Update konnectivity network proxy server to run as non-root, by default in kube-up.
This commit is contained in:
parent
1bd00776b5
commit
b951b9349f
@ -1935,6 +1935,26 @@ function prepare-konnectivity-server-manifest {
|
|||||||
sed -i -e "s@{{ *health_port *}}@$2@g" "${temp_file}"
|
sed -i -e "s@{{ *health_port *}}@$2@g" "${temp_file}"
|
||||||
sed -i -e "s@{{ *admin_port *}}@$3@g" "${temp_file}"
|
sed -i -e "s@{{ *admin_port *}}@$3@g" "${temp_file}"
|
||||||
sed -i -e "s@{{ *liveness_probe_initial_delay *}}@30@g" "${temp_file}"
|
sed -i -e "s@{{ *liveness_probe_initial_delay *}}@30@g" "${temp_file}"
|
||||||
|
if [[ -n "${KONNECTIVITY_SERVER_RUNASUSER:-}" && -n "${KONNECTIVITY_SERVER_RUNASGROUP:-}" && -n "${KONNECTIVITY_SERVER_SOCKET_WRITER_GROUP:-}" ]]; then
|
||||||
|
sed -i -e "s@{{ *run_as_user *}}@runAsUser: ${KONNECTIVITY_SERVER_RUNASUSER}@g" "${temp_file}"
|
||||||
|
sed -i -e "s@{{ *run_as_group *}}@runAsGroup: ${KONNECTIVITY_SERVER_RUNASGROUP}@g" "${temp_file}"
|
||||||
|
sed -i -e "s@{{ *supplemental_groups *}}@supplementalGroups: [${KUBE_PKI_READERS_GROUP}]@g" "${temp_file}"
|
||||||
|
sed -i -e "s@{{ *container_security_context *}}@securityContext:@g" "${temp_file}"
|
||||||
|
sed -i -e "s@{{ *capabilities *}}@capabilities:@g" "${temp_file}"
|
||||||
|
sed -i -e "s@{{ *drop_capabilities *}}@drop: [ ALL ]@g" "${temp_file}"
|
||||||
|
sed -i -e "s@{{ *disallow_privilege_escalation *}}@allowPrivilegeEscalation: false@g" "${temp_file}"
|
||||||
|
mkdir -p /etc/srv/kubernetes/konnectivity-server/
|
||||||
|
chown -R "${KONNECTIVITY_SERVER_RUNASUSER}":"${KONNECTIVITY_SERVER_RUNASGROUP}" /etc/srv/kubernetes/konnectivity-server
|
||||||
|
chmod g+w /etc/srv/kubernetes/konnectivity-server
|
||||||
|
else
|
||||||
|
sed -i -e "s@{{ *run_as_user *}}@@g" "${temp_file}"
|
||||||
|
sed -i -e "s@{{ *run_as_group *}}@@g" "${temp_file}"
|
||||||
|
sed -i -e "s@{{ *supplemental_groups *}}@@g" "${temp_file}"
|
||||||
|
sed -i -e "s@{{ *container_security_context *}}@@g" "${temp_file}"
|
||||||
|
sed -i -e "s@{{ *capabilities *}}@@g" "${temp_file}"
|
||||||
|
sed -i -e "s@{{ *drop_capabilities *}}@@g" "${temp_file}"
|
||||||
|
sed -i -e "s@{{ *disallow_privilege_escalation *}}@@g" "${temp_file}"
|
||||||
|
fi
|
||||||
mv "${temp_file}" /etc/kubernetes/manifests
|
mv "${temp_file}" /etc/kubernetes/manifests
|
||||||
}
|
}
|
||||||
|
|
||||||
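Review bot: The guard opening the new block requires KONNECTIVITY_SERVER_SOCKET_WRITER_GROUP to be non-empty but never uses it, while KUBE_PKI_READERS_GROUP, which the supplementalGroups sed does splice into the manifest, is not checked at all; if that one is empty the container gets `supplementalGroups: []` and silently loses the group the name suggests is needed to read PKI material. Unless the socket-writer group is consumed elsewhere, the condition should test the variable that is actually used, e.g. `if [[ -n "${KONNECTIVITY_SERVER_RUNASUSER:-}" && -n "${KONNECTIVITY_SERVER_RUNASGROUP:-}" && -n "${KUBE_PKI_READERS_GROUP:-}" ]]; then`; if instead the socket-writer group was meant to own the directory so another process in that group can create the socket after `chmod g+w`, the `chown -R` should name it rather than RUNASGROUP. The uid/gid values are also interpolated unquoted into sed replacement strings and passed to chown, so a shape check such as `[[ "${KONNECTIVITY_SERVER_RUNASUSER}" =~ ^[0-9]+$ && "${KONNECTIVITY_SERVER_RUNASGROUP}" =~ ^[0-9]+$ ]] || return 1` before the first sed would turn a malformed kube-env value into a hard failure instead of a broken manifest. prepare-konnectivity-server-manifest begins before this hunk.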
@ -1943,7 +1963,7 @@ function prepare-konnectivity-server-manifest {
|
|||||||
# in the manifests, and copies them to /etc/kubernetes/manifests.
|
# in the manifests, and copies them to /etc/kubernetes/manifests.
|
||||||
function start-konnectivity-server {
|
function start-konnectivity-server {
|
||||||
echo "Start konnectivity server pods"
|
echo "Start konnectivity server pods"
|
||||||
prepare-log-file /var/log/konnectivity-server.log
|
prepare-log-file /var/log/konnectivity-server.log "${KONNECTIVITY_SERVER_RUNASUSER:-0}"
|
||||||
prepare-konnectivity-server-manifest "8132" "8133" "8134"
|
prepare-konnectivity-server-manifest "8132" "8133" "8134"
|
||||||
}
|
}
|
||||||
|
|
||||||
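Review bot: The log-file owner passed to prepare-log-file is decided by KONNECTIVITY_SERVER_RUNASUSER alone, whereas the manifest rendered by prepare-konnectivity-server-manifest only drops root when RUNASUSER, RUNASGROUP and SOCKET_WRITER_GROUP are all set, so with RUNASUSER set and RUNASGROUP unset the log is chowned to the non-root uid (presumably what the second argument does) while the container still runs as root. Deriving one decision for both call sites, for example computing a single `konnectivity_uid` from the same three-variable test and passing it to both, would keep the two from diverging; a comment noting that the two checks must agree would be the minimum.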
|
@ -6,6 +6,9 @@ metadata:
|
|||||||
component: konnectivity-server
|
component: konnectivity-server
|
||||||
spec:
|
spec:
|
||||||
securityContext:
|
securityContext:
|
||||||
|
{{ run_as_user }}
|
||||||
|
{{ run_as_group }}
|
||||||
|
{{ supplemental_groups }}
|
||||||
seccompProfile:
|
seccompProfile:
|
||||||
type: RuntimeDefault
|
type: RuntimeDefault
|
||||||
priorityClassName: system-node-critical
|
priorityClassName: system-node-critical
|
||||||
@ -13,6 +16,10 @@ spec:
|
|||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
containers:
|
containers:
|
||||||
- name: konnectivity-server-container
|
- name: konnectivity-server-container
|
||||||
|
{{ container_security_context }}:
|
||||||
|
{{ disallow_privilege_escalation}}
|
||||||
|
{{ capabilities }}
|
||||||
|
{{ drop_capabilities }}
|
||||||
image: k8s.gcr.io/kas-network-proxy/proxy-server:v0.0.15
|
image: k8s.gcr.io/kas-network-proxy/proxy-server:v0.0.15
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
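Review bot: The `{{ container_security_context }}:` placeholder carries a trailing colon, but the sed in prepare-konnectivity-server-manifest replaces the whole token with `securityContext:` in the non-root branch and with nothing in the fallback branch, so the rendered line becomes `securityContext::` in one case and a bare `:` in the other, neither of which is the YAML the container securityContext needs. Drop the colon so the line reads `{{ container_security_context }}`, matching the three sibling placeholders below it. The sed pattern's `*` also tolerates the missing space in `{{ disallow_privilege_escalation}}`, but writing it as `{{ disallow_privilege_escalation }}` keeps the template consistent with the others.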
|
@ -1367,6 +1367,9 @@ KUBE_PKI_READERS_GROUP: 2005
|
|||||||
ETCD_RUNASUSER: 2006
|
ETCD_RUNASUSER: 2006
|
||||||
ETCD_RUNASGROUP: 2006
|
ETCD_RUNASGROUP: 2006
|
||||||
KUBE_POD_LOG_READERS_GROUP: 2007
|
KUBE_POD_LOG_READERS_GROUP: 2007
|
||||||
|
KONNECTIVITY_SERVER_RUNASUSER: 2008
|
||||||
|
KONNECTIVITY_SERVER_RUNASGROUP: 2008
|
||||||
|
KONNECTIVITY_SERVER_SOCKET_WRITER_GROUP: 2008
|
||||||
EOF
|
EOF
|
||||||
# KUBE_APISERVER_REQUEST_TIMEOUT_SEC (if set) controls the --request-timeout
|
# KUBE_APISERVER_REQUEST_TIMEOUT_SEC (if set) controls the --request-timeout
|
||||||
# flag
|
# flag
|
||||||
|