Merge pull request #6052 from zhzhuang-zju/securityContext

config security context
karmada-bot 2025-01-17 16:47:46 +08:00 committed by GitHub
commit 4f869218cf
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
11 changed files with 66 additions and 1 deletions


@ -24,6 +24,9 @@ spec:
- name: karmada-aggregated-apiserver - name: karmada-aggregated-apiserver
image: docker.io/karmada/karmada-aggregated-apiserver:latest image: docker.io/karmada/karmada-aggregated-apiserver:latest
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
privileged: false
command: command:
- /bin/karmada-aggregated-apiserver - /bin/karmada-aggregated-apiserver
- --kubeconfig=/etc/karmada/config/karmada.config - --kubeconfig=/etc/karmada/config/karmada.config
@ -77,6 +80,9 @@ spec:
- name: etcd-client-cert - name: etcd-client-cert
secret: secret:
secretName: karmada-aggregated-apiserver-etcd-client-cert secretName: karmada-aggregated-apiserver-etcd-client-cert
securityContext:
seccompProfile:
type: RuntimeDefault
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
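Review bot: The new container securityContext stops at allowPrivilegeEscalation/privileged and the pod-level block at seccompProfile, which leaves these manifests short of the Pod Security Standards "restricted" profile: that profile also requires `capabilities: {drop: ["ALL"]}` on every container and `runAsNonRoot: true`, and `readOnlyRootFilesystem: true` is commonly added alongside them where the image tolerates it. The same gap is in the other ten file sections of this commit (the section with the service-account-key-pair mounts, controller-manager, descheduler, etcd, metrics-adapter, scheduler-estimator, scheduler, search, webhook and kube-controller-manager), so it is best fixed once across all of them. runAsNonRoot depends on each image's default user, so verify it per image before adding it — the registry.k8s.io etcd and kube-controller-manager images in particular may run as root, and etcd also writes to a hostPath volume. Separately, the container securityContext is placed inconsistently: here and in two other sections it is inserted after imagePullPolicy or volumeMounts, elsewhere directly under `- name:`; one fixed position keeps the manifests diffable. The container and pod specs both continue outside the hunks.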


@ -100,6 +100,9 @@ spec:
- name: service-account-key-pair - name: service-account-key-pair
mountPath: /etc/karmada/pki/service-account-key-pair mountPath: /etc/karmada/pki/service-account-key-pair
readOnly: true readOnly: true
securityContext:
allowPrivilegeEscalation: false
privileged: false
volumes: volumes:
- name: server-cert - name: server-cert
secret: secret:
@ -121,7 +124,9 @@ spec:
priorityClassName: system-node-critical priorityClassName: system-node-critical
restartPolicy: Always restartPolicy: Always
schedulerName: default-scheduler schedulerName: default-scheduler
securityContext: {} securityContext:
seccompProfile:
type: RuntimeDefault
terminationGracePeriodSeconds: 30 terminationGracePeriodSeconds: 30
tolerations: tolerations:
- effect: NoExecute - effect: NoExecute


@ -21,6 +21,9 @@ spec:
operator: Exists operator: Exists
containers: containers:
- name: karmada-controller-manager - name: karmada-controller-manager
securityContext:
allowPrivilegeEscalation: false
privileged: false
image: docker.io/karmada/karmada-controller-manager:latest image: docker.io/karmada/karmada-controller-manager:latest
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
@ -53,3 +56,6 @@ spec:
- name: karmada-config - name: karmada-config
secret: secret:
secretName: karmada-controller-manager-config secretName: karmada-controller-manager-config
securityContext:
seccompProfile:
type: RuntimeDefault


@ -21,6 +21,9 @@ spec:
operator: Exists operator: Exists
containers: containers:
- name: karmada-descheduler - name: karmada-descheduler
securityContext:
allowPrivilegeEscalation: false
privileged: false
image: docker.io/karmada/karmada-descheduler:latest image: docker.io/karmada/karmada-descheduler:latest
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
@ -58,3 +61,6 @@ spec:
- name: scheduler-estimator-client-cert - name: scheduler-estimator-client-cert
secret: secret:
secretName: karmada-descheduler-scheduler-estimator-client-cert secretName: karmada-descheduler-scheduler-estimator-client-cert
securityContext:
seccompProfile:
type: RuntimeDefault


@ -33,6 +33,9 @@ spec:
- operator: Exists - operator: Exists
containers: containers:
- name: etcd - name: etcd
securityContext:
allowPrivilegeEscalation: false
privileged: false
image: registry.k8s.io/etcd:3.5.16-0 image: registry.k8s.io/etcd:3.5.16-0
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
@ -88,6 +91,9 @@ spec:
mountPath: /etc/karmada/pki/server mountPath: /etc/karmada/pki/server
- name: etcd-client-cert - name: etcd-client-cert
mountPath: /etc/karmada/pki/etcd-client mountPath: /etc/karmada/pki/etcd-client
securityContext:
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- name: etcd-data - name: etcd-data
hostPath: hostPath:


@ -22,6 +22,9 @@ spec:
automountServiceAccountToken: false automountServiceAccountToken: false
containers: containers:
- name: karmada-metrics-adapter - name: karmada-metrics-adapter
securityContext:
allowPrivilegeEscalation: false
privileged: false
image: docker.io/karmada/karmada-metrics-adapter:latest image: docker.io/karmada/karmada-metrics-adapter:latest
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
@ -71,6 +74,9 @@ spec:
- name: server-cert - name: server-cert
secret: secret:
secretName: karmada-metrics-adapter-cert secretName: karmada-metrics-adapter-cert
securityContext:
seccompProfile:
type: RuntimeDefault
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service


@ -21,6 +21,9 @@ spec:
operator: Exists operator: Exists
containers: containers:
- name: karmada-scheduler-estimator - name: karmada-scheduler-estimator
securityContext:
allowPrivilegeEscalation: false
privileged: false
image: docker.io/karmada/karmada-scheduler-estimator:latest image: docker.io/karmada/karmada-scheduler-estimator:latest
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
@ -59,6 +62,9 @@ spec:
- name: member-kubeconfig - name: member-kubeconfig
secret: secret:
secretName: {{member_cluster_name}}-kubeconfig secretName: {{member_cluster_name}}-kubeconfig
securityContext:
seccompProfile:
type: RuntimeDefault
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service


@ -21,6 +21,9 @@ spec:
operator: Exists operator: Exists
containers: containers:
- name: karmada-scheduler - name: karmada-scheduler
securityContext:
allowPrivilegeEscalation: false
privileged: false
image: docker.io/karmada/karmada-scheduler:latest image: docker.io/karmada/karmada-scheduler:latest
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
@ -59,3 +62,6 @@ spec:
- name: scheduler-estimator-client-cert - name: scheduler-estimator-client-cert
secret: secret:
secretName: karmada-scheduler-scheduler-estimator-client-cert secretName: karmada-scheduler-scheduler-estimator-client-cert
securityContext:
seccompProfile:
type: RuntimeDefault


@ -22,6 +22,9 @@ spec:
automountServiceAccountToken: false automountServiceAccountToken: false
containers: containers:
- name: karmada-search - name: karmada-search
securityContext:
allowPrivilegeEscalation: false
privileged: false
image: docker.io/karmada/karmada-search:latest image: docker.io/karmada/karmada-search:latest
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
@ -70,6 +73,9 @@ spec:
- name: etcd-client-cert - name: etcd-client-cert
secret: secret:
secretName: karmada-search-etcd-client-cert secretName: karmada-search-etcd-client-cert
securityContext:
seccompProfile:
type: RuntimeDefault
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service


@ -21,6 +21,9 @@ spec:
operator: Exists operator: Exists
containers: containers:
- name: karmada-webhook - name: karmada-webhook
securityContext:
allowPrivilegeEscalation: false
privileged: false
image: docker.io/karmada/karmada-webhook:latest image: docker.io/karmada/karmada-webhook:latest
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
@ -56,6 +59,9 @@ spec:
- name: server-cert - name: server-cert
secret: secret:
secretName: karmada-webhook-cert secretName: karmada-webhook-cert
securityContext:
seccompProfile:
type: RuntimeDefault
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service


@ -58,6 +58,9 @@ spec:
- --v=4 - --v=4
image: registry.k8s.io/kube-controller-manager:{{karmada_apiserver_version}} image: registry.k8s.io/kube-controller-manager:{{karmada_apiserver_version}}
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
privileged: false
livenessProbe: livenessProbe:
failureThreshold: 8 failureThreshold: 8
httpGet: httpGet:
@ -91,3 +94,6 @@ spec:
- name: service-account-key-pair - name: service-account-key-pair
secret: secret:
secretName: kube-controller-manager-service-account-key-pair secretName: kube-controller-manager-service-account-key-pair
securityContext:
seccompProfile:
type: RuntimeDefault