Adding recommendations from tallclair.

2019-09-11 19:30:32 +01:00 · 2019-09-11 19:30:32 +01:00 · 72ee17c5ca
commit 72ee17c5ca
parent 8dcc976db3
3 changed files with 3 additions and 12 deletions
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.base
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
@ -82,13 +82,12 @@ spec:
      labels:
        k8s-app: kube-dns
      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
        prometheus.io/port: "10054"
        prometheus.io/scrape: "true"
    spec:
      priorityClassName: system-cluster-critical
      securityContext:
-        runAsNonRoot: true
        supplementalGroups: [ 65534 ]
        fsGroup: 65534
      tolerations:
@ -198,8 +197,6 @@ spec:
          mountPath: /etc/k8s/dns/dnsmasq-nanny
        securityContext:
          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: false
-          runAsNonRoot: false
          capabilities:
            drop:
              - all
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.in
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
@ -82,13 +82,12 @@ spec:
      labels:
        k8s-app: kube-dns
      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
        prometheus.io/port: "10054"
        prometheus.io/scrape: "true"
    spec:
      priorityClassName: system-cluster-critical
      securityContext:
-        runAsNonRoot: true
        supplementalGroups: [ 65534 ]
        fsGroup: 65534
      tolerations:
@ -198,8 +197,6 @@ spec:
          mountPath: /etc/k8s/dns/dnsmasq-nanny
        securityContext:
          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: false
-          runAsNonRoot: false
          capabilities:
            drop:
              - all
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
@ -82,13 +82,12 @@ spec:
      labels:
        k8s-app: kube-dns
      annotations:
-        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
        prometheus.io/port: "10054"
        prometheus.io/scrape: "true"
    spec:
      priorityClassName: system-cluster-critical
      securityContext:
-        runAsNonRoot: true
        supplementalGroups: [ 65534 ]
        fsGroup: 65534
      tolerations:
@ -198,8 +197,6 @@ spec:
          mountPath: /etc/k8s/dns/dnsmasq-nanny
        securityContext:
          allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: false
-          runAsNonRoot: false
          capabilities:
            drop:
              - all