Merge pull request #101164 from vinayakankugoyal/apiservernonroot

Run control-plane as non root in kube-up.
2025-09-15 14:14:39 +00:00 · 2021-05-06 17:33:14 -07:00
parent 8da9d2ff55 6aa495ddc6
commit ca0c04e4d3
3 changed files with 23 additions and 21 deletions
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -1355,6 +1355,18 @@ ETCD_PEER_KEY: $(yaml-quote "${ETCD_PEER_KEY_BASE64:-}")
 ETCD_PEER_CERT: $(yaml-quote "${ETCD_PEER_CERT_BASE64:-}")
 SERVICEACCOUNT_ISSUER: $(yaml-quote "${SERVICEACCOUNT_ISSUER:-}")
 KUBECTL_PRUNE_WHITELIST_OVERRIDE: $(yaml-quote "${KUBECTL_PRUNE_WHITELIST_OVERRIDE:-}")
+KUBE_SCHEDULER_RUNASUSER: 2001
+KUBE_SCHEDULER_RUNASGROUP: 2001
+KUBE_ADDON_MANAGER_RUNASUSER: 2002
+KUBE_ADDON_MANAGER_RUNASGROUP: 2002
+KUBE_CONTROLLER_MANAGER_RUNASUSER: 2003
+KUBE_CONTROLLER_MANAGER_RUNASGROUP: 2003
+KUBE_API_SERVER_RUNASUSER: 2004
+KUBE_API_SERVER_RUNASGROUP: 2004
+KUBE_PKI_READERS_GROUP: 2005
+ETCD_RUNASUSER: 2006
+ETCD_RUNASGROUP: 2006
+KUBE_POD_LOG_READERS_GROUP: 2007
 EOF
    # KUBE_APISERVER_REQUEST_TIMEOUT_SEC (if set) controls the --request-timeout
    # flag