Run autoscaler as non root in kube-up

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2025-07-30 15:05:27 +00:00 · 2024-02-24 18:58:58 -05:00 · 2024-02-24 18:58:58 -05:00 · df92ad9bcb
commit df92ad9bcb
parent e2ff63103d
3 changed files with 17 additions and 1 deletions
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@ -2465,7 +2465,7 @@ function start-cluster-autoscaler {
    echo "Start kubernetes cluster autoscaler"
    setup-addon-manifests "addons" "rbac/cluster-autoscaler"
    create-kubeconfig "cluster-autoscaler" "${KUBE_CLUSTER_AUTOSCALER_TOKEN}"
-    prepare-log-file /var/log/cluster-autoscaler.log
+    prepare-log-file /var/log/cluster-autoscaler.log "${CLUSTER_AUTOSCALER_RUNASUSER:-0}"

    # Remove salt comments and replace variables with values
    local -r src_file="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty/cluster-autoscaler.manifest"
@ -2485,6 +2485,17 @@ function start-cluster-autoscaler {
    sed -i -e "s@{{cloud_config_volume}}@${CLOUD_CONFIG_VOLUME}@g" "${src_file}"
    sed -i -e "s@{%.*%}@@g" "${src_file}"

+    if [[ -n "${CLUSTER_AUTOSCALER_RUNASUSER:-}" && -n "${CLUSTER_AUTOSCALER_RUNASGROUP:-}" ]]; then
+      #run-cluster-autoscaler-as-non-root
+      sed -i -e "s@{{runAsUser}}@\"runAsUser\": ${CLUSTER_AUTOSCALER_RUNASUSER},@g" "${src_file}"
+      sed -i -e "s@{{runAsGroup}}@\"runAsGroup\":${CLUSTER_AUTOSCALER_RUNASGROUP},@g" "${src_file}"
+      sed -i -e "s@{{supplementalGroups}}@\"supplementalGroups\": [ ${KUBE_PKI_READERS_GROUP} ],@g" "${src_file}"
+    else
+      sed -i -e "s@{{runAsUser}}@@g" "${src_file}"
+      sed -i -e "s@{{runAsGroup}}@@g" "${src_file}"
+      sed -i -e "s@{{supplementalGroups}}@@g" "${src_file}"
+    fi
+
    cp "${src_file}" /etc/kubernetes/manifests
  fi
 }
--- a/cluster/gce/manifests/cluster-autoscaler.manifest
+++ b/cluster/gce/manifests/cluster-autoscaler.manifest
@ -11,6 +11,9 @@
    },
    "spec": {
        "securityContext": {
+            {{runAsUser}}
+            {{runAsGroup}}
+            {{supplementalGroups}}
            "seccompProfile": {
                "type": "RuntimeDefault"
            }
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@ -1363,6 +1363,8 @@ KONNECTIVITY_SERVER_RUNASGROUP: 2008
 KONNECTIVITY_SERVER_SOCKET_WRITER_GROUP: 2008
 CLOUD_CONTROLLER_MANAGER_RUNASUSER: 2009
 CLOUD_CONTROLLER_MANAGER_RUNASGROUP: 2009
+CLUSTER_AUTOSCALER_RUNASUSER: 2010
+CLUSTER_AUTOSCALER_RUNASGROUP: 2010

 EOF
    # KUBE_APISERVER_REQUEST_TIMEOUT_SEC (if set) controls the --request-timeout