Update .in and .sed files.

2025-07-28 22:17:14 +00:00 · 2019-09-04 21:49:31 +01:00 · 2019-09-04 21:49:31 +01:00 · f12d1347b2
commit f12d1347b2
parent 594b18a119
2 changed files with 42 additions and 0 deletions
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.in
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
@ -88,6 +88,7 @@ spec:
    spec:
      priorityClassName: system-cluster-critical
      securityContext:
+        runAsNonRoot: true
        supplementalGroups: [ 65534 ]
        fsGroup: 65534
      tolerations:
@ -150,6 +151,11 @@ spec:
        volumeMounts:
        - name: kube-dns-config
          mountPath: /kube-dns-config
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsUser: 1001
+          runAsGroup: 2001
      - name: dnsmasq
        image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
        livenessProbe:
@ -190,6 +196,16 @@ spec:
        volumeMounts:
        - name: kube-dns-config
          mountPath: /etc/k8s/dns/dnsmasq-nanny
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: false
+          runAsNonRoot: false
+          capabilities:
+            drop:
+              - all
+            add:
+              - NET_BIND_SERVICE
+              - SETGID
      - name: sidecar
        image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
        livenessProbe:
@ -214,5 +230,10 @@ spec:
          requests:
            memory: 20Mi
            cpu: 10m
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsUser: 1001
+            runAsGroup: 2001
      dnsPolicy: Default  # Don't use cluster DNS.
      serviceAccountName: kube-dns
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
@ -88,6 +88,7 @@ spec:
    spec:
      priorityClassName: system-cluster-critical
      securityContext:
+        runAsNonRoot: true
        supplementalGroups: [ 65534 ]
        fsGroup: 65534
      tolerations:
@ -150,6 +151,11 @@ spec:
        volumeMounts:
        - name: kube-dns-config
          mountPath: /kube-dns-config
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsUser: 1001
+          runAsGroup: 2001
      - name: dnsmasq
        image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
        livenessProbe:
@ -190,6 +196,16 @@ spec:
        volumeMounts:
        - name: kube-dns-config
          mountPath: /etc/k8s/dns/dnsmasq-nanny
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: false
+          runAsNonRoot: false
+          capabilities:
+            drop:
+              - all
+            add:
+              - NET_BIND_SERVICE
+              - SETGID
      - name: sidecar
        image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
        livenessProbe:
@ -214,5 +230,10 @@ spec:
          requests:
            memory: 20Mi
            cpu: 10m
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsUser: 1001
+            runAsGroup: 2001
      dnsPolicy: Default  # Don't use cluster DNS.
      serviceAccountName: kube-dns