From 5eb4078d68fe40f9eb1d31a5110ff9eb451f9f72 Mon Sep 17 00:00:00 2001 From: Dalton Hubble Date: Mon, 15 Oct 2018 23:24:27 -0700 Subject: [PATCH] Add docker/default seccomp to control plane and addons * Annotate pods, deployments, and daemonsets to start containers with the Docker runtime's default seccomp profile * Overrides Kubernetes default behavior which started containers with seccomp=unconfined * https://docs.docker.com/engine/security/seccomp/#pass-a-profile-for-a-container --- CHANGES.md | 2 ++ addons/cluo/update-agent.yaml | 2 ++ addons/cluo/update-operator.yaml | 2 ++ addons/grafana/deployment.yaml | 2 ++ addons/nginx-ingress/aws/default-backend/deployment.yaml | 2 ++ addons/nginx-ingress/aws/deployment.yaml | 2 ++ addons/nginx-ingress/azure/default-backend/deployment.yaml | 2 ++ addons/nginx-ingress/azure/deployment.yaml | 2 ++ addons/nginx-ingress/bare-metal/default-backend/deployment.yaml | 2 ++ addons/nginx-ingress/bare-metal/deployment.yaml | 2 ++ addons/nginx-ingress/digital-ocean/daemonset.yaml | 2 ++ .../nginx-ingress/digital-ocean/default-backend/deployment.yaml | 2 ++ .../nginx-ingress/google-cloud/default-backend/deployment.yaml | 2 ++ addons/nginx-ingress/google-cloud/deployment.yaml | 2 ++ addons/prometheus/deployment.yaml | 2 ++ addons/prometheus/exporters/kube-state-metrics/deployment.yaml | 2 ++ addons/prometheus/exporters/node-exporter/daemonset.yaml | 2 ++ aws/container-linux/kubernetes/bootkube.tf | 2 +- aws/fedora-atomic/kubernetes/bootkube.tf | 2 +- azure/container-linux/kubernetes/bootkube.tf | 2 +- bare-metal/container-linux/kubernetes/bootkube.tf | 2 +- bare-metal/fedora-atomic/kubernetes/bootkube.tf | 2 +- digital-ocean/container-linux/kubernetes/bootkube.tf | 2 +- digital-ocean/fedora-atomic/kubernetes/bootkube.tf | 2 +- google-cloud/container-linux/kubernetes/bootkube.tf | 2 +- google-cloud/fedora-atomic/kubernetes/bootkube.tf | 2 +- 26 files changed, 43 insertions(+), 9 deletions(-) 
diff --git a/CHANGES.md b/CHANGES.md
index 80d7dfbd..778c0377 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -11,6 +11,8 @@ Notable changes between versions.
 * Single-controller clusters continue to run 2 replicas as before
 * Raise default CoreDNS replica count to the larger of 2 or the number of controller nodes ([#313](https://github.com/poseidon/typhoon/pull/313))
 * Add AntiAffinity preferred rule to favor spreading CoreDNS pods
+* Annotate Kubernetes control plane and addons to start containers with the Docker runtime's default seccomp profile ([#319](https://github.com/poseidon/typhoon/pull/319))
+ * Override Kubernetes default behavior that starts containers with seccomp=unconfined
 
 #### Azure
 
diff --git a/addons/cluo/update-agent.yaml b/addons/cluo/update-agent.yaml
index 5175aa2c..c40f3fe5 100644
--- a/addons/cluo/update-agent.yaml
+++ b/addons/cluo/update-agent.yaml
@@ -15,6 +15,8 @@ spec:
 metadata:
 labels:
 app: container-linux-update-agent
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 containers:
 - name: update-agent
diff --git a/addons/cluo/update-operator.yaml b/addons/cluo/update-operator.yaml
index 8ddb0799..62b04a60 100644
--- a/addons/cluo/update-operator.yaml
+++ b/addons/cluo/update-operator.yaml
@@ -12,6 +12,8 @@ spec:
 metadata:
 labels:
 app: container-linux-update-operator
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 containers:
 - name: update-operator
diff --git a/addons/grafana/deployment.yaml b/addons/grafana/deployment.yaml
index fde1d130..64063cdb 100644
--- a/addons/grafana/deployment.yaml
+++ b/addons/grafana/deployment.yaml
@@ -18,6 +18,8 @@ spec:
 labels:
 name: grafana
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 containers:
 - name: grafana
diff --git a/addons/nginx-ingress/aws/default-backend/deployment.yaml b/addons/nginx-ingress/aws/default-backend/deployment.yaml
index 786968e0..ce640189 100644
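Review bot: The profile name `docker/default` in the new update-agent pod-template annotation (and the identical two lines added to update-operator, grafana, every nginx-ingress manifest and the three prometheus manifests) is the Docker-specific spelling that Kubernetes deprecated in 1.11 in favour of `runtime/default`, which resolves to the default profile of whichever CRI runtime the node actually runs. Because the same manifests ship for both Container Linux and Fedora Atomic, `seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'` keeps the restriction meaningful if a platform ever moves off Docker, and the annotation key itself is an alpha API that later Kubernetes releases replaced with a `securityContext.seccompProfile` field, so it is worth a tracking note in the manifests. A pod-level annotation confines every container in the pod, so node-exporter and the ingress controllers — the addons most likely to need a syscall the default profile denies — deserve a start-up and functional check on each platform before release; under Docker's default profile a blocked syscall typically shows up as the container exiting with EPERM rather than as a scheduling or admission error.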
--- a/addons/nginx-ingress/aws/default-backend/deployment.yaml
+++ b/addons/nginx-ingress/aws/default-backend/deployment.yaml
@@ -14,6 +14,8 @@ spec:
 labels:
 name: default-backend
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 containers:
 - name: default-backend
diff --git a/addons/nginx-ingress/aws/deployment.yaml b/addons/nginx-ingress/aws/deployment.yaml
index 58fac73d..10a21b66 100644
--- a/addons/nginx-ingress/aws/deployment.yaml
+++ b/addons/nginx-ingress/aws/deployment.yaml
@@ -17,6 +17,8 @@ spec:
 labels:
 name: nginx-ingress-controller
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 nodeSelector:
 node-role.kubernetes.io/node: ""
diff --git a/addons/nginx-ingress/azure/default-backend/deployment.yaml b/addons/nginx-ingress/azure/default-backend/deployment.yaml
index 786968e0..ce640189 100644
--- a/addons/nginx-ingress/azure/default-backend/deployment.yaml
+++ b/addons/nginx-ingress/azure/default-backend/deployment.yaml
@@ -14,6 +14,8 @@ spec:
 labels:
 name: default-backend
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 containers:
 - name: default-backend
diff --git a/addons/nginx-ingress/azure/deployment.yaml b/addons/nginx-ingress/azure/deployment.yaml
index 58fac73d..10a21b66 100644
--- a/addons/nginx-ingress/azure/deployment.yaml
+++ b/addons/nginx-ingress/azure/deployment.yaml
@@ -17,6 +17,8 @@ spec:
 labels:
 name: nginx-ingress-controller
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 nodeSelector:
 node-role.kubernetes.io/node: ""
diff --git a/addons/nginx-ingress/bare-metal/default-backend/deployment.yaml b/addons/nginx-ingress/bare-metal/default-backend/deployment.yaml
index 786968e0..ce640189 100644
--- a/addons/nginx-ingress/bare-metal/default-backend/deployment.yaml
+++ b/addons/nginx-ingress/bare-metal/default-backend/deployment.yaml
@@ -14,6 +14,8 @@ spec:
 labels:
 name: default-backend
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 containers:
 - name: default-backend
diff --git a/addons/nginx-ingress/bare-metal/deployment.yaml b/addons/nginx-ingress/bare-metal/deployment.yaml
index 812077bb..163df8cd 100644
--- a/addons/nginx-ingress/bare-metal/deployment.yaml
+++ b/addons/nginx-ingress/bare-metal/deployment.yaml
@@ -17,6 +17,8 @@ spec:
 labels:
 name: ingress-controller-public
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 containers:
 - name: nginx-ingress-controller
diff --git a/addons/nginx-ingress/digital-ocean/daemonset.yaml b/addons/nginx-ingress/digital-ocean/daemonset.yaml
index c6677617..d94c603a 100644
--- a/addons/nginx-ingress/digital-ocean/daemonset.yaml
+++ b/addons/nginx-ingress/digital-ocean/daemonset.yaml
@@ -17,6 +17,8 @@ spec:
 labels:
 name: nginx-ingress-controller
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 nodeSelector:
 node-role.kubernetes.io/node: ""
diff --git a/addons/nginx-ingress/digital-ocean/default-backend/deployment.yaml b/addons/nginx-ingress/digital-ocean/default-backend/deployment.yaml
index 786968e0..ce640189 100644
--- a/addons/nginx-ingress/digital-ocean/default-backend/deployment.yaml
+++ b/addons/nginx-ingress/digital-ocean/default-backend/deployment.yaml
@@ -14,6 +14,8 @@ spec:
 labels:
 name: default-backend
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 containers:
 - name: default-backend
diff --git a/addons/nginx-ingress/google-cloud/default-backend/deployment.yaml b/addons/nginx-ingress/google-cloud/default-backend/deployment.yaml
index 786968e0..ce640189 100644
--- a/addons/nginx-ingress/google-cloud/default-backend/deployment.yaml
+++ b/addons/nginx-ingress/google-cloud/default-backend/deployment.yaml
@@ -14,6 +14,8 @@ spec:
 labels:
 name: default-backend
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 containers:
 - name: default-backend
diff --git a/addons/nginx-ingress/google-cloud/deployment.yaml b/addons/nginx-ingress/google-cloud/deployment.yaml
index 58fac73d..10a21b66 100644
--- a/addons/nginx-ingress/google-cloud/deployment.yaml
+++ b/addons/nginx-ingress/google-cloud/deployment.yaml
@@ -17,6 +17,8 @@ spec:
 labels:
 name: nginx-ingress-controller
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 nodeSelector:
 node-role.kubernetes.io/node: ""
diff --git a/addons/prometheus/deployment.yaml b/addons/prometheus/deployment.yaml
index e1eded9e..4b8e4848 100644
--- a/addons/prometheus/deployment.yaml
+++ b/addons/prometheus/deployment.yaml
@@ -14,6 +14,8 @@ spec:
 labels:
 name: prometheus
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 serviceAccountName: prometheus
 containers:
diff --git a/addons/prometheus/exporters/kube-state-metrics/deployment.yaml b/addons/prometheus/exporters/kube-state-metrics/deployment.yaml
index 8bf5cc85..ec7553db 100644
--- a/addons/prometheus/exporters/kube-state-metrics/deployment.yaml
+++ b/addons/prometheus/exporters/kube-state-metrics/deployment.yaml
@@ -18,6 +18,8 @@ spec:
 labels:
 name: kube-state-metrics
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 serviceAccountName: kube-state-metrics
 containers:
diff --git a/addons/prometheus/exporters/node-exporter/daemonset.yaml b/addons/prometheus/exporters/node-exporter/daemonset.yaml
index 5f31657b..4164bd51 100644
--- a/addons/prometheus/exporters/node-exporter/daemonset.yaml
+++ b/addons/prometheus/exporters/node-exporter/daemonset.yaml
@@ -17,6 +17,8 @@ spec:
 labels:
 name: node-exporter
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 serviceAccountName: node-exporter
 securityContext:
diff --git a/aws/container-linux/kubernetes/bootkube.tf b/aws/container-linux/kubernetes/bootkube.tf
index 9035eb3f..fb7872f8 100644
--- a/aws/container-linux/kubernetes/bootkube.tf
+++ b/aws/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f7c2f8d590dcca0cb9bd4de15d765cad29109455"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2437023c1050609b749850e9b2301a6f00713680"
 
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/aws/fedora-atomic/kubernetes/bootkube.tf b/aws/fedora-atomic/kubernetes/bootkube.tf
index 60ca86e8..d3f5194b 100644
--- a/aws/fedora-atomic/kubernetes/bootkube.tf
+++ b/aws/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f7c2f8d590dcca0cb9bd4de15d765cad29109455"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2437023c1050609b749850e9b2301a6f00713680"
 
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/azure/container-linux/kubernetes/bootkube.tf b/azure/container-linux/kubernetes/bootkube.tf
index e0e85f42..f855e4ca 100644
--- a/azure/container-linux/kubernetes/bootkube.tf
+++ b/azure/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f7c2f8d590dcca0cb9bd4de15d765cad29109455"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2437023c1050609b749850e9b2301a6f00713680"
 
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/bare-metal/container-linux/kubernetes/bootkube.tf b/bare-metal/container-linux/kubernetes/bootkube.tf
index bc28a56e..6a7b8504 100644
--- a/bare-metal/container-linux/kubernetes/bootkube.tf
+++ b/bare-metal/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f7c2f8d590dcca0cb9bd4de15d765cad29109455"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2437023c1050609b749850e9b2301a6f00713680"
 
 cluster_name = "${var.cluster_name}"
 api_servers = ["${var.k8s_domain_name}"]
diff --git a/bare-metal/fedora-atomic/kubernetes/bootkube.tf b/bare-metal/fedora-atomic/kubernetes/bootkube.tf
index 323b0281..83bbe1b7 100644
--- a/bare-metal/fedora-atomic/kubernetes/bootkube.tf
+++ b/bare-metal/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f7c2f8d590dcca0cb9bd4de15d765cad29109455"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2437023c1050609b749850e9b2301a6f00713680"
 
 cluster_name = "${var.cluster_name}"
 api_servers = ["${var.k8s_domain_name}"]
diff --git a/digital-ocean/container-linux/kubernetes/bootkube.tf b/digital-ocean/container-linux/kubernetes/bootkube.tf
index 5fd0af98..dc6ee9bd 100644
--- a/digital-ocean/container-linux/kubernetes/bootkube.tf
+++ b/digital-ocean/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f7c2f8d590dcca0cb9bd4de15d765cad29109455"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2437023c1050609b749850e9b2301a6f00713680"
 
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/digital-ocean/fedora-atomic/kubernetes/bootkube.tf b/digital-ocean/fedora-atomic/kubernetes/bootkube.tf
index 045ef285..fda91aa1 100644
--- a/digital-ocean/fedora-atomic/kubernetes/bootkube.tf
+++ b/digital-ocean/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f7c2f8d590dcca0cb9bd4de15d765cad29109455"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2437023c1050609b749850e9b2301a6f00713680"
 
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/google-cloud/container-linux/kubernetes/bootkube.tf b/google-cloud/container-linux/kubernetes/bootkube.tf
index cacad840..42be39a1 100644
--- a/google-cloud/container-linux/kubernetes/bootkube.tf
+++ b/google-cloud/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f7c2f8d590dcca0cb9bd4de15d765cad29109455"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2437023c1050609b749850e9b2301a6f00713680"
 
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/google-cloud/fedora-atomic/kubernetes/bootkube.tf b/google-cloud/fedora-atomic/kubernetes/bootkube.tf
index 384061d0..4eca079d 100644
--- a/google-cloud/fedora-atomic/kubernetes/bootkube.tf
+++ b/google-cloud/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f7c2f8d590dcca0cb9bd4de15d765cad29109455"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2437023c1050609b749850e9b2301a6f00713680"
 
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]