diff --git a/CHANGES.md b/CHANGES.md
index a23ff4f24..43edde95d 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -11,6 +11,8 @@ Notable changes between versions.
 * Single-controller clusters continue to run 2 replicas as before
 * Raise default CoreDNS replica count to the larger of 2 or the number of controller nodes ([#313](https://github.com/poseidon/typhoon/pull/313))
 * Add AntiAffinity preferred rule to favor spreading CoreDNS pods
+* Annotate Kubernetes control plane and addons to start containers with the Docker runtime's default seccomp profile
+ * Override Kubernetes default behavior that starts containers with seccomp=unconfined
 #### Azure
@@ -24,6 +26,7 @@ Notable changes between versions.
 #### Addons
 * Update Prometheus from v2.3.2 to v2.4.2
+* Update Grafana from v5.2.4 to [v5.3.0](https://github.com/grafana/grafana/releases/tag/v5.3.0)
 ## v1.11.3
diff --git a/addons/cluo/update-agent.yaml b/addons/cluo/update-agent.yaml
index 5175aa2c7..c40f3fe5c 100644
--- a/addons/cluo/update-agent.yaml
+++ b/addons/cluo/update-agent.yaml
@@ -15,6 +15,8 @@ spec:
 metadata:
 labels:
 app: container-linux-update-agent
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 containers:
 - name: update-agent
diff --git a/addons/cluo/update-operator.yaml b/addons/cluo/update-operator.yaml
index 8ddb07995..62b04a605 100644
--- a/addons/cluo/update-operator.yaml
+++ b/addons/cluo/update-operator.yaml
@@ -12,6 +12,8 @@ spec:
 metadata:
 labels:
 app: container-linux-update-operator
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 containers:
 - name: update-operator
diff --git a/addons/grafana/deployment.yaml b/addons/grafana/deployment.yaml
index ea021bbed..64063cdbf 100644
--- a/addons/grafana/deployment.yaml
+++ b/addons/grafana/deployment.yaml
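Review bot: The value on the added annotation line in update-agent.yaml is the Docker-specific profile name; `seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'` is the runtime-neutral spelling that, if I recall the 1.11-era kubelet correctly, maps to the same Docker default profile while also holding up under other CRI runtimes, and the same applies to the identical pair of lines added in update-operator.yaml, the grafana, nginx-ingress and default-backend deployments, the digital-ocean daemonset, and the prometheus, kube-state-metrics and node-exporter manifests. The annotation is a request rather than an enforced setting: a kubelet or runtime without seccomp support starts the pod unconfined with no error, so the change is worth confirming on a running pod (the `Seccomp:` line of a container process's /proc status showing filter mode) rather than assumed from the manifest. Because this is an alpha annotation and not a typed field, the API server does not validate the key, so a misspelling would be silently ignored — one more reason to keep the key string byte-identical across all of these files.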
@@ -18,10 +18,12 @@ spec:
 labels:
 name: grafana
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 containers:
 - name: grafana
- image: grafana/grafana:5.2.4
+ image: grafana/grafana:5.3.0
 env:
 - name: GF_SERVER_HTTP_PORT
 value: "8080"
diff --git a/addons/nginx-ingress/aws/default-backend/deployment.yaml b/addons/nginx-ingress/aws/default-backend/deployment.yaml
index 786968e05..ce6401897 100644
--- a/addons/nginx-ingress/aws/default-backend/deployment.yaml
+++ b/addons/nginx-ingress/aws/default-backend/deployment.yaml
@@ -14,6 +14,8 @@ spec:
 labels:
 name: default-backend
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 containers:
 - name: default-backend
diff --git a/addons/nginx-ingress/aws/deployment.yaml b/addons/nginx-ingress/aws/deployment.yaml
index 58fac73d7..10a21b668 100644
--- a/addons/nginx-ingress/aws/deployment.yaml
+++ b/addons/nginx-ingress/aws/deployment.yaml
@@ -17,6 +17,8 @@ spec:
 labels:
 name: nginx-ingress-controller
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 nodeSelector:
 node-role.kubernetes.io/node: ""
diff --git a/addons/nginx-ingress/azure/default-backend/deployment.yaml b/addons/nginx-ingress/azure/default-backend/deployment.yaml
index 786968e05..ce6401897 100644
--- a/addons/nginx-ingress/azure/default-backend/deployment.yaml
+++ b/addons/nginx-ingress/azure/default-backend/deployment.yaml
@@ -14,6 +14,8 @@ spec:
 labels:
 name: default-backend
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 containers:
 - name: default-backend
diff --git a/addons/nginx-ingress/azure/deployment.yaml b/addons/nginx-ingress/azure/deployment.yaml
index 58fac73d7..10a21b668 100644
--- a/addons/nginx-ingress/azure/deployment.yaml
+++ b/addons/nginx-ingress/azure/deployment.yaml
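Review bot: The new `image: grafana/grafana:5.3.0` line in the grafana hunk pins by tag only, and a tag can be re-pushed upstream, so what the deployment actually runs can change without any diff appearing here; writing it as `image: grafana/grafana:5.3.0@sha256:<digest of the v5.3.0 image>` keeps the readable tag while making the bump reproducible. The other manifests in this commit do not show their image lines, so this looks like a repo-wide convention to decide once rather than something to settle in this change.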
@@ -17,6 +17,8 @@ spec:
 labels:
 name: nginx-ingress-controller
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 nodeSelector:
 node-role.kubernetes.io/node: ""
diff --git a/addons/nginx-ingress/bare-metal/default-backend/deployment.yaml b/addons/nginx-ingress/bare-metal/default-backend/deployment.yaml
index 786968e05..ce6401897 100644
--- a/addons/nginx-ingress/bare-metal/default-backend/deployment.yaml
+++ b/addons/nginx-ingress/bare-metal/default-backend/deployment.yaml
@@ -14,6 +14,8 @@ spec:
 labels:
 name: default-backend
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 containers:
 - name: default-backend
diff --git a/addons/nginx-ingress/bare-metal/deployment.yaml b/addons/nginx-ingress/bare-metal/deployment.yaml
index 812077bb5..163df8cd6 100644
--- a/addons/nginx-ingress/bare-metal/deployment.yaml
+++ b/addons/nginx-ingress/bare-metal/deployment.yaml
@@ -17,6 +17,8 @@ spec:
 labels:
 name: ingress-controller-public
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 containers:
 - name: nginx-ingress-controller
diff --git a/addons/nginx-ingress/digital-ocean/daemonset.yaml b/addons/nginx-ingress/digital-ocean/daemonset.yaml
index c66776170..d94c603a8 100644
--- a/addons/nginx-ingress/digital-ocean/daemonset.yaml
+++ b/addons/nginx-ingress/digital-ocean/daemonset.yaml
@@ -17,6 +17,8 @@ spec:
 labels:
 name: nginx-ingress-controller
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 nodeSelector:
 node-role.kubernetes.io/node: ""
diff --git a/addons/nginx-ingress/digital-ocean/default-backend/deployment.yaml b/addons/nginx-ingress/digital-ocean/default-backend/deployment.yaml
index 786968e05..ce6401897 100644
--- a/addons/nginx-ingress/digital-ocean/default-backend/deployment.yaml
+++ b/addons/nginx-ingress/digital-ocean/default-backend/deployment.yaml
@@ -14,6 +14,8 @@ spec:
 labels:
 name: default-backend
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 containers:
 - name: default-backend
diff --git a/addons/nginx-ingress/google-cloud/default-backend/deployment.yaml b/addons/nginx-ingress/google-cloud/default-backend/deployment.yaml
index 786968e05..ce6401897 100644
--- a/addons/nginx-ingress/google-cloud/default-backend/deployment.yaml
+++ b/addons/nginx-ingress/google-cloud/default-backend/deployment.yaml
@@ -14,6 +14,8 @@ spec:
 labels:
 name: default-backend
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 containers:
 - name: default-backend
diff --git a/addons/nginx-ingress/google-cloud/deployment.yaml b/addons/nginx-ingress/google-cloud/deployment.yaml
index 58fac73d7..10a21b668 100644
--- a/addons/nginx-ingress/google-cloud/deployment.yaml
+++ b/addons/nginx-ingress/google-cloud/deployment.yaml
@@ -17,6 +17,8 @@ spec:
 labels:
 name: nginx-ingress-controller
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 nodeSelector:
 node-role.kubernetes.io/node: ""
diff --git a/addons/prometheus/deployment.yaml b/addons/prometheus/deployment.yaml
index e1eded9ec..4b8e48485 100644
--- a/addons/prometheus/deployment.yaml
+++ b/addons/prometheus/deployment.yaml
@@ -14,6 +14,8 @@ spec:
 labels:
 name: prometheus
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 serviceAccountName: prometheus
 containers:
diff --git a/addons/prometheus/exporters/kube-state-metrics/deployment.yaml b/addons/prometheus/exporters/kube-state-metrics/deployment.yaml
index 8bf5cc856..ec7553dbe 100644
--- a/addons/prometheus/exporters/kube-state-metrics/deployment.yaml
+++ b/addons/prometheus/exporters/kube-state-metrics/deployment.yaml
@@ -18,6 +18,8 @@ spec:
 labels:
 name: kube-state-metrics
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 serviceAccountName: kube-state-metrics
 containers:
diff --git a/addons/prometheus/exporters/node-exporter/daemonset.yaml b/addons/prometheus/exporters/node-exporter/daemonset.yaml
index 5f31657b3..4164bd51a 100644
--- a/addons/prometheus/exporters/node-exporter/daemonset.yaml
+++ b/addons/prometheus/exporters/node-exporter/daemonset.yaml
@@ -17,6 +17,8 @@ spec:
 labels:
 name: node-exporter
 phase: prod
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 serviceAccountName: node-exporter
 securityContext:
diff --git a/aws/container-linux/kubernetes/bootkube.tf b/aws/container-linux/kubernetes/bootkube.tf
index 9035eb3f1..fb7872f86 100644
--- a/aws/container-linux/kubernetes/bootkube.tf
+++ b/aws/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f7c2f8d590dcca0cb9bd4de15d765cad29109455"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2437023c1050609b749850e9b2301a6f00713680"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/aws/fedora-atomic/kubernetes/bootkube.tf b/aws/fedora-atomic/kubernetes/bootkube.tf
index 60ca86e8d..d3f5194b3 100644
--- a/aws/fedora-atomic/kubernetes/bootkube.tf
+++ b/aws/fedora-atomic/kubernetes/bootkube.tf
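Review bot: The pod `securityContext:` that directly follows the added annotation in the node-exporter hunk continues outside the hunk, so what it and the container spec set is worth checking before treating this pod as covered: Docker does not apply a seccomp profile to privileged containers, so if node-exporter runs privileged the new annotation changes nothing for it, and if a different seccomp setting is declared further down the two should agree. A one-line comment above the annotation, along the lines of `# no effect on privileged containers; Docker runs those unconfined`, would spare the next reader the same cross-check.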
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f7c2f8d590dcca0cb9bd4de15d765cad29109455"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2437023c1050609b749850e9b2301a6f00713680"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/azure/container-linux/kubernetes/bootkube.tf b/azure/container-linux/kubernetes/bootkube.tf
index e0e85f42b..f855e4caf 100644
--- a/azure/container-linux/kubernetes/bootkube.tf
+++ b/azure/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f7c2f8d590dcca0cb9bd4de15d765cad29109455"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2437023c1050609b749850e9b2301a6f00713680"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/bare-metal/container-linux/kubernetes/bootkube.tf b/bare-metal/container-linux/kubernetes/bootkube.tf
index bc28a56e0..6a7b8504a 100644
--- a/bare-metal/container-linux/kubernetes/bootkube.tf
+++ b/bare-metal/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f7c2f8d590dcca0cb9bd4de15d765cad29109455"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2437023c1050609b749850e9b2301a6f00713680"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${var.k8s_domain_name}"]
diff --git a/bare-metal/fedora-atomic/kubernetes/bootkube.tf b/bare-metal/fedora-atomic/kubernetes/bootkube.tf
index 323b02818..83bbe1b70 100644
--- a/bare-metal/fedora-atomic/kubernetes/bootkube.tf
+++ b/bare-metal/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f7c2f8d590dcca0cb9bd4de15d765cad29109455"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2437023c1050609b749850e9b2301a6f00713680"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${var.k8s_domain_name}"]
diff --git a/digital-ocean/container-linux/kubernetes/bootkube.tf b/digital-ocean/container-linux/kubernetes/bootkube.tf
index 5fd0af987..dc6ee9bd6 100644
--- a/digital-ocean/container-linux/kubernetes/bootkube.tf
+++ b/digital-ocean/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f7c2f8d590dcca0cb9bd4de15d765cad29109455"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2437023c1050609b749850e9b2301a6f00713680"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/digital-ocean/fedora-atomic/kubernetes/bootkube.tf b/digital-ocean/fedora-atomic/kubernetes/bootkube.tf
index 045ef2858..fda91aa14 100644
--- a/digital-ocean/fedora-atomic/kubernetes/bootkube.tf
+++ b/digital-ocean/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f7c2f8d590dcca0cb9bd4de15d765cad29109455"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2437023c1050609b749850e9b2301a6f00713680"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/google-cloud/container-linux/kubernetes/bootkube.tf b/google-cloud/container-linux/kubernetes/bootkube.tf
index cacad840b..42be39a1b 100644
--- a/google-cloud/container-linux/kubernetes/bootkube.tf
+++ b/google-cloud/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f7c2f8d590dcca0cb9bd4de15d765cad29109455"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2437023c1050609b749850e9b2301a6f00713680"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/google-cloud/fedora-atomic/kubernetes/bootkube.tf b/google-cloud/fedora-atomic/kubernetes/bootkube.tf
index 384061d05..4eca079d7 100644
--- a/google-cloud/fedora-atomic/kubernetes/bootkube.tf
+++ b/google-cloud/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f7c2f8d590dcca0cb9bd4de15d765cad29109455"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2437023c1050609b749850e9b2301a6f00713680"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]