k3s/federation
Kubernetes Submit Queue 72c6251508 Merge pull request #47019 from jessfraz/allowPrivilegeEscalation
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)

Add support for `no_new_privs` via AllowPrivilegeEscalation

**What this PR does / why we need it**:
Implements kubernetes/community#639
Fixes #38417

Adds `AllowPrivilegeEscalation` and `DefaultAllowPrivilegeEscalation` to `PodSecurityPolicy`.
Adds `AllowPrivilegeEscalation` to container `SecurityContext`.

Adds the proposed behavior to `kuberuntime`, `dockershim`, and `rkt`. Adds a bunch of unit tests to ensure the desired default behavior and that when `DefaultAllowPrivilegeEscalation` is explicitly set.

Tests pass locally with docker and rkt runtimes. There are also a few integration tests with a `setuid` binary for sanity.

**Release note**:

```release-note
Adds AllowPrivilegeEscalation to control whether a process can gain more privileges than its parent process
```
2017-07-31 16:56:58 -07:00
apis Merge pull request #47019 from jessfraz/allowPrivilegeEscalation 2017-07-31 16:56:58 -07:00
client Remove federation internal clienset 2017-07-26 06:22:30 +05:30
cluster [Federation] Update to enable all apis in e2e tests 2017-07-19 21:26:25 +05:30
cmd Merge pull request #43443 from irfanurrehman/kubefed-doc-1 2017-07-25 21:52:45 -07:00
deploy
develop Revert "[Federation] Build a simple hyperkube image on-the-fly only containing the hyperkube binary for development and testing purposes." 2017-04-24 22:26:20 -07:00
docs/api-reference Merge pull request #47019 from jessfraz/allowPrivilegeEscalation 2017-07-31 16:56:58 -07:00
manifests Release 3.0.17 etcd image 2017-02-27 16:23:44 +01:00
pkg Merge pull request #46283 from ktsakalozos/feature/nodeport-port 2017-07-30 04:01:36 -07:00
plugin/pkg/admission/schedulingpolicy [Federation]Fix forgeting to close file 2017-06-24 10:04:06 +08:00
registry/cluster Grow signature for predicate attributes to include init status 2017-06-02 22:09:04 -04:00
BUILD Auto generated files 2017-07-26 06:22:30 +05:30
Makefile
OWNERS fed: Add marun as reviewer 2017-02-09 09:50:57 -08:00
README.md federation:update outdated link 2017-05-08 09:07:40 +08:00

README.md

Cluster Federation

Kubernetes Cluster Federation enables users to federate multiple Kubernetes clusters. Please see the user guide and the admin guide for more details about setting up and using the Cluster Federation.

Building Kubernetes Cluster Federation

Please see the Kubernetes Development Guide for initial setup. Once you have the development environment set up as explained in that guide, you also need to install jq.

Building cluster federation artifacts should be as simple as running:

make build

You can specify the docker registry to tag the image using the KUBE_REGISTRY environment variable. Please make sure that you use the same value in all the subsequent commands.

To push the built docker images to the registry, run:

make push

To initialize the deployment (this pulls the installer images), run:

make init

To deploy the clusters and install the federation components, edit the ${KUBE_ROOT}/_output/federation/config.json file to describe your clusters and run:

make deploy

To turn down the federation components and tear down the clusters run:

make destroy

Ideas for improvement

  1. Continue with destroy phase even in the face of errors.

    The bash script sets set -e (errexit), which causes the script to exit at the very first error. This should be the default mode for deploying components but not for destroying/cleanup.
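
One way to get that behavior, shown as an added example that is not code from the federation scripts: errexit stays on for the script as a whole, while each cleanup step runs as an `if` condition so a failure is recorded instead of aborting. The names try_step, destroy_all and the three step functions are hypothetical stand-ins.

```shell
#!/bin/sh
# Added example: hypothetical teardown runner, not the federation scripts.
set -eu   # errexit stays on, as it should for deploy paths

FAILED_STEPS=""   # space-separated names of cleanup steps that failed

# Run one cleanup step and record a failure instead of aborting.
# A command used as an `if` condition does not trigger errexit.
# Caveat: errexit is also ignored inside a shell function called this way,
# so a multi-command step must check its own commands explicitly.
try_step() {
  step_name="$1"; shift
  if "$@"; then
    echo "ok:     ${step_name}"
  else
    rc=$?
    echo "FAILED: ${step_name} (exit ${rc})" >&2
    FAILED_STEPS="${FAILED_STEPS}${FAILED_STEPS:+ }${step_name}"
  fi
}

# Constructed stand-ins for the real teardown commands.
remove_federation_components() { return 0; }
delete_cluster_a() { return 3; }   # simulated failure
delete_cluster_b() { return 0; }

destroy_all() {
  FAILED_STEPS=""
  try_step federation-components remove_federation_components
  try_step cluster-a delete_cluster_a
  try_step cluster-b delete_cluster_b   # still runs after cluster-a failed
  if [ -n "${FAILED_STEPS}" ]; then
    # Report what was left behind so it can be cleaned up by hand.
    echo "leftover resources likely; failed steps: ${FAILED_STEPS}" >&2
    return 1
  fi
}

destroy_all || echo "destroy finished with errors" >&2
```

The non-zero return from destroy_all keeps a partial teardown visible to callers and CI, so clusters or credentials left running are not mistaken for a clean destroy.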
