From 8daa9e6f7749a622b9e0006ddffd0242c6abebce Mon Sep 17 00:00:00 2001
From: Vinayak Goyal
Date: Sat, 23 May 2020 20:40:38 -0700
Subject: [PATCH] Updating kube-controller-manager to run as non-root.

---
 cluster/gce/gci/configure-helper.sh | 19 +++++++++++++++++++
 .../kube-controller-manager.manifest | 12 ++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 58ba60f4b5d..c4528e52f4a 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1840,6 +1840,16 @@ function update-node-label() {
 done
 }
 
+# A helper function that sets file permissions for kube-controller-manager to
+# run as non root.
+function run-kube-controller-manager-as-non-root {
+ prepare-log-file /var/log/kube-controller-manager.log ${KUBE_CONTROLLER_MANAGER_RUNASUSER} ${KUBE_CONTROLLER_MANAGER_RUNASGROUP}
+ setfacl -m u:${KUBE_CONTROLLER_MANAGER_RUNASUSER}:r "${CA_CERT_BUNDLE_PATH}"
+ setfacl -m u:${KUBE_CONTROLLER_MANAGER_RUNASUSER}:r "${SERVICEACCOUNT_CERT_PATH}"
+ setfacl -m u:${KUBE_CONTROLLER_MANAGER_RUNASUSER}:r "${SERVICEACCOUNT_KEY_PATH}"
+}
+
+
 # Starts kubernetes controller manager.
 # It prepares the log file, loads the docker image, calculates variables, sets them
 # in the manifest file, and then copies the manifest file to /etc/kubernetes/manifests.
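Review bot: The three `setfacl` calls in `run-kube-controller-manager-as-non-root` grant the run-as UID read access to the CA bundle and to the service-account certificate and private key, but nothing checks that they succeed or that the path variables are non-empty, so a missing `setfacl` binary or an unset `SERVICEACCOUNT_KEY_PATH` only surfaces later as an opaque permission error inside kube-controller-manager. The UID/GID expansions passed to `prepare-log-file` and `setfacl` are also unquoted. Since the private key is the most sensitive of the three files, I would fail the configuration step loudly instead (shown below); whether `exit 1` is this script's convention for fatal setup errors should be confirmed against the rest of configure-helper.sh, which is outside the hunk. Note also that `setfacl -m` is additive, so if the configured UID is later changed, the previously granted UID keeps its read entry on the key until it is removed explicitly.
```shell
function run-kube-controller-manager-as-non-root {
  prepare-log-file /var/log/kube-controller-manager.log "${KUBE_CONTROLLER_MANAGER_RUNASUSER}" "${KUBE_CONTROLLER_MANAGER_RUNASGROUP}"
  local f
  for f in "${CA_CERT_BUNDLE_PATH}" "${SERVICEACCOUNT_CERT_PATH}" "${SERVICEACCOUNT_KEY_PATH}"; do
    if [[ -z "${f}" ]] || ! setfacl -m "u:${KUBE_CONTROLLER_MANAGER_RUNASUSER}:r" "${f}"; then
      echo "Failed to grant uid ${KUBE_CONTROLLER_MANAGER_RUNASUSER} read access to '${f}'" >&2
      exit 1
    fi
  done
}
```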
@@ -1937,6 +1947,15 @@ function start-kube-controller-manager {
 sed -i -e "s@{{flexvolume_hostpath}}@${FLEXVOLUME_HOSTPATH_VOLUME}@g" "${src_file}"
 sed -i -e "s@{{cpurequest}}@${KUBE_CONTROLLER_MANAGER_CPU_REQUEST}@g" "${src_file}"
 
+ if [[ -n "${KUBE_CONTROLLER_MANAGER_RUNASUSER:-}" && -n "${KUBE_CONTROLLER_MANAGER_RUNASGROUP:-}" ]]; then
+ run-kube-controller-manager-as-non-root
+ sed -i -e "s@{{runAsUser}}@${KUBE_CONTROLLER_MANAGER_RUNASUSER}@g" "${src_file}"
+ sed -i -e "s@{{runAsGroup}}@${KUBE_CONTROLLER_MANAGER_RUNASGROUP}@g" "${src_file}"
+ else
+ sed -i -e "s@{{runAsUser}}@0@g" "${src_file}"
+ sed -i -e "s@{{runAsGroup}}@0@g" "${src_file}"
+ fi
+
 cp "${src_file}" /etc/kubernetes/manifests
 }
 
diff --git a/cluster/gce/manifests/kube-controller-manager.manifest b/cluster/gce/manifests/kube-controller-manager.manifest
index 0ed484ea6bc..ce436ff61b8 100644
--- a/cluster/gce/manifests/kube-controller-manager.manifest
+++ b/cluster/gce/manifests/kube-controller-manager.manifest
@@ -13,12 +13,24 @@
 }
 },
 "spec":{
+"securityContext": {
+ "runAsUser": {{runAsUser}},
+ "runAsGroup": {{runAsGroup}}
+},
 "priorityClassName": "system-node-critical",
 "priority": 2000001000,
 "hostNetwork": true,
 "containers":[
 {
 "name": "kube-controller-manager",
+ "securityContext": {
+ "allowPrivilegeEscalation": false,
+ "capabilities": {
+ "drop": [
+ "all"
+ ]
+ }
+ },
 "image": "{{pillar['kube_docker_registry']}}/kube-controller-manager-amd64:{{pillar['kube-controller-manager_docker_tag']}}",
 "resources": {
 "requests": {
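Review bot: The `else` branch in `start-kube-controller-manager` silently substitutes `0` for both `{{runAsUser}}` and `{{runAsGroup}}` whenever either `KUBE_CONTROLLER_MANAGER_RUNASUSER` or `KUBE_CONTROLLER_MANAGER_RUNASGROUP` is empty, so a typo in one of the two variable names degrades the component to root with no trace in the configuration output. I would add `echo "KUBE_CONTROLLER_MANAGER_RUNASUSER/RUNASGROUP not both set; kube-controller-manager will run as root" >&2` as the first line of the `else` branch. The placeholders land in unquoted JSON number positions in the manifest, so the two variables must hold numeric UID/GID values rather than names; a one-line comment above the `if` stating that would save the next maintainer a failed manifest parse. The function begins before the hunk.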
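Review bot: The container `securityContext` drops `"all"` in lowercase, while the Kubernetes API documents the capability wildcard as `ALL`; whether lowercase is honoured depends on the container runtime's capability normalisation, and a runtime that compares case-sensitively would leave the full default capability set in place, the opposite of the intent. I would change the entry to `"ALL"`. The pod-level `runAsUser`/`runAsGroup` values are unquoted JSON numbers, so the `{{runAsUser}}`/`{{runAsGroup}}` placeholders have to be replaced with integers by the substitution in configure-helper.sh for the manifest to stay valid.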