
"securityContext": {
"seccompProfile": {
"type": "RuntimeDefault"
}
},
"priorityClassName": "system-node-critical", "priorityClassName": "system-node-critical",
"priority": 2000001000, "priority": 2000001000,
"hostNetwork": true, "hostNetwork": true,


@ -4,9 +4,6 @@
"metadata": { "metadata": {
"name":"kube-controller-manager", "name":"kube-controller-manager",
"namespace": "kube-system", "namespace": "kube-system",
"annotations": {
"seccomp.security.alpha.kubernetes.io/pod": "docker/default"
},
"labels": { "labels": {
"tier": "control-plane", "tier": "control-plane",
"component": "kube-controller-manager" "component": "kube-controller-manager"
@ -14,6 +11,9 @@
}, },
"spec":{ "spec":{
"securityContext": { "securityContext": {
"seccompProfile": {
"type": "RuntimeDefault"
},
"runAsUser": {{runAsUser}}, "runAsUser": {{runAsUser}},
"runAsGroup": {{runAsGroup}} "runAsGroup": {{runAsGroup}}
}, },


@ -4,9 +4,6 @@
"metadata": { "metadata": {
"name":"kube-scheduler", "name":"kube-scheduler",
"namespace": "kube-system", "namespace": "kube-system",
"annotations": {
"seccomp.security.alpha.kubernetes.io/pod": "docker/default"
},
"labels": { "labels": {
"tier": "control-plane", "tier": "control-plane",
"component": "kube-scheduler" "component": "kube-scheduler"
@ -14,6 +11,9 @@
}, },
"spec":{ "spec":{
"securityContext": { "securityContext": {
"seccompProfile": {
"type": "RuntimeDefault"
},
"runAsUser": {{runAsUser}}, "runAsUser": {{runAsUser}},
"runAsGroup": {{runAsGroup}} "runAsGroup": {{runAsGroup}}
}, },