github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-15 06:01:50 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #101881 from vinayakankugoyal/konnectivity

Browse Source 
Update konnectivity network proxy server to run as non-root, by defau…
This commit is contained in:
Kubernetes Prow Robot
2021-05-13 23:16:04 -07:00
committed by GitHub
parent 9f0f14952c b951b9349f
commit e8cf412e5e
3 changed files with 31 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
cluster/gce/gci/configure-helper.sh
View File

@@ -1938,6 +1938,26 @@ function prepare-konnectivity-server-manifest {
sed -i -e "s@{{ *health_port *}}@$2@g" "${temp_file}"
sed -i -e "s@{{ *admin_port *}}@$3@g" "${temp_file}"
sed -i -e "s@{{ *liveness_probe_initial_delay *}}@30@g" "${temp_file}"
if [[ -n "${KONNECTIVITY_SERVER_RUNASUSER:-}" && -n "${KONNECTIVITY_SERVER_RUNASGROUP:-}" && -n "${KONNECTIVITY_SERVER_SOCKET_WRITER_GROUP:-}" ]]; then
sed -i -e "s@{{ *run_as_user *}}@runAsUser: ${KONNECTIVITY_SERVER_RUNASUSER}@g" "${temp_file}"
sed -i -e "s@{{ *run_as_group *}}@runAsGroup: ${KONNECTIVITY_SERVER_RUNASGROUP}@g" "${temp_file}"
sed -i -e "s@{{ *supplemental_groups *}}@supplementalGroups: [${KUBE_PKI_READERS_GROUP}]@g" "${temp_file}"
sed -i -e "s@{{ *container_security_context *}}@securityContext:@g" "${temp_file}"
sed -i -e "s@{{ *capabilities *}}@capabilities:@g" "${temp_file}"
sed -i -e "s@{{ *drop_capabilities *}}@drop: [ ALL ]@g" "${temp_file}"
sed -i -e "s@{{ *disallow_privilege_escalation *}}@allowPrivilegeEscalation: false@g" "${temp_file}"
mkdir -p /etc/srv/kubernetes/konnectivity-server/
chown -R "${KONNECTIVITY_SERVER_RUNASUSER}":"${KONNECTIVITY_SERVER_RUNASGROUP}" /etc/srv/kubernetes/konnectivity-server
chmod g+w /etc/srv/kubernetes/konnectivity-server
else
sed -i -e "s@{{ *run_as_user *}}@@g" "${temp_file}"
sed -i -e "s@{{ *run_as_group *}}@@g" "${temp_file}"
sed -i -e "s@{{ *supplemental_groups *}}@@g" "${temp_file}"
sed -i -e "s@{{ *container_security_context *}}@@g" "${temp_file}"
sed -i -e "s@{{ *capabilities *}}@@g" "${temp_file}"
sed -i -e "s@{{ *drop_capabilities *}}@@g" "${temp_file}"
sed -i -e "s@{{ *disallow_privilege_escalation *}}@@g" "${temp_file}"
fi
mv "${temp_file}" /etc/kubernetes/manifests
}
@@ -1946,7 +1966,7 @@ function prepare-konnectivity-server-manifest {
# in the manifests, and copies them to /etc/kubernetes/manifests.
function start-konnectivity-server {
echo "Start konnectivity server pods"
prepare-log-file /var/log/konnectivity-server.log
prepare-log-file /var/log/konnectivity-server.log "${KONNECTIVITY_SERVER_RUNASUSER:-0}"
prepare-konnectivity-server-manifest "8132" "8133" "8134"
}