Update .in and .sed files.

Paulo Gomes 2019-09-04 21:49:31 +01:00
parent 594b18a119
commit f12d1347b2
2 changed files with 42 additions and 0 deletions


@ -88,6 +88,7 @@ spec:
spec: spec:
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
securityContext: securityContext:
runAsNonRoot: true
supplementalGroups: [ 65534 ] supplementalGroups: [ 65534 ]
fsGroup: 65534 fsGroup: 65534
tolerations: tolerations:
@ -150,6 +151,11 @@ spec:
volumeMounts: volumeMounts:
- name: kube-dns-config - name: kube-dns-config
mountPath: /kube-dns-config mountPath: /kube-dns-config
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
- name: dnsmasq - name: dnsmasq
image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13 image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
livenessProbe: livenessProbe:
@ -190,6 +196,16 @@ spec:
volumeMounts: volumeMounts:
- name: kube-dns-config - name: kube-dns-config
mountPath: /etc/k8s/dns/dnsmasq-nanny mountPath: /etc/k8s/dns/dnsmasq-nanny
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
runAsNonRoot: false
capabilities:
drop:
- all
add:
- NET_BIND_SERVICE
- SETGID
- name: sidecar - name: sidecar
image: k8s.gcr.io/k8s-dns-sidecar:1.14.13 image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
livenessProbe: livenessProbe:
@ -214,5 +230,10 @@ spec:
requests: requests:
memory: 20Mi memory: 20Mi
cpu: 10m cpu: 10m
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
dnsPolicy: Default # Don't use cluster DNS. dnsPolicy: Default # Don't use cluster DNS.
serviceAccountName: kube-dns serviceAccountName: kube-dns
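Review bot: In the dnsmasq container's `securityContext` (third hunk), `runAsNonRoot: false` overrides the pod-level `runAsNonRoot: true` added in the first hunk, so this container may still start as UID 0 with a writable root filesystem, and nothing in the manifest explains the exception. I would put a comment above it stating the reason, for example `# dnsmasq needs root at start-up to bind port 53; limited to NET_BIND_SERVICE and SETGID` if that is indeed why, so a later hardening pass does not remove or copy it blindly. In the same block, `drop: - all` would be safer written as `- ALL`, which is the spelling the Kubernetes documentation uses and the one the restricted Pod Security Standard checks for. The kubedns and sidecar containers (second and fourth hunks) run as UID 1001 but drop no capabilities, so `capabilities: { drop: [ALL] }` there would make the three containers consistent. The second file section carries the same four hunks and the same points apply; the Deployment spec extends beyond what these hunks show.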


@ -88,6 +88,7 @@ spec:
spec: spec:
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
securityContext: securityContext:
runAsNonRoot: true
supplementalGroups: [ 65534 ] supplementalGroups: [ 65534 ]
fsGroup: 65534 fsGroup: 65534
tolerations: tolerations:
@ -150,6 +151,11 @@ spec:
volumeMounts: volumeMounts:
- name: kube-dns-config - name: kube-dns-config
mountPath: /kube-dns-config mountPath: /kube-dns-config
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
- name: dnsmasq - name: dnsmasq
image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13 image: k8s.gcr.io/k8s-dns-dnsmasq-nanny:1.14.13
livenessProbe: livenessProbe:
@ -190,6 +196,16 @@ spec:
volumeMounts: volumeMounts:
- name: kube-dns-config - name: kube-dns-config
mountPath: /etc/k8s/dns/dnsmasq-nanny mountPath: /etc/k8s/dns/dnsmasq-nanny
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
runAsNonRoot: false
capabilities:
drop:
- all
add:
- NET_BIND_SERVICE
- SETGID
- name: sidecar - name: sidecar
image: k8s.gcr.io/k8s-dns-sidecar:1.14.13 image: k8s.gcr.io/k8s-dns-sidecar:1.14.13
livenessProbe: livenessProbe:
@ -214,5 +230,10 @@ spec:
requests: requests:
memory: 20Mi memory: 20Mi
cpu: 10m cpu: 10m
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
dnsPolicy: Default # Don't use cluster DNS. dnsPolicy: Default # Don't use cluster DNS.
serviceAccountName: kube-dns serviceAccountName: kube-dns