Run CoreDNS container only with CAP_NET_BIND_SERVICE, drop all other (root) privileges.

Run filesystem of container and config in read-only mode.
2018-05-29 21:40:21 +02:00 · 2018-05-29 21:40:21 +02:00 · 7ee5729eba
parent d373eaa4f3
commit 7ee5729eba
4 changed files with 36 additions and 0 deletions
--- a/cluster/addons/dns/coredns/coredns.yaml.base
+++ b/cluster/addons/dns/coredns/coredns.yaml.base
@ -118,6 +118,7 @@ spec:
        volumeMounts:
        - name: config-volume
          mountPath: /etc/coredns
+          readOnly: true
        ports:
        - containerPort: 53
          name: dns
@ -137,6 +138,14 @@ spec:
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - all
+          readOnlyRootFilesystem: true
      dnsPolicy: Default
      volumes:
        - name: config-volume
--- a/cluster/addons/dns/coredns/coredns.yaml.in
+++ b/cluster/addons/dns/coredns/coredns.yaml.in
@ -118,6 +118,7 @@ spec:
        volumeMounts:
        - name: config-volume
          mountPath: /etc/coredns
+          readOnly: true
        ports:
        - containerPort: 53
          name: dns
@ -137,6 +138,14 @@ spec:
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - all
+          readOnlyRootFilesystem: true
      dnsPolicy: Default
      volumes:
        - name: config-volume
--- a/cluster/addons/dns/coredns/coredns.yaml.sed
+++ b/cluster/addons/dns/coredns/coredns.yaml.sed
@ -118,6 +118,7 @@ spec:
        volumeMounts:
        - name: config-volume
          mountPath: /etc/coredns
+          readOnly: true
        ports:
        - containerPort: 53
          name: dns
@ -137,6 +138,14 @@ spec:
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - all
+          readOnlyRootFilesystem: true
      dnsPolicy: Default
      volumes:
        - name: config-volume
--- a/cmd/kubeadm/app/phases/addons/dns/manifests.go
+++ b/cmd/kubeadm/app/phases/addons/dns/manifests.go
@ -259,6 +259,7 @@ spec:
        volumeMounts:
        - name: config-volume
          mountPath: /etc/coredns
+          readOnly: true
        ports:
        - containerPort: 53
          name: dns
@ -278,6 +279,14 @@ spec:
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - all
+          readOnlyRootFilesystem: true
      dnsPolicy: Default
      volumes:
        - name: config-volume