github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Run CoreDNS container only with CAP_NET_BIND_SERVICE, drop all other (root) privileges. 

Run filesystem of container and config in read-only mode.
pull/8/head
Nico Berlee 2018-05-29 21:40:21 +02:00
parent d373eaa4f3
commit 7ee5729eba
No known key found for this signature in database
GPG Key ID: E74196B211D36789
4 changed files with 36 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
cluster/addons/dns/coredns/coredns.yaml.base
View File

@ -118,6 +118,7 @@ spec:
volumeMounts: volumeMounts:
- name: config-volume - name: config-volume
mountPath: /etc/coredns mountPath: /etc/coredns
readOnly: true
ports: ports:
- containerPort: 53 - containerPort: 53
name: dns name: dns
@ -137,6 +138,14 @@ spec:
timeoutSeconds: 5 timeoutSeconds: 5
successThreshold: 1 successThreshold: 1
failureThreshold: 5 failureThreshold: 5
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- all
readOnlyRootFilesystem: true
dnsPolicy: Default dnsPolicy: Default
volumes: volumes:
- name: config-volume - name: config-volume

9
cluster/addons/dns/coredns/coredns.yaml.in
View File

@ -118,6 +118,7 @@ spec:
volumeMounts: volumeMounts:
- name: config-volume - name: config-volume
mountPath: /etc/coredns mountPath: /etc/coredns
readOnly: true
ports: ports:
- containerPort: 53 - containerPort: 53
name: dns name: dns
@ -137,6 +138,14 @@ spec:
timeoutSeconds: 5 timeoutSeconds: 5
successThreshold: 1 successThreshold: 1
failureThreshold: 5 failureThreshold: 5
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- all
readOnlyRootFilesystem: true
dnsPolicy: Default dnsPolicy: Default
volumes: volumes:
- name: config-volume - name: config-volume

9
cluster/addons/dns/coredns/coredns.yaml.sed
View File

@ -118,6 +118,7 @@ spec:
volumeMounts: volumeMounts:
- name: config-volume - name: config-volume
mountPath: /etc/coredns mountPath: /etc/coredns
readOnly: true
ports: ports:
- containerPort: 53 - containerPort: 53
name: dns name: dns
@ -137,6 +138,14 @@ spec:
timeoutSeconds: 5 timeoutSeconds: 5
successThreshold: 1 successThreshold: 1
failureThreshold: 5 failureThreshold: 5
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- all
readOnlyRootFilesystem: true
dnsPolicy: Default dnsPolicy: Default
volumes: volumes:
- name: config-volume - name: config-volume

9
cmd/kubeadm/app/phases/addons/dns/manifests.go
View File

@ -259,6 +259,7 @@ spec:
volumeMounts: volumeMounts:
- name: config-volume - name: config-volume
mountPath: /etc/coredns mountPath: /etc/coredns
readOnly: true
ports: ports:
- containerPort: 53 - containerPort: 53
name: dns name: dns
@ -278,6 +279,14 @@ spec:
timeoutSeconds: 5 timeoutSeconds: 5
successThreshold: 1 successThreshold: 1
failureThreshold: 5 failureThreshold: 5
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- all
readOnlyRootFilesystem: true
dnsPolicy: Default dnsPolicy: Default
volumes: volumes:
- name: config-volume - name: config-volume