Merge pull request #64276 from wangzhen127/manifests-seccomp

Automatic merge from submit-queue (batch tested with PRs 64276, 64094, 64719, 64766, 64750). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Use default seccomp profile for GCE manifests

**What this PR does / why we need it**:
This PR sets the default seccomp profile of unprivileged addons to 'docker/default' for GCE manifests. This PR is a followup of #62662. We are using 'docker/default' instead of 'runtime/default' in addons in order to handle node version skew. When seccomp profile is applied automatically by default later, we can remove those annotations.

This PR is part of #39845.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
Kubernetes Submit Queue 2018-06-05 11:35:10 -07:00 committed by GitHub
commit e2d997cfea
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 15 additions and 5 deletions


@ -7,6 +7,9 @@
"labels": { "labels": {
"tier": "cluster-management", "tier": "cluster-management",
"component": "cluster-autoscaler" "component": "cluster-autoscaler"
},
"annotations": {
"seccomp.security.alpha.kubernetes.io/pod": "docker/default"
} }
}, },
"spec": { "spec": {
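Review bot: The container `securityContext` is outside this hunk, so it is not visible whether the new pod-level annotation `"seccomp.security.alpha.kubernetes.io/pod": "docker/default"` actually confines every container in the pod. With the Docker runtime, a container marked `privileged: true` runs without a seccomp filter regardless of this annotation. The same question applies to the other seven manifests in this commit (etcd-empty-dir-cleanup, etcd-server, gcp-lb-controller, kube-addon-manager, kube-apiserver, kube-controller-manager, kube-scheduler). Worth confirming that none of them carries a privileged container. A rollout check on a node, `grep Seccomp /proc/<pid>/status` reporting `2` (filter mode) for each component's process, would show that the profile is in effect.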


@ -5,6 +5,7 @@ metadata:
namespace: kube-system namespace: kube-system
annotations: annotations:
scheduler.alpha.kubernetes.io/critical-pod: '' scheduler.alpha.kubernetes.io/critical-pod: ''
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
labels: labels:
k8s-app: etcd-empty-dir-cleanup k8s-app: etcd-empty-dir-cleanup
spec: spec:
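Review bot: The new `seccomp.security.alpha.kubernetes.io/pod: 'docker/default'` line has no comment explaining why it uses `docker/default` instead of `runtime/default`, and that rationale exists only in the PR description. I would add a comment above it such as `# docker/default (not runtime/default) to tolerate node version skew; remove once seccomp is applied by default.` so the annotation is not "corrected" or left behind later. The same comment fits the gcp-lb-controller and kube-addon-manager YAML manifests in this commit. The JSON manifests have no comment syntax, so they cannot carry it.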


@ -5,7 +5,8 @@
"name":"etcd-server{{ suffix }}", "name":"etcd-server{{ suffix }}",
"namespace": "kube-system", "namespace": "kube-system",
"annotations": { "annotations": {
"scheduler.alpha.kubernetes.io/critical-pod": "" "scheduler.alpha.kubernetes.io/critical-pod": "",
"seccomp.security.alpha.kubernetes.io/pod": "docker/default"
} }
}, },
"spec":{ "spec":{
@ -62,7 +63,7 @@
"ports": [ "ports": [
{ "name": "serverport", { "name": "serverport",
"containerPort": {{ server_port }}, "containerPort": {{ server_port }},
"hostPort": {{ server_port }} "hostPort": {{ server_port }}
}, },
{ "name": "clientport", { "name": "clientport",
"containerPort": {{ port }}, "containerPort": {{ port }},


@ -5,6 +5,7 @@ metadata:
namespace: kube-system namespace: kube-system
annotations: annotations:
scheduler.alpha.kubernetes.io/critical-pod: '' scheduler.alpha.kubernetes.io/critical-pod: ''
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
labels: labels:
k8s-app: gcp-lb-controller k8s-app: gcp-lb-controller
version: v1.1.1 version: v1.1.1


@ -5,6 +5,7 @@ metadata:
namespace: kube-system namespace: kube-system
annotations: annotations:
scheduler.alpha.kubernetes.io/critical-pod: '' scheduler.alpha.kubernetes.io/critical-pod: ''
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
labels: labels:
component: kube-addon-manager component: kube-addon-manager
spec: spec:


@ -5,7 +5,8 @@
"name":"kube-apiserver", "name":"kube-apiserver",
"namespace": "kube-system", "namespace": "kube-system",
"annotations": { "annotations": {
"scheduler.alpha.kubernetes.io/critical-pod": "" "scheduler.alpha.kubernetes.io/critical-pod": "",
"seccomp.security.alpha.kubernetes.io/pod": "docker/default"
}, },
"labels": { "labels": {
"tier": "control-plane", "tier": "control-plane",


@ -5,7 +5,8 @@
"name":"kube-controller-manager", "name":"kube-controller-manager",
"namespace": "kube-system", "namespace": "kube-system",
"annotations": { "annotations": {
"scheduler.alpha.kubernetes.io/critical-pod": "" "scheduler.alpha.kubernetes.io/critical-pod": "",
"seccomp.security.alpha.kubernetes.io/pod": "docker/default"
}, },
"labels": { "labels": {
"tier": "control-plane", "tier": "control-plane",


@ -5,7 +5,8 @@
"name":"kube-scheduler", "name":"kube-scheduler",
"namespace": "kube-system", "namespace": "kube-system",
"annotations": { "annotations": {
"scheduler.alpha.kubernetes.io/critical-pod": "" "scheduler.alpha.kubernetes.io/critical-pod": "",
"seccomp.security.alpha.kubernetes.io/pod": "docker/default"
}, },
"labels": { "labels": {
"tier": "control-plane", "tier": "control-plane",