Update konnectivity network proxy server to run as non-root, by default in kube-up.

cluster/gce/gci/configure-helper.sh

@@ -1935,6 +1935,26 @@ function prepare-konnectivity-server-manifest {
   sed -i -e "s@{{ *health_port *}}@$2@g" "${temp_file}"
   sed -i -e "s@{{ *admin_port *}}@$3@g" "${temp_file}"
   sed -i -e "s@{{ *liveness_probe_initial_delay *}}@30@g" "${temp_file}"
+  if [[ -n "${KONNECTIVITY_SERVER_RUNASUSER:-}" && -n "${KONNECTIVITY_SERVER_RUNASGROUP:-}" && -n "${KONNECTIVITY_SERVER_SOCKET_WRITER_GROUP:-}" ]]; then
+    sed -i -e "s@{{ *run_as_user *}}@runAsUser: ${KONNECTIVITY_SERVER_RUNASUSER}@g" "${temp_file}"
+    sed -i -e "s@{{ *run_as_group *}}@runAsGroup: ${KONNECTIVITY_SERVER_RUNASGROUP}@g" "${temp_file}"
+    sed -i -e "s@{{ *supplemental_groups *}}@supplementalGroups: [${KUBE_PKI_READERS_GROUP}]@g" "${temp_file}"
+    sed -i -e "s@{{ *container_security_context *}}@securityContext:@g" "${temp_file}"
+    sed -i -e "s@{{ *capabilities *}}@capabilities:@g" "${temp_file}"
+    sed -i -e "s@{{ *drop_capabilities *}}@drop: [ ALL ]@g" "${temp_file}"
+    sed -i -e "s@{{ *disallow_privilege_escalation *}}@allowPrivilegeEscalation: false@g" "${temp_file}"
+    mkdir -p /etc/srv/kubernetes/konnectivity-server/
+    chown -R "${KONNECTIVITY_SERVER_RUNASUSER}":"${KONNECTIVITY_SERVER_RUNASGROUP}" /etc/srv/kubernetes/konnectivity-server
+    chmod g+w /etc/srv/kubernetes/konnectivity-server
+  else
+    sed -i -e "s@{{ *run_as_user *}}@@g" "${temp_file}"
+    sed -i -e "s@{{ *run_as_group *}}@@g" "${temp_file}"
+    sed -i -e "s@{{ *supplemental_groups *}}@@g" "${temp_file}"
+    sed -i -e "s@{{ *container_security_context *}}@@g" "${temp_file}"
+    sed -i -e "s@{{ *capabilities *}}@@g" "${temp_file}"
+    sed -i -e "s@{{ *drop_capabilities *}}@@g" "${temp_file}"
+    sed -i -e "s@{{ *disallow_privilege_escalation *}}@@g" "${temp_file}"
+  fi
   mv "${temp_file}" /etc/kubernetes/manifests
 }
 
@@ -1943,7 +1963,7 @@ function prepare-konnectivity-server-manifest {
 # in the manifests, and copies them to /etc/kubernetes/manifests.
 function start-konnectivity-server {
   echo "Start konnectivity server pods"
-  prepare-log-file /var/log/konnectivity-server.log
+  prepare-log-file /var/log/konnectivity-server.log "${KONNECTIVITY_SERVER_RUNASUSER:-0}"
   prepare-konnectivity-server-manifest "8132" "8133" "8134"
 }
 

cluster/gce/manifests/konnectivity-server.yaml

@@ -6,6 +6,9 @@ metadata:
   component: konnectivity-server
 spec:
   securityContext:
+    {{ run_as_user }}
+    {{ run_as_group }}
+    {{ supplemental_groups }}
     seccompProfile:
       type: RuntimeDefault
   priorityClassName: system-node-critical
@@ -13,6 +16,10 @@ spec:
   hostNetwork: true
   containers:
   - name: konnectivity-server-container
+    {{ container_security_context }}:
+      {{ disallow_privilege_escalation}}
+      {{ capabilities }}
+        {{ drop_capabilities }}
     image: k8s.gcr.io/kas-network-proxy/proxy-server:v0.0.15
     resources:
       requests:

cluster/gce/util.sh

@@ -1367,6 +1367,9 @@ KUBE_PKI_READERS_GROUP: 2005
 ETCD_RUNASUSER: 2006
 ETCD_RUNASGROUP: 2006
 KUBE_POD_LOG_READERS_GROUP: 2007
+KONNECTIVITY_SERVER_RUNASUSER: 2008
+KONNECTIVITY_SERVER_RUNASGROUP: 2008
+KONNECTIVITY_SERVER_SOCKET_WRITER_GROUP: 2008
 EOF
     # KUBE_APISERVER_REQUEST_TIMEOUT_SEC (if set) controls the --request-timeout
     # flag