diff --git a/artifacts/deploy/karmada-aggregated-apiserver.yaml b/artifacts/deploy/karmada-aggregated-apiserver.yaml
index 00e651f72..ad20a8508 100644
--- a/artifacts/deploy/karmada-aggregated-apiserver.yaml
+++ b/artifacts/deploy/karmada-aggregated-apiserver.yaml
@@ -24,6 +24,9 @@ spec:
 - name: karmada-aggregated-apiserver
 image: docker.io/karmada/karmada-aggregated-apiserver:latest
 imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
 command:
 - /bin/karmada-aggregated-apiserver
 - --kubeconfig=/etc/karmada/config/karmada.config
@@ -77,6 +80,9 @@ spec:
 - name: etcd-client-cert
 secret:
 secretName: karmada-aggregated-apiserver-etcd-client-cert
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 ---
 apiVersion: v1
 kind: Service
diff --git a/artifacts/deploy/karmada-apiserver.yaml b/artifacts/deploy/karmada-apiserver.yaml
index ef26ae311..acee35fbd 100644
--- a/artifacts/deploy/karmada-apiserver.yaml
+++ b/artifacts/deploy/karmada-apiserver.yaml
@@ -100,6 +100,9 @@ spec:
 - name: service-account-key-pair
 mountPath: /etc/karmada/pki/service-account-key-pair
 readOnly: true
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
 volumes:
 - name: server-cert
 secret:
@@ -121,7 +124,9 @@ spec:
 priorityClassName: system-node-critical
 restartPolicy: Always
 schedulerName: default-scheduler
- securityContext: {}
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 terminationGracePeriodSeconds: 30
 tolerations:
 - effect: NoExecute
diff --git a/artifacts/deploy/karmada-controller-manager.yaml b/artifacts/deploy/karmada-controller-manager.yaml
index 814a02d7f..ecb7a5ab7 100644
--- a/artifacts/deploy/karmada-controller-manager.yaml
+++ b/artifacts/deploy/karmada-controller-manager.yaml
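Review bot: The container securityContext added in hunk `@@ -24,6 +24,9` (and the identical hunks in karmada-apiserver, karmada-controller-manager, karmada-descheduler, karmada-etcd, karmada-metrics-adapter, karmada-scheduler-estimator, karmada-scheduler, karmada-search, karmada-webhook and kube-controller-manager) stops at `allowPrivilegeEscalation: false` and `privileged: false`, so even with the pod-level `seccompProfile: RuntimeDefault` these pods still do not satisfy the Pod Security Standards restricted profile, which additionally requires `capabilities: drop: ["ALL"]` and `runAsNonRoot: true`. Adding `capabilities:` / `drop: ["ALL"]` beside `allowPrivilegeEscalation: false` is the low-risk part; `runAsNonRoot: true` depends on each image's default user, which these manifests do not show, so it should be verified per image before being added, and the etcd pod's `hostPath` data volume (visible as context in its second hunk) is itself disallowed by the baseline profile, so that file cannot reach restricted through securityContext alone. `privileged: false` is already the API default and only serves as an explicit marker for policy scanners, which is acceptable. Separately, the new block sits before `image:` in most files but after `imagePullPolicy:` in karmada-aggregated-apiserver and kube-controller-manager and after the volumeMounts in karmada-apiserver; key order does not matter to the API, but one consistent position keeps these eleven manifests easier to diff and review.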
@@ -21,6 +21,9 @@ spec:
 operator: Exists
 containers:
 - name: karmada-controller-manager
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
 image: docker.io/karmada/karmada-controller-manager:latest
 imagePullPolicy: IfNotPresent
 command:
@@ -53,3 +56,6 @@ spec:
 - name: karmada-config
 secret:
 secretName: karmada-controller-manager-config
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/artifacts/deploy/karmada-descheduler.yaml b/artifacts/deploy/karmada-descheduler.yaml
index 46a0f4851..8063cebd0 100644
--- a/artifacts/deploy/karmada-descheduler.yaml
+++ b/artifacts/deploy/karmada-descheduler.yaml
@@ -21,6 +21,9 @@ spec:
 operator: Exists
 containers:
 - name: karmada-descheduler
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
 image: docker.io/karmada/karmada-descheduler:latest
 imagePullPolicy: IfNotPresent
 command:
@@ -58,3 +61,6 @@ spec:
 - name: scheduler-estimator-client-cert
 secret:
 secretName: karmada-descheduler-scheduler-estimator-client-cert
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/artifacts/deploy/karmada-etcd.yaml b/artifacts/deploy/karmada-etcd.yaml
index e7025737f..197cec3fc 100644
--- a/artifacts/deploy/karmada-etcd.yaml
+++ b/artifacts/deploy/karmada-etcd.yaml
@@ -33,6 +33,9 @@ spec:
 - operator: Exists
 containers:
 - name: etcd
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
 image: registry.k8s.io/etcd:3.5.16-0
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -88,6 +91,9 @@ spec:
 mountPath: /etc/karmada/pki/server
 - name: etcd-client-cert
 mountPath: /etc/karmada/pki/etcd-client
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: etcd-data
 hostPath:
diff --git a/artifacts/deploy/karmada-metrics-adapter.yaml b/artifacts/deploy/karmada-metrics-adapter.yaml
index 19eaf8954..9ed6eaca4 100644
--- a/artifacts/deploy/karmada-metrics-adapter.yaml
+++ b/artifacts/deploy/karmada-metrics-adapter.yaml
@@ -22,6 +22,9 @@ spec:
 automountServiceAccountToken: false
 containers:
 - name: karmada-metrics-adapter
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
 image: docker.io/karmada/karmada-metrics-adapter:latest
 imagePullPolicy: IfNotPresent
 command:
@@ -71,6 +74,9 @@ spec:
 - name: server-cert
 secret:
 secretName: karmada-metrics-adapter-cert
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 ---
 apiVersion: v1
 kind: Service
diff --git a/artifacts/deploy/karmada-scheduler-estimator.yaml b/artifacts/deploy/karmada-scheduler-estimator.yaml
index e44ef8c3a..18f2b2279 100644
--- a/artifacts/deploy/karmada-scheduler-estimator.yaml
+++ b/artifacts/deploy/karmada-scheduler-estimator.yaml
@@ -21,6 +21,9 @@ spec:
 operator: Exists
 containers:
 - name: karmada-scheduler-estimator
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
 image: docker.io/karmada/karmada-scheduler-estimator:latest
 imagePullPolicy: IfNotPresent
 command:
@@ -59,6 +62,9 @@ spec:
 - name: member-kubeconfig
 secret:
 secretName: {{member_cluster_name}}-kubeconfig
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 ---
 apiVersion: v1
 kind: Service
diff --git a/artifacts/deploy/karmada-scheduler.yaml b/artifacts/deploy/karmada-scheduler.yaml
index 1604b9c9e..4b552afd6 100644
--- a/artifacts/deploy/karmada-scheduler.yaml
+++ b/artifacts/deploy/karmada-scheduler.yaml
@@ -21,6 +21,9 @@ spec:
 operator: Exists
 containers:
 - name: karmada-scheduler
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
 image: docker.io/karmada/karmada-scheduler:latest
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -59,3 +62,6 @@ spec:
 - name: scheduler-estimator-client-cert
 secret:
 secretName: karmada-scheduler-scheduler-estimator-client-cert
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/artifacts/deploy/karmada-search.yaml b/artifacts/deploy/karmada-search.yaml
index 5c18e788b..40df8be59 100644
--- a/artifacts/deploy/karmada-search.yaml
+++ b/artifacts/deploy/karmada-search.yaml
@@ -22,6 +22,9 @@ spec:
 automountServiceAccountToken: false
 containers:
 - name: karmada-search
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
 image: docker.io/karmada/karmada-search:latest
 imagePullPolicy: IfNotPresent
 command:
@@ -70,6 +73,9 @@ spec:
 - name: etcd-client-cert
 secret:
 secretName: karmada-search-etcd-client-cert
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 ---
 apiVersion: v1
 kind: Service
diff --git a/artifacts/deploy/karmada-webhook.yaml b/artifacts/deploy/karmada-webhook.yaml
index 850bdc5b2..84323db48 100644
--- a/artifacts/deploy/karmada-webhook.yaml
+++ b/artifacts/deploy/karmada-webhook.yaml
@@ -21,6 +21,9 @@ spec:
 operator: Exists
 containers:
 - name: karmada-webhook
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
 image: docker.io/karmada/karmada-webhook:latest
 imagePullPolicy: IfNotPresent
 command:
@@ -56,6 +59,9 @@ spec:
 - name: server-cert
 secret:
 secretName: karmada-webhook-cert
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 ---
 apiVersion: v1
 kind: Service
diff --git a/artifacts/deploy/kube-controller-manager.yaml b/artifacts/deploy/kube-controller-manager.yaml
index 1e98dd2f8..2653803bc 100644
--- a/artifacts/deploy/kube-controller-manager.yaml
+++ b/artifacts/deploy/kube-controller-manager.yaml
@@ -58,6 +58,9 @@ spec:
 - --v=4
 image: registry.k8s.io/kube-controller-manager:{{karmada_apiserver_version}}
 imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
 livenessProbe:
 failureThreshold: 8
 httpGet:
@@ -91,3 +94,6 @@ spec:
 - name: service-account-key-pair
 secret:
 secretName: kube-controller-manager-service-account-key-pair
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault