Mirror of https://github.com/k3s-io/kubernetes.git, synced 2025-10-22 06:59:03 +00:00
Automatic merge from submit-queue (batch tested with PRs 46210, 48607, 46874, 46598, 49240)

kubeadm: Make the hostPath volume mount code more secure

**What this PR does / why we need it**:

- Refactors the hostpath volume mounting code for the Static Pods
- Splits out the functionality that was in a big function to something testable
- Unit test a lot
- Adds support for mounting external etcd CA/cert/key files in another path than `/etc/ssl/certs`. Before this you **had** to have your files in there or the apiserver would crashloop
- Significantly improves comment coverage
- Now only mounts the bare essentials instead of nearly everything. For example, don't mount full `/etc/kubernetes` when the only thing you need is `/etc/kubernetes/scheduler.conf`
- Make everything but the etcd datadir read-only for components.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

Fixes: https://github.com/kubernetes/kubeadm/issues/341

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```

cc @kubernetes/sig-cluster-lifecycle-pr-reviews
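
The two mount rules in the description above (mount only the file a component needs, and keep everything but the etcd data dir read-only) can be checked mechanically. The Go program below is an added example, not kubeadm's code and not part of this commit; the `Mount` type, `AuditMounts`, the mount names and the sample "before" layout are hypothetical and constructed from the PR description.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Mount is a simplified stand-in for a hostPath volume and its volumeMount.
// It is a hypothetical type for this example, not the Kubernetes API type.
type Mount struct {
	Name, HostPath string
	ReadOnly       bool
}

// AuditMounts applies the two rules from the PR description to one component.
// needed: host files the component actually reads.
// writable: host paths allowed to be read-write (the etcd data dir).
func AuditMounts(mounts []Mount, needed []string, writable map[string]bool) []string {
	var findings []string
	for _, m := range mounts {
		hp := filepath.Clean(m.HostPath)
		if !m.ReadOnly && !writable[hp] {
			findings = append(findings, m.Name+": "+hp+" is mounted read-write")
		}
		// Too broad: the mount is a strict parent of a needed file, e.g.
		// /etc/kubernetes when only scheduler.conf is read.
		prefix := strings.TrimSuffix(hp, "/") + "/"
		for _, n := range needed {
			if n = filepath.Clean(n); n != hp && strings.HasPrefix(n, prefix) {
				findings = append(findings, m.Name+": "+hp+" is broader than "+n)
			}
		}
	}
	return findings
}

func main() {
	// Constructed sample: a scheduler pod before and after narrowing its mount.
	needed := []string{"/etc/kubernetes/scheduler.conf"}
	before := []Mount{{"k8s", "/etc/kubernetes", false}}
	after := []Mount{{"kubeconfig", "/etc/kubernetes/scheduler.conf", true}}
	for _, f := range AuditMounts(before, needed, nil) {
		fmt.Println("before:", f)
	}
	fmt.Println("after:", len(AuditMounts(after, needed, nil)), "findings")
}
```

The same function can run in a unit test over the volumes generated for each static pod, with the etcd data dir as the only entry in `writable`.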