karmada-io
/
karmada
mirror of https://github.com/karmada-io/karmada.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

config security context 

Signed-off-by: zhzhuang-zju <m17799853869@163.com>
This commit is contained in:
zhzhuang-zju 2025-01-17 15:52:59 +08:00
parent 253dc794b1
commit 3e9ef29290
11 changed files with 66 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
artifacts/deploy/karmada-aggregated-apiserver.yaml
View File

@ -24,6 +24,9 @@ spec:
- name: karmada-aggregated-apiserver
image: docker.io/karmada/karmada-aggregated-apiserver:latest
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
privileged: false
command:
- /bin/karmada-aggregated-apiserver
- --kubeconfig=/etc/karmada/config/karmada.config
@ -77,6 +80,9 @@ spec:
- name: etcd-client-cert
secret:
secretName: karmada-aggregated-apiserver-etcd-client-cert
securityContext:
seccompProfile:
type: RuntimeDefault
---
apiVersion: v1
kind: Service

7
artifacts/deploy/karmada-apiserver.yaml
View File

@ -100,6 +100,9 @@ spec:
- name: service-account-key-pair
mountPath: /etc/karmada/pki/service-account-key-pair
readOnly: true
securityContext:
allowPrivilegeEscalation: false
privileged: false
volumes:
- name: server-cert
secret:
@ -121,7 +124,9 @@ spec:
priorityClassName: system-node-critical
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
securityContext:
seccompProfile:
type: RuntimeDefault
terminationGracePeriodSeconds: 30
tolerations:
- effect: NoExecute

6
artifacts/deploy/karmada-controller-manager.yaml
View File

@ -21,6 +21,9 @@ spec:
operator: Exists
containers:
- name: karmada-controller-manager
securityContext:
allowPrivilegeEscalation: false
privileged: false
image: docker.io/karmada/karmada-controller-manager:latest
imagePullPolicy: IfNotPresent
command:
@ -53,3 +56,6 @@ spec:
- name: karmada-config
secret:
secretName: karmada-controller-manager-config
securityContext:
seccompProfile:
type: RuntimeDefault

6
artifacts/deploy/karmada-descheduler.yaml
View File

@ -21,6 +21,9 @@ spec:
operator: Exists
containers:
- name: karmada-descheduler
securityContext:
allowPrivilegeEscalation: false
privileged: false
image: docker.io/karmada/karmada-descheduler:latest
imagePullPolicy: IfNotPresent
command:
@ -58,3 +61,6 @@ spec:
- name: scheduler-estimator-client-cert
secret:
secretName: karmada-descheduler-scheduler-estimator-client-cert
securityContext:
seccompProfile:
type: RuntimeDefault

6
artifacts/deploy/karmada-etcd.yaml
View File

@ -33,6 +33,9 @@ spec:
- operator: Exists
containers:
- name: etcd
securityContext:
allowPrivilegeEscalation: false
privileged: false
image: registry.k8s.io/etcd:3.5.16-0
imagePullPolicy: IfNotPresent
livenessProbe:
@ -88,6 +91,9 @@ spec:
mountPath: /etc/karmada/pki/server
- name: etcd-client-cert
mountPath: /etc/karmada/pki/etcd-client
securityContext:
seccompProfile:
type: RuntimeDefault
volumes:
- name: etcd-data
hostPath:

6
artifacts/deploy/karmada-metrics-adapter.yaml
View File

@ -22,6 +22,9 @@ spec:
automountServiceAccountToken: false
containers:
- name: karmada-metrics-adapter
securityContext:
allowPrivilegeEscalation: false
privileged: false
image: docker.io/karmada/karmada-metrics-adapter:latest
imagePullPolicy: IfNotPresent
command:
@ -71,6 +74,9 @@ spec:
- name: server-cert
secret:
secretName: karmada-metrics-adapter-cert
securityContext:
seccompProfile:
type: RuntimeDefault
---
apiVersion: v1
kind: Service

6
artifacts/deploy/karmada-scheduler-estimator.yaml
View File

@ -21,6 +21,9 @@ spec:
operator: Exists
containers:
- name: karmada-scheduler-estimator
securityContext:
allowPrivilegeEscalation: false
privileged: false
image: docker.io/karmada/karmada-scheduler-estimator:latest
imagePullPolicy: IfNotPresent
command:
@ -59,6 +62,9 @@ spec:
- name: member-kubeconfig
secret:
secretName: {{member_cluster_name}}-kubeconfig
securityContext:
seccompProfile:
type: RuntimeDefault
---
apiVersion: v1
kind: Service

6
artifacts/deploy/karmada-scheduler.yaml
View File

@ -21,6 +21,9 @@ spec:
operator: Exists
containers:
- name: karmada-scheduler
securityContext:
allowPrivilegeEscalation: false
privileged: false
image: docker.io/karmada/karmada-scheduler:latest
imagePullPolicy: IfNotPresent
livenessProbe:
@ -59,3 +62,6 @@ spec:
- name: scheduler-estimator-client-cert
secret:
secretName: karmada-scheduler-scheduler-estimator-client-cert
securityContext:
seccompProfile:
type: RuntimeDefault

6
artifacts/deploy/karmada-search.yaml
View File

@ -22,6 +22,9 @@ spec:
automountServiceAccountToken: false
containers:
- name: karmada-search
securityContext:
allowPrivilegeEscalation: false
privileged: false
image: docker.io/karmada/karmada-search:latest
imagePullPolicy: IfNotPresent
command:
@ -70,6 +73,9 @@ spec:
- name: etcd-client-cert
secret:
secretName: karmada-search-etcd-client-cert
securityContext:
seccompProfile:
type: RuntimeDefault
---
apiVersion: v1
kind: Service

6
artifacts/deploy/karmada-webhook.yaml
View File

@ -21,6 +21,9 @@ spec:
operator: Exists
containers:
- name: karmada-webhook
securityContext:
allowPrivilegeEscalation: false
privileged: false
image: docker.io/karmada/karmada-webhook:latest
imagePullPolicy: IfNotPresent
command:
@ -56,6 +59,9 @@ spec:
- name: server-cert
secret:
secretName: karmada-webhook-cert
securityContext:
seccompProfile:
type: RuntimeDefault
---
apiVersion: v1
kind: Service

6
artifacts/deploy/kube-controller-manager.yaml
View File

@ -58,6 +58,9 @@ spec:
- --v=4
image: registry.k8s.io/kube-controller-manager:{{karmada_apiserver_version}}
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
privileged: false
livenessProbe:
failureThreshold: 8
httpGet:
@ -91,3 +94,6 @@ spec:
- name: service-account-key-pair
secret:
secretName: kube-controller-manager-service-account-key-pair
securityContext:
seccompProfile:
type: RuntimeDefault