security: run as unprivileged
zhangzujian committed Jul 17, 2023
1 parent b40c35b commit ebc7730
Showing 13 changed files with 97 additions and 33 deletions.
6 changes: 5 additions & 1 deletion charts/templates/central-deploy.yaml
Expand Up @@ -46,8 +46,12 @@ spec:
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: ["/kube-ovn/start-db.sh"]
securityContext:
runAsUser: 0
privileged: false
capabilities:
add: ["SYS_NICE"]
add:
- NET_BIND_SERVICE
- SYS_NICE
env:
- name: ENABLE_SSL
value: "{{ .Values.networking.ENABLE_SSL }}"
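Review bot: The capability list under `add:` is additive to the container runtime's default bounding set, so with `runAsUser: 0` and no `drop:` this ovn-central container still holds CHOWN, DAC_OVERRIDE, SETUID, SETGID, NET_RAW and the rest of the defaults on top of NET_BIND_SERVICE and SYS_NICE. NET_BIND_SERVICE is itself part of that default set on Docker and containerd, so adding it changes nothing unless the defaults are dropped first. Make the list an allow-list with `drop: ["ALL"]` placed before `add:`, and set `allowPrivilegeEscalation: false` now that the container is explicitly non-privileged.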
6 changes: 6 additions & 0 deletions charts/templates/controller-deploy.yaml
Expand Up @@ -107,6 +107,12 @@ spec:
- --pod-default-fip-type={{- .Values.networking.POD_DEFAULT_FIP_TYPE }}
- --enable-metrics={{- .Values.networking.ENABLE_METRICS }}
- --node-local-dns-ip={{- .Values.networking.NODE_LOCAL_DNS_IP }}
securityContext:
runAsUser: 0
privileged: false
capabilities:
add:
- NET_BIND_SERVICE
env:
- name: ENABLE_SSL
value: "{{ .Values.networking.ENABLE_SSL }}"
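Review bot: The new `securityContext` pins the controller to uid 0 without stating why, and since this same Deployment runs with `hostNetwork: true` (visible in the yamls/kube-ovn.yaml section of this commit), NET_BIND_SERVICE here means binding privileged ports in the node's own network namespace. A comment above the field, such as `# runs as root: TODO document which operation actually needs uid 0`, would let a later reviewer remove it once that reason disappears, and if every listener the controller opens is above 1024 the capability can simply be dropped — the ports are not visible from here. As with the other containers, pair `add:` with `drop: ["ALL"]` and `allowPrivilegeEscalation: false` so the block restricts rather than extends the runtime defaults.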
2 changes: 1 addition & 1 deletion charts/templates/ovncni-ds.yaml
Expand Up @@ -117,7 +117,7 @@ spec:
name: cni-conf
- mountPath: /run/openvswitch
name: host-run-ovs
mountPropagation: Bidirectional
mountPropagation: HostToContainer
- mountPath: /run/ovn
name: host-run-ovn
- mountPath: /host/var/run/dbus
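Review bot: Only the `/run/openvswitch` mount is switched to `HostToContainer` in this chart, while the dist/images/install.sh section of the same commit also switches the `/var/run/netns` (`host-ns`) mount; this section's 1 addition / 1 deletion count shows the chart's netns mount was left untouched, presumably still `Bidirectional`. If the chart and install.sh are meant to render the same cni-server DaemonSet, the `host-ns` volumeMount below this hunk needs the same one-line change, `mountPropagation: HostToContainer`. That entry is outside the visible hunk, so confirm its current value before editing.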
8 changes: 7 additions & 1 deletion charts/templates/ovsovn-ds.yaml
Expand Up @@ -48,7 +48,13 @@ spec:
{{- end }}
securityContext:
runAsUser: 0
privileged: true
privileged: false
capabilities:
add:
- NET_ADMIN
- NET_BIND_SERVICE
- SYS_MODULE
- SYS_NICE
env:
- name: ENABLE_SSL
value: "{{ .Values.networking.ENABLE_SSL }}"
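Review bot: `privileged: false` together with `SYS_MODULE` does not move the ovs container out of the host-root trust boundary: CAP_SYS_MODULE lets the process load arbitrary kernel code, which is equivalent to full control of the node, and `runAsUser: 0` plus NET_ADMIN on a host-network pod keep the rest. If the modules start-ovs.sh needs are the usual openvswitch/geneve/vxlan ones, load them once from an init container that carries SYS_MODULE (or require them on the node) and leave the long-running container with NET_ADMIN, NET_BIND_SERVICE and SYS_NICE only, preceded by `drop: ["ALL"]` so the list is an allow-list instead of an addition to the runtime default set. Which modules the script actually loads is not visible here, so verify against start-ovs.sh before removing the capability.
```yaml
        securityContext:
          # … unchanged: runAsUser, privileged …
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
            # SYS_MODULE intentionally absent: kernel modules are loaded by an
            # init container (or required on the node), not by the long-running
            # ovs process
            add:
              - NET_ADMIN
              - NET_BIND_SERVICE
              - SYS_NICE
```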
24 changes: 20 additions & 4 deletions dist/images/install.sh
Expand Up @@ -3200,8 +3200,12 @@ spec:
imagePullPolicy: $IMAGE_PULL_POLICY
command: ["/kube-ovn/start-db.sh"]
securityContext:
runAsUser: 0
privileged: false
capabilities:
add: ["SYS_NICE"]
add:
- NET_BIND_SERVICE
- SYS_NICE
env:
- name: ENABLE_SSL
value: "$ENABLE_SSL"
Expand Down Expand Up @@ -3513,7 +3517,13 @@ spec:
command: ["/kube-ovn/start-ovs.sh"]
securityContext:
runAsUser: 0
privileged: true
privileged: false
capabilities:
add:
- NET_ADMIN
- NET_BIND_SERVICE
- SYS_MODULE
- SYS_NICE
env:
- name: ENABLE_SSL
value: "$ENABLE_SSL"
Expand Down Expand Up @@ -3905,6 +3915,12 @@ spec:
- --keep-vm-ip=$ENABLE_KEEP_VM_IP
- --pod-default-fip-type=$POD_DEFAULT_FIP_TYPE
- --node-local-dns-ip=$NODE_LOCAL_DNS_IP
securityContext:
runAsUser: 0
privileged: false
capabilities:
add:
- NET_BIND_SERVICE
env:
- name: ENABLE_SSL
value: "$ENABLE_SSL"
Expand Down Expand Up @@ -4076,15 +4092,15 @@ spec:
name: cni-conf
- mountPath: /run/openvswitch
name: host-run-ovs
mountPropagation: Bidirectional
mountPropagation: HostToContainer
- mountPath: /run/ovn
name: host-run-ovn
- mountPath: /host/var/run/dbus
name: host-dbus
mountPropagation: HostToContainer
- mountPath: /var/run/netns
name: host-ns
mountPropagation: Bidirectional
mountPropagation: HostToContainer
- mountPath: /var/log/kube-ovn
name: kube-ovn-log
- mountPath: /var/log/openvswitch
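Review bot: Switching the `/var/run/netns` mount to `HostToContainer` is a behaviour change, not only a hardening: bind mounts the cni-server creates under that path inside its own mount namespace (which is what `ip netns add` does) will no longer appear on the host, whereas namespaces the container runtime mounts on the host still propagate in. That is fine if cni-server only opens namespaces handed to it by the runtime, but any code path that creates or pins a netns itself needs a regression test against this manifest. The chart's charts/templates/ovncni-ds.yaml section in this commit changes only the `/run/openvswitch` mount, so the two manifests now differ on this point. The `host-ns` volume definition is outside the visible hunk.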
16 changes: 11 additions & 5 deletions yamls/kube-ovn-dual-stack.yaml
Expand Up @@ -40,7 +40,7 @@ spec:
hostNetwork: true
containers:
- name: kube-ovn-controller
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
args:
- /kube-ovn/start-controller.sh
Expand Down Expand Up @@ -72,6 +72,12 @@ spec:
- --keep-vm-ip=true
- --pod-default-fip-type=
- --node-local-dns-ip=
securityContext:
runAsUser: 0
privileged: false
capabilities:
add:
- NET_BIND_SERVICE
env:
- name: ENABLE_SSL
value: "false"
Expand Down Expand Up @@ -169,7 +175,7 @@ spec:
hostPID: true
initContainers:
- name: install-cni
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
command: ["/kube-ovn/install-cni.sh"]
securityContext:
Expand All @@ -182,7 +188,7 @@ spec:
name: local-bin
containers:
- name: cni-server
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
command:
- bash
Expand Down Expand Up @@ -357,7 +363,7 @@ spec:
hostPID: true
containers:
- name: pinger
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
command:
- /kube-ovn/kube-ovn-pinger
args:
Expand Down Expand Up @@ -488,7 +494,7 @@ spec:
hostNetwork: true
containers:
- name: kube-ovn-monitor
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
command: ["/kube-ovn/start-ovn-monitor.sh"]
args:
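Review bot: The controller's new `securityContext` adds NET_BIND_SERVICE without dropping anything, so the container keeps the runtime's default capability set — which already includes NET_BIND_SERVICE — plus an explicit uid 0; the only effective line in the block is `privileged: false`, which is already the Kubernetes default. To make it a real restriction, write `capabilities: { drop: ["ALL"], add: ["NET_BIND_SERVICE"] }` and set `allowPrivilegeEscalation: false`. Whether the controller binds a port below 1024 at all is not visible here; if it does not, the `add:` list can be empty.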
16 changes: 11 additions & 5 deletions yamls/kube-ovn-ipv6.yaml
Expand Up @@ -40,7 +40,7 @@ spec:
hostNetwork: true
containers:
- name: kube-ovn-controller
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
args:
- /kube-ovn/start-controller.sh
Expand Down Expand Up @@ -72,6 +72,12 @@ spec:
- --keep-vm-ip=true
- --pod-default-fip-type=
- --node-local-dns-ip=
securityContext:
runAsUser: 0
privileged: false
capabilities:
add:
- NET_BIND_SERVICE
env:
- name: ENABLE_SSL
value: "false"
Expand Down Expand Up @@ -169,7 +175,7 @@ spec:
hostPID: true
initContainers:
- name: install-cni
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
command: ["/kube-ovn/install-cni.sh"]
securityContext:
Expand All @@ -182,7 +188,7 @@ spec:
name: local-bin
containers:
- name: cni-server
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
command:
- bash
Expand Down Expand Up @@ -357,7 +363,7 @@ spec:
hostPID: true
containers:
- name: pinger
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
command:
- /kube-ovn/kube-ovn-pinger
args:
Expand Down Expand Up @@ -488,7 +494,7 @@ spec:
hostNetwork: true
containers:
- name: kube-ovn-monitor
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
command: ["/kube-ovn/start-ovn-monitor.sh"]
args:
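Review bot: This is the third hand-maintained copy of the same controller `securityContext` and `docker.io/` image rewrite in one commit (yamls/kube-ovn.yaml and yamls/kube-ovn-dual-stack.yaml carry identical hunks), and the yamls/ovn-dpdk.yaml section shows how such copies drift — it was still on v1.10.0 before this change. Consider generating these manifests from a single source (the Helm chart or install.sh) and diffing them in CI, so a security fix applied to one copy cannot silently miss another. For the block itself, the same `drop: ["ALL"]` before `add:` and `allowPrivilegeEscalation: false` apply as in the other copies.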
16 changes: 11 additions & 5 deletions yamls/kube-ovn.yaml
Expand Up @@ -40,7 +40,7 @@ spec:
hostNetwork: true
containers:
- name: kube-ovn-controller
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
args:
- /kube-ovn/start-controller.sh
Expand Down Expand Up @@ -72,6 +72,12 @@ spec:
- --keep-vm-ip=true
- --pod-default-fip-type=
- --node-local-dns-ip=
securityContext:
runAsUser: 0
privileged: false
capabilities:
add:
- NET_BIND_SERVICE
env:
- name: ENABLE_SSL
value: "false"
Expand Down Expand Up @@ -171,7 +177,7 @@ spec:
hostPID: true
initContainers:
- name: install-cni
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
command: ["/kube-ovn/install-cni.sh"]
securityContext:
Expand All @@ -184,7 +190,7 @@ spec:
name: local-bin
containers:
- name: cni-server
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
command:
- bash
Expand Down Expand Up @@ -359,7 +365,7 @@ spec:
hostPID: true
containers:
- name: pinger
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
command:
- /kube-ovn/kube-ovn-pinger
args:
Expand Down Expand Up @@ -490,7 +496,7 @@ spec:
hostNetwork: true
containers:
- name: kube-ovn-monitor
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
command: ["/kube-ovn/start-ovn-monitor.sh"]
args:
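Review bot: Qualifying the image with `docker.io/` removes registry ambiguity under mirror or default-registry configurations, but the reference is still a mutable tag pulled with `IfNotPresent`, so a node that already has a v1.12.0 image cached and one that pulls fresh can run different bytes. For a CNI that runs as root with host network on every node, pin by digest (`image: "docker.io/kubeovn/kube-ovn:v1.12.0@sha256:…"`) or enforce signature verification at admission; the digest must come from the release pipeline, not from this review. The same applies to every image line in this file.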
4 changes: 2 additions & 2 deletions yamls/ovn-dpdk.yaml
Expand Up @@ -204,7 +204,7 @@ spec:
hostNetwork: true
containers:
- name: ovn-central
image: "kubeovn/kube-ovn:v1.10.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
command: ["/kube-ovn/start-db.sh"]
securityContext:
Expand Down Expand Up @@ -333,7 +333,7 @@ spec:
hostPID: true
containers:
- name: openvswitch
image: "kubeovn/kube-ovn-dpdk:$DPDK_VERSION"
image: "docker.io/kubeovn/kube-ovn-dpdk:$DPDK_VERSION"
imagePullPolicy: IfNotPresent
command: ["/kube-ovn/start-ovs-dpdk.sh"]
securityContext:
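Review bot: This manifest receives only the image bump and registry prefix; the `securityContext:` blocks at the foot of both hunks are cut off, and the section's 2 additions / 2 deletions count confirms nothing inside them changed, so the openvswitch-dpdk container very likely still runs with its pre-commit setting (the non-DPDK counterpart in yamls/ovn-ha.yaml was `privileged: true`). DPDK may genuinely need that for hugepage and VFIO device access, but the reason should sit next to the field, e.g. `privileged: true  # DPDK: hugepages/VFIO device access, not expressible as capabilities`, or the container should get the same capability-based context as the other copies. Note also that ovn-central here jumps from v1.10.0 to v1.12.0, a version change riding on a security-titled commit.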
18 changes: 14 additions & 4 deletions yamls/ovn-ha.yaml
Expand Up @@ -93,12 +93,16 @@ spec:
hostNetwork: true
containers:
- name: ovn-central
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
command: ["/kube-ovn/start-db.sh"]
securityContext:
runAsUser: 0
privileged: false
capabilities:
add: ["SYS_NICE"]
add:
- NET_BIND_SERVICE
- SYS_NICE
env:
- name: NODE_IPS
value: 172.17.0.2,172.17.0.3,172.17.0.4
Expand Down Expand Up @@ -236,12 +240,18 @@ spec:
hostPID: true
containers:
- name: openvswitch
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
command: ["/kube-ovn/start-ovs.sh"]
securityContext:
runAsUser: 0
privileged: true
privileged: false
capabilities:
add:
- NET_ADMIN
- NET_BIND_SERVICE
- SYS_MODULE
- SYS_NICE
env:
- name: ENABLE_SSL
value: "false"
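Review bot: Now that the openvswitch container is no longer `privileged`, a seccomp profile can actually take effect on it — `privileged: true` disabled seccomp and AppArmor entirely — but nothing in the new block sets one, and Kubernetes' default remains Unconfined. Add `seccompProfile: { type: RuntimeDefault }` at the pod or container level together with `allowPrivilegeEscalation: false`, then verify start-ovs.sh still works; the runtime default profile permits `finit_module` only with CAP_SYS_MODULE, which this container keeps. The pod also still sets `hostPID: true` (visible just above the container), which with uid 0 and NET_ADMIN exposes every host process's namespace handles through /proc; confirm OVS actually needs it.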
10 changes: 7 additions & 3 deletions yamls/ovn.yaml
Expand Up @@ -93,12 +93,16 @@ spec:
hostNetwork: true
containers:
- name: ovn-central
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
command: ["/kube-ovn/start-db.sh"]
securityContext:
runAsUser: 0
privileged: false
capabilities:
add: ["SYS_NICE"]
add:
- NET_BIND_SERVICE
- SYS_NICE
env:
- name: ENABLE_SSL
value: "false"
Expand Down Expand Up @@ -236,7 +240,7 @@ spec:
hostPID: true
containers:
- name: openvswitch
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
command: ["/kube-ovn/start-ovs.sh"]
securityContext:
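Review bot: The openvswitch container in this file gets only the image rewrite — the section's 7 additions / 3 deletions are fully accounted for by the ovn-central hunk plus the two image lines — so its `securityContext:` at the end of the second hunk still carries the pre-commit value, which the parallel yamls/ovn-ha.yaml hunk shows was `privileged: true`. That leaves yamls/ovn.yaml running OVS fully privileged while ovn-ha.yaml, the chart and install.sh now use capabilities. Apply the same block here: `privileged: false` with `capabilities.add: [NET_ADMIN, NET_BIND_SERVICE, SYS_MODULE, SYS_NICE]`, ideally preceded by `drop: [ALL]`.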
2 changes: 1 addition & 1 deletion yamls/speaker.yaml
Expand Up @@ -29,7 +29,7 @@ spec:
hostNetwork: true
containers:
- name: kube-ovn-speaker
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
command:
- /kube-ovn/kube-ovn-speaker
2 changes: 1 addition & 1 deletion yamls/webhook.yaml
Expand Up @@ -33,7 +33,7 @@ spec:
hostNetwork: true
containers:
- name: kube-ovn-webhook
image: "kubeovn/kube-ovn:v1.12.0"
image: "docker.io/kubeovn/kube-ovn:v1.12.0"
imagePullPolicy: IfNotPresent
command:
- /kube-ovn/kube-ovn-webhook
