Merge pull request #1863 from hasbro17/haseeb/run-etcd-pods-as-non-root

k8sutil: run etcd pods as non-root user
coreos · Jan 17, 2018 · 13b4b52 · 13b4b52
2 parents 12e526e + 2899587
commit 13b4b52
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/pkg/util/k8sutil/k8sutil.go b/pkg/util/k8sutil/k8sutil.go
@@ -292,6 +292,9 @@ func newEtcdPod(m *etcdutil.Member, initialCluster []string, clusterName, state,
 		}})
 	}
 
+	runAsNonRoot := true
+	podUID := int64(9000)
+	fsGroup := podUID
 	pod := &v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        m.Name,
@@ -319,6 +322,11 @@ func newEtcdPod(m *etcdutil.Member, initialCluster []string, clusterName, state,
 			Hostname:                     m.Name,
 			Subdomain:                    clusterName,
 			AutomountServiceAccountToken: func(b bool) *bool { return &b }(false),
+			SecurityContext: &v1.PodSecurityContext{
+				RunAsUser:    &podUID,
+				RunAsNonRoot: &runAsNonRoot,
+				FSGroup:      &fsGroup,
+			},
 		},
 	}
 	SetEtcdVersion(pod, cs.Version)