diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
index f42dace8ba..52db72a12e 100644
--- a/cluster/config-defaults.yaml
+++ b/cluster/config-defaults.yaml
@@ -255,6 +255,8 @@ apiserver_proxy: "true"
 # when set to true, service account tokens can be used from outside the cluster
 # requires apiserver_proxy to be set to "true"
 allow_external_service_accounts: "false"
+# issue service account tokens with expiration time.
+rotate_service_account_tokens: "false"
 # use kube-aws-iam-controller for kube-system components
 kube_aws_iam_controller_kube_system_enable: "true"
diff --git a/cluster/manifests/dashboard/deployment.yaml b/cluster/manifests/dashboard/deployment.yaml
index 3766646c59..3e6e3dae45 100644
--- a/cluster/manifests/dashboard/deployment.yaml
+++ b/cluster/manifests/dashboard/deployment.yaml
@@ -47,3 +47,5 @@ spec:
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 1000
+ securityContext:
+ fsGroup: 1000
diff --git a/cluster/manifests/external-dns/deployment.yaml b/cluster/manifests/external-dns/deployment.yaml
index b39ceaa17c..2247996e60 100644
--- a/cluster/manifests/external-dns/deployment.yaml
+++ b/cluster/manifests/external-dns/deployment.yaml
@@ -65,6 +65,8 @@ spec:
 runAsUser: 65534
 capabilities:
 drop: ["ALL"]
+ securityContext:
+ fsGroup: 65534
 {{ if eq .ConfigItems.kube_aws_iam_controller_kube_system_enable "true"}}
 volumes:
 - name: aws-iam-credentials
diff --git a/cluster/manifests/heapster/deployment.yaml b/cluster/manifests/heapster/deployment.yaml
index deda001d0d..1bc4f2f5d0 100644
--- a/cluster/manifests/heapster/deployment.yaml
+++ b/cluster/manifests/heapster/deployment.yaml
@@ -24,6 +24,8 @@ spec:
 value: "1"
 priorityClassName: system-cluster-critical
 serviceAccountName: heapster
+ securityContext:
+ fsGroup: 65534
 containers:
 - image: registry.opensource.zalan.do/teapot/heapster:v1.5.4
 name: heapster
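Review bot: The comment above the new `rotate_service_account_tokens` default only mentions token expiry, while the rest of this diff also uses the item to set the BoundServiceAccountTokenVolume feature gate on the API server, controller-manager, scheduler, kube-proxy and both kubelet configurations and to add the API server signing-key/issuer flags; a reader of config-defaults.yaml cannot see that from here. Suggest extending it to `# issue service account tokens with expiration time (sets the BoundServiceAccountTokenVolume feature gate cluster-wide and adds the apiserver token signing/issuer flags in the node-pool userdata).` The value should stay a quoted `"false"`/`"true"` string, because the userdata templates compare it with `eq … "true"`.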
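Review bot: The new pod-level `securityContext:` / `fsGroup: 1000` in the dashboard deployment has no comment explaining why it is needed, and the same unexplained addition appears in the external-dns, heapster, kube-state-metrics and skipper deployments. Given that the rest of the diff turns on BoundServiceAccountTokenVolume and allows `projected` volumes in the PodSecurityPolicy, this is presumably so the non-root container (`runAsUser: 1000` here) can read the projected service-account token volume; a one-line comment such as `# fsGroup lets the non-root container read the projected service-account token volume` would spare the next reader that inference. Since the diff's indentation is not visible here, it is also worth checking the rendered manifest that the key landed at pod level (a sibling of `volumes:`/`containers:`) rather than inside the container's securityContext, which has no `fsGroup` field.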
diff --git a/cluster/manifests/kube-proxy/configmap.yaml b/cluster/manifests/kube-proxy/configmap.yaml
index 96dff5412e..f2d847f842 100644
--- a/cluster/manifests/kube-proxy/configmap.yaml
+++ b/cluster/manifests/kube-proxy/configmap.yaml
@@ -24,6 +24,7 @@ data:
 enableProfiling: false
 featureGates:
 TaintBasedEvictions: true
+ BoundServiceAccountTokenVolume: {{ .Cluster.ConfigItems.rotate_service_account_tokens }}
 healthzBindAddress: 0.0.0.0:10256
 hostnameOverride: ""
 iptables:
diff --git a/cluster/manifests/kube-state-metrics/deployment.yaml b/cluster/manifests/kube-state-metrics/deployment.yaml
index 12606d6138..84b107aa0d 100644
--- a/cluster/manifests/kube-state-metrics/deployment.yaml
+++ b/cluster/manifests/kube-state-metrics/deployment.yaml
@@ -47,3 +47,5 @@ spec:
 runAsUser: 65534
 capabilities:
 drop: ["ALL"]
+ securityContext:
+ fsGroup: 65534
diff --git a/cluster/manifests/psp/pod_security_policy.yaml b/cluster/manifests/psp/pod_security_policy.yaml
index 653b4d4d3b..381c55c6c1 100644
--- a/cluster/manifests/psp/pod_security_policy.yaml
+++ b/cluster/manifests/psp/pod_security_policy.yaml
@@ -43,3 +43,4 @@ spec:
 - persistentVolumeClaim
 - downwardAPI
 - configMap
+ - projected
diff --git a/cluster/manifests/skipper/deployment.yaml b/cluster/manifests/skipper/deployment.yaml
index 0742e74bdd..4279f220aa 100644
--- a/cluster/manifests/skipper/deployment.yaml
+++ b/cluster/manifests/skipper/deployment.yaml
@@ -177,6 +177,8 @@ spec:
 name: skipper-ingress
 key: lightstep-token
 {{ end }}
+ securityContext:
+ fsGroup: 1000
 {{ if eq .ConfigItems.enable_apimonitoring "true"}}
 volumes:
 - name: filters
diff --git a/cluster/node-pools/master-default/userdata.yaml b/cluster/node-pools/master-default/userdata.yaml
index 98eb998350..09a625b1fe 100644
--- a/cluster/node-pools/master-default/userdata.yaml
+++ b/cluster/node-pools/master-default/userdata.yaml
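Review bot: The added `BoundServiceAccountTokenVolume: {{ .Cluster.ConfigItems.rotate_service_account_tokens }}` in the kube-proxy ConfigMap reads the config item as `.Cluster.ConfigItems.…`, whereas the other manifest templates in this diff (external-dns, skipper) use `.ConfigItems.…`; if `.Cluster` is not part of the manifest template context the expression renders empty and `featureGates` gets a null entry instead of a boolean, so confirm which form the manifest renderer provides or align with the neighbouring manifests. Because the expansion is unquoted it renders as the YAML boolean `false`/`true`, which is what the featureGates map expects, and since the line is unconditional the default `"false"` produces an explicit `BoundServiceAccountTokenVolume: false` rather than omitting the gate — fine, but a short comment saying that the value is intentionally unquoted would stop someone from "fixing" it by quoting.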
@@ -41,11 +41,9 @@ write_files:
 {{- if not (index .Cluster.ConfigItems "enable_cfs_quota") }}
 cpuCFSQuota: false
 {{- end }}
-{{- if ne .NodePool.ConfigItems.pod_max_pids "-1" }}
 featureGates:
- SupportPodPidsLimit: true
+ BoundServiceAccountTokenVolume: {{ .Cluster.ConfigItems.rotate_service_account_tokens }}
 podPidsLimit: {{ .NodePool.ConfigItems.pod_max_pids }}
-{{- end }}
 maxPods: {{ nodeCIDRMaxPods (parseInt64 .Cluster.ConfigItems.node_cidr_mask_size) 8 }}
 healthzPort: 10248
 healthzBindAddress: "0.0.0.0"
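Review bot: The master kubelet configuration now sets `BoundServiceAccountTokenVolume:` unconditionally and drops `SupportPodPidsLimit: true` along with the `pod_max_pids "-1"` guard, while the worker-default userdata hunk at the end of this diff keeps `SupportPodPidsLimit: true` and adds the new gate only inside `{{- if eq .Cluster.ConfigItems.rotate_service_account_tokens "true" }}`; the two kubelet configurations should take the same shape so that a master/worker diff does not hide a behavioural difference. Removing the guard also means `podPidsLimit: {{ .NodePool.ConfigItems.pod_max_pids }}` is rendered even when a pool sets "-1", and SupportPodPidsLimit is no longer requested on masters at all; both are presumably fine for the kubelet version in use (-1 as "no limit", gate on by default), but that should be confirmed rather than assumed. The write_files entry holding this KubeletConfiguration starts and ends outside the hunk.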
@@ -120,8 +118,12 @@ write_files:
 - --authorization-mode=Webhook,RBAC
 - --authorization-webhook-config-file=/etc/kubernetes/config/authz.yaml
 - --admission-control-config-file=/etc/kubernetes/config/image-policy-webhook.yaml
- - --feature-gates=TaintNodesByCondition={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},ScheduleDaemonSetPods={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},TTLAfterFinished=true,CustomResourceWebhookConversion={{.Cluster.ConfigItems.custom_resource_webhook_conversion}},CustomResourcePublishOpenAPI={{.Cluster.ConfigItems.custom_resource_publish_openapi}}
+ - --feature-gates=TaintNodesByCondition={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},ScheduleDaemonSetPods={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},TTLAfterFinished=true,CustomResourceWebhookConversion={{.Cluster.ConfigItems.custom_resource_webhook_conversion}},CustomResourcePublishOpenAPI={{.Cluster.ConfigItems.custom_resource_publish_openapi}},BoundServiceAccountTokenVolume={{ .Cluster.ConfigItems.rotate_service_account_tokens }}
 - --anonymous-auth=false
+ {{- if eq .Cluster.ConfigItems.rotate_service_account_tokens "true" }}
+ - --service-account-signing-key-file=/etc/kubernetes/ssl/service-account-private-key.pem
+ - --service-account-issuer=kubernetes/serviceaccount
+ {{- end }}
 {{ if ne .Cluster.ConfigItems.audittrail_url "" }}
 - --audit-webhook-config-file=/etc/kubernetes/config/audit.yaml
 - --audit-webhook-mode=batch
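Review bot: The new `--service-account-signing-key-file=/etc/kubernetes/ssl/service-account-private-key.pem` and `--service-account-issuer=kubernetes/serviceaccount` flags are added without a comment, and both carry a non-obvious contract: tokens minted through the TokenRequest API are signed with that key, so it must correspond to one of the verification keys in the API server's `--service-account-key-file` (outside this hunk) or the projected tokens will not authenticate; if the controller-manager signs legacy tokens with a different key, that key has to be listed there too. A comment such as `# bound-token signing key; must be covered by --service-account-key-file` above the `{{- if` line would make that explicit. The issuer is the legacy string rather than a URL — presumably chosen so it matches the `iss` claim of already-issued tokens — and no audience flag is set, which in releases of this era falls back to the issuer; newer Kubernetes versions expect a URL issuer for service-account issuer discovery, so recording the reason for the legacy value will help at upgrade time. The command list this belongs to starts and ends outside the hunk.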
@@ -461,7 +463,7 @@ write_files:
 - --root-ca-file=/etc/kubernetes/ssl/ca.pem
 - --cloud-provider=aws
 - --cloud-config=/etc/kubernetes/cloud-config.ini
- - --feature-gates=TaintNodesByCondition={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},ScheduleDaemonSetPods={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},TTLAfterFinished=true
+ - --feature-gates=TaintNodesByCondition={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},ScheduleDaemonSetPods={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},TTLAfterFinished=true,BoundServiceAccountTokenVolume={{ .Cluster.ConfigItems.rotate_service_account_tokens }}
 - --horizontal-pod-autoscaler-use-rest-clients=true
 - --use-service-account-credentials=true
 - --configure-cloud-routes=false
@@ -524,7 +526,7 @@ write_files:
 args:
 - --master=http://127.0.0.1:8080
 - --leader-elect=true
- - --feature-gates=TaintBasedEvictions=true,TaintNodesByCondition={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},ScheduleDaemonSetPods={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}}
+ - --feature-gates=TaintBasedEvictions=true,TaintNodesByCondition={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},ScheduleDaemonSetPods={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},BoundServiceAccountTokenVolume={{ .Cluster.ConfigItems.rotate_service_account_tokens }}
 env:
 - name: KUBE_MAX_PD_VOLS
 value: "26"
diff --git a/cluster/node-pools/worker-default/userdata.yaml b/cluster/node-pools/worker-default/userdata.yaml
index 13b6c61f36..c3b2468433 100644
--- a/cluster/node-pools/worker-default/userdata.yaml
+++ b/cluster/node-pools/worker-default/userdata.yaml
@@ -51,11 +51,12 @@ write_files:
 kind: KubeletConfiguration
 clusterDomain: cluster.local
 cpuCFSQuota: false
-{{- if ne .NodePool.ConfigItems.pod_max_pids "-1" }}
 featureGates:
 SupportPodPidsLimit: true
- podPidsLimit: {{ .NodePool.ConfigItems.pod_max_pids }}
+{{- if eq .Cluster.ConfigItems.rotate_service_account_tokens "true" }}
+ BoundServiceAccountTokenVolume: {{ .Cluster.ConfigItems.rotate_service_account_tokens }}
 {{- end }}
+ podPidsLimit: {{ .NodePool.ConfigItems.pod_max_pids }}
 cpuManagerPolicy: {{ .NodePool.ConfigItems.cpu_manager_policy }}
 maxPods: {{ nodeCIDRMaxPods (parseInt64 .Cluster.ConfigItems.node_cidr_mask_size) 0 }}
 healthzPort: 10248