
Commit 5caaf92

Merge pull request #7831 from Nordix/tuomo/add-security-context
✨ add explicit securitycontexts to controllers
2 parents 281297c + 9ac1f05 commit 5caaf92


5 files changed

+143
-93
lines changed


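--- a/bootstrap/kubeadm/config/manager/manager.yaml
+++ b/bootstrap/kubeadm/config/manager/manager.yaml
@@ -16,31 +16,43 @@ spec:
 control-plane: controller-manager
 spec:
 containers:
-- command:
-- /manager
-args:
-- "--leader-elect"
-- "--metrics-bind-addr=localhost:8080"
-- "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}"
-- "--bootstrap-token-ttl=${KUBEADM_BOOTSTRAP_TOKEN_TTL:=15m}"
-image: controller:latest
-name: manager
-ports:
-- containerPort: 9440
-name: healthz
-protocol: TCP
-readinessProbe:
-httpGet:
-path: /readyz
-port: healthz
-livenessProbe:
-httpGet:
-path: /healthz
-port: healthz
+- command:
+- /manager
+args:
+- "--leader-elect"
+- "--metrics-bind-addr=localhost:8080"
+- "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}"
+- "--bootstrap-token-ttl=${KUBEADM_BOOTSTRAP_TOKEN_TTL:=15m}"
+image: controller:latest
+name: manager
+ports:
+- containerPort: 9440
+name: healthz
+protocol: TCP
+readinessProbe:
+httpGet:
+path: /readyz
+port: healthz
+livenessProbe:
+httpGet:
+path: /healthz
+port: healthz
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+privileged: false
+runAsUser: 65532
+runAsGroup: 65532
 terminationGracePeriodSeconds: 10
 serviceAccountName: manager
 tolerations:
 - effect: NoSchedule
 key: node-role.kubernetes.io/master
 - effect: NoSchedule
 key: node-role.kubernetes.io/control-plane
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault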
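Review bot: The new `manager` container securityContext stops short of `readOnlyRootFilesystem: true`, the one remaining hardening field that usually accompanies `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`; whether the binary writes to its root filesystem is not visible here, so add it only after confirming there are no such writes (an `emptyDir` mount covers any scratch path). Dropping all capabilities looks safe as written, since the only listeners visible are `--metrics-bind-addr=localhost:8080` and the healthz port 9440, both above 1024. The identity settings are split across levels — `runAsUser`/`runAsGroup: 65532` on the container but `runAsNonRoot: true` on the pod — so a container added later would inherit `runAsNonRoot` without the UID and be refused by the kubelet unless its image declares a numeric non-root user; hoisting `runAsUser: 65532` and `runAsGroup: 65532` into the pod-level block at the end of the hunk avoids that, while `privileged: false` is the API default and can stay as an explicit statement of intent. The same blocks appear in config/manager/manager.yaml, controlplane/kubeadm/config/manager/manager.yaml and test/extension/config/default/manager.yaml. The enclosing Deployment `spec` begins before the hunk.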

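--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -17,43 +17,55 @@ spec:
 control-plane: controller-manager
 spec:
 containers:
-- command:
-- /manager
-args:
-- "--leader-elect"
-- "--metrics-bind-addr=localhost:8080"
-- "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},ClusterResourceSet=${EXP_CLUSTER_RESOURCE_SET:=false},ClusterTopology=${CLUSTER_TOPOLOGY:=false},RuntimeSDK=${EXP_RUNTIME_SDK:=false}"
-image: controller:latest
-name: manager
-env:
-- name: POD_NAMESPACE
-valueFrom:
-fieldRef:
-fieldPath: metadata.namespace
-- name: POD_NAME
-valueFrom:
-fieldRef:
-fieldPath: metadata.name
-- name: POD_UID
-valueFrom:
-fieldRef:
-fieldPath: metadata.uid
-ports:
-- containerPort: 9440
-name: healthz
-protocol: TCP
-readinessProbe:
-httpGet:
-path: /readyz
-port: healthz
-livenessProbe:
-httpGet:
-path: /healthz
-port: healthz
+- command:
+- /manager
+args:
+- "--leader-elect"
+- "--metrics-bind-addr=localhost:8080"
+- "--feature-gates=MachinePool=${EXP_MACHINE_POOL:=false},ClusterResourceSet=${EXP_CLUSTER_RESOURCE_SET:=false},ClusterTopology=${CLUSTER_TOPOLOGY:=false},RuntimeSDK=${EXP_RUNTIME_SDK:=false}"
+image: controller:latest
+name: manager
+env:
+- name: POD_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+- name: POD_NAME
+valueFrom:
+fieldRef:
+fieldPath: metadata.name
+- name: POD_UID
+valueFrom:
+fieldRef:
+fieldPath: metadata.uid
+ports:
+- containerPort: 9440
+name: healthz
+protocol: TCP
+readinessProbe:
+httpGet:
+path: /readyz
+port: healthz
+livenessProbe:
+httpGet:
+path: /healthz
+port: healthz
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+privileged: false
+runAsUser: 65532
+runAsGroup: 65532
 terminationGracePeriodSeconds: 10
 serviceAccountName: manager
 tolerations:
 - effect: NoSchedule
 key: node-role.kubernetes.io/master
 - effect: NoSchedule
 key: node-role.kubernetes.io/control-plane
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault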

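--- a/controlplane/kubeadm/config/manager/manager.yaml
+++ b/controlplane/kubeadm/config/manager/manager.yaml
@@ -16,43 +16,55 @@ spec:
 control-plane: controller-manager
 spec:
 containers:
-- command:
-- /manager
-args:
-- "--leader-elect"
-- "--metrics-bind-addr=localhost:8080"
-- "--feature-gates=ClusterTopology=${CLUSTER_TOPOLOGY:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}"
-image: controller:latest
-name: manager
-env:
-- name: POD_NAMESPACE
-valueFrom:
-fieldRef:
-fieldPath: metadata.namespace
-- name: POD_NAME
-valueFrom:
-fieldRef:
-fieldPath: metadata.name
-- name: POD_UID
-valueFrom:
-fieldRef:
-fieldPath: metadata.uid
-ports:
-- containerPort: 9440
-name: healthz
-protocol: TCP
-readinessProbe:
-httpGet:
-path: /readyz
-port: healthz
-livenessProbe:
-httpGet:
-path: /healthz
-port: healthz
+- command:
+- /manager
+args:
+- "--leader-elect"
+- "--metrics-bind-addr=localhost:8080"
+- "--feature-gates=ClusterTopology=${CLUSTER_TOPOLOGY:=false},KubeadmBootstrapFormatIgnition=${EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION:=false}"
+image: controller:latest
+name: manager
+env:
+- name: POD_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+- name: POD_NAME
+valueFrom:
+fieldRef:
+fieldPath: metadata.name
+- name: POD_UID
+valueFrom:
+fieldRef:
+fieldPath: metadata.uid
+ports:
+- containerPort: 9440
+name: healthz
+protocol: TCP
+readinessProbe:
+httpGet:
+path: /readyz
+port: healthz
+livenessProbe:
+httpGet:
+path: /healthz
+port: healthz
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+privileged: false
+runAsUser: 65532
+runAsGroup: 65532
 terminationGracePeriodSeconds: 10
 serviceAccountName: manager
 tolerations:
 - effect: NoSchedule
 key: node-role.kubernetes.io/master
 - effect: NoSchedule
 key: node-role.kubernetes.io/control-plane
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault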

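--- a/docs/book/src/developer/providers/v1.3-to-v1.4.md
+++ b/docs/book/src/developer/providers/v1.3-to-v1.4.md
@@ -5,13 +5,12 @@ maintainers of providers and consumers of our Go API.
 
 ## Minimum Go version
 
-* The Go version used by Cluster API is still Go 1.19.x
+- The Go version used by Cluster API is still Go 1.19.x
 
 ## Dependencies
 
 **Note**: Only the most relevant dependencies are listed, `k8s.io/` and `ginkgo`/`gomega` dependencies in Cluster API are kept in sync with the versions used by `sigs.k8s.io/controller-runtime`.
 
-
 ## Changes by Kind
 
 ### Deprecation
@@ -36,5 +35,8 @@ maintainers of providers and consumers of our Go API.
 
 - `clusterctl upgrade apply` no longer requires a namespace when updating providers. It is now optional and in a future release it will be deprecated. The new syntax is `[namespace/]provider:version`.
 - `WatchDeploymentLogs` is changed to `WatchDeploymentLogsByName`, it works same as before. Another function `WatchDeploymentLogsByLabelSelector` is added to stream logs of deployment by label selector.
+- Cluster API controllers are now using an explicit security context by default.
 
 ### Suggested changes for providers
+
+- Providers should add an explicit security context to their controllers deployment, see [#7831](https://github.com/kubernetes-sigs/cluster-api/pull/7831) for reference.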

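--- a/test/extension/config/default/manager.yaml
+++ b/test/extension/config/default/manager.yaml
@@ -14,14 +14,26 @@ spec:
 app: test-extension-manager
 spec:
 containers:
-- command:
-- /manager
-image: controller:latest
-name: manager
+- command:
+- /manager
+image: controller:latest
+name: manager
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+privileged: false
+runAsUser: 65532
+runAsGroup: 65532
 terminationGracePeriodSeconds: 10
 serviceAccountName: manager
 tolerations:
 - effect: NoSchedule
 key: node-role.kubernetes.io/master
 - effect: NoSchedule
 key: node-role.kubernetes.io/control-plane
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault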
