github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-14 21:53:52 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #101164 from vinayakankugoyal/apiservernonroot

Browse Source 
Run control-plane as non root in kube-up.
This commit is contained in:
Kubernetes Prow Robot
2021-05-06 17:33:14 -07:00
committed by GitHub
parent 8da9d2ff55 6aa495ddc6
commit ca0c04e4d3
3 changed files with 23 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
cluster/gce/gci/configure-helper.sh
View File

@@ -2030,18 +2030,6 @@ function update-node-label() {
done
}
# A helper function that sets file permissions for kube-controller-manager to
# run as non root.
# User and group should never contain characters that need to be quoted
# shellcheck disable=SC2086
function run-kube-controller-manager-as-non-root {
prepare-log-file /var/log/kube-controller-manager.log ${KUBE_CONTROLLER_MANAGER_RUNASUSER}
setfacl -m u:${KUBE_CONTROLLER_MANAGER_RUNASUSER}:r "${CA_CERT_BUNDLE_PATH}"
setfacl -m u:${KUBE_CONTROLLER_MANAGER_RUNASUSER}:r "${SERVICEACCOUNT_CERT_PATH}"
setfacl -m u:${KUBE_CONTROLLER_MANAGER_RUNASUSER}:r "${SERVICEACCOUNT_KEY_PATH}"
}
# Starts kubernetes controller manager.
# It prepares the log file, loads the docker image, calculates variables, sets them
# in the manifest file, and then copies the manifest file to /etc/kubernetes/manifests.
@@ -2060,7 +2048,7 @@ function start-kube-controller-manager {
fi
echo "Start kubernetes controller-manager"
create-kubeconfig "kube-controller-manager" "${KUBE_CONTROLLER_MANAGER_TOKEN}"
prepare-log-file /var/log/kube-controller-manager.log
prepare-log-file /var/log/kube-controller-manager.log "${KUBE_CONTROLLER_MANAGER_RUNASUSER:-0}"
# Calculate variables and assemble the command line.
local params=("${CONTROLLER_MANAGER_TEST_LOG_LEVEL:-"--v=2"}" "${CONTROLLER_MANAGER_TEST_ARGS:-}" "${CLOUD_CONFIG_OPT}")
local config_path='/etc/srv/kubernetes/kube-controller-manager/kubeconfig'
@@ -2149,12 +2137,13 @@ function start-kube-controller-manager {
sed -i -e "s@{{cpurequest}}@${KUBE_CONTROLLER_MANAGER_CPU_REQUEST}@g" "${src_file}"
if [[ -n "${KUBE_CONTROLLER_MANAGER_RUNASUSER:-}" && -n "${KUBE_CONTROLLER_MANAGER_RUNASGROUP:-}" ]]; then
run-kube-controller-manager-as-non-root
sed -i -e "s@{{runAsUser}}@${KUBE_CONTROLLER_MANAGER_RUNASUSER}@g" "${src_file}"
sed -i -e "s@{{runAsGroup}}@${KUBE_CONTROLLER_MANAGER_RUNASGROUP}@g" "${src_file}"
sed -i -e "s@{{runAsUser}}@\"runAsUser\": ${KUBE_CONTROLLER_MANAGER_RUNASUSER},@g" "${src_file}"
sed -i -e "s@{{runAsGroup}}@\"runAsGroup\":${KUBE_CONTROLLER_MANAGER_RUNASGROUP},@g" "${src_file}"
sed -i -e "s@{{supplementalGroups}}@\"supplementalGroups\": [ ${KUBE_PKI_READERS_GROUP} ],@g" "${src_file}"
else
sed -i -e "s@{{runAsUser}}@0@g" "${src_file}"
sed -i -e "s@{{runAsGroup}}@0@g" "${src_file}"
sed -i -e "s@{{runAsUser}}@@g" "${src_file}"
sed -i -e "s@{{runAsGroup}}@@g" "${src_file}"
sed -i -e "s@{{supplementalGroups}}@@g" "${src_file}"
fi
cp "${src_file}" /etc/kubernetes/manifests