kubecertagent: explicitly run as root

We need root here because the files that this pod reads are
most likely restricted to root access.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
This commit is contained in:
Ryan Richard 2020-11-02 16:33:46 -05:00 committed by Andrew Keesler
parent 2e50e8f01b
commit a01921012d
No known key found for this signature in database
GPG Key ID: 27CE0444346F9413


@ -157,6 +157,9 @@ func newAgentPod(
agentPod.Annotations[controllerManagerNameAnnotationKey] = controllerManagerPod.Name agentPod.Annotations[controllerManagerNameAnnotationKey] = controllerManagerPod.Name
agentPod.Annotations[controllerManagerUIDAnnotationKey] = string(controllerManagerPod.UID) agentPod.Annotations[controllerManagerUIDAnnotationKey] = string(controllerManagerPod.UID)
// We need to run the agent pod as root since the file permissions on the cluster keypair usually
// restricts access to only root.
rootID := int64(0)
agentPod.Spec.Containers[0].VolumeMounts = controllerManagerPod.Spec.Containers[0].VolumeMounts agentPod.Spec.Containers[0].VolumeMounts = controllerManagerPod.Spec.Containers[0].VolumeMounts
agentPod.Spec.Volumes = controllerManagerPod.Spec.Volumes agentPod.Spec.Volumes = controllerManagerPod.Spec.Volumes
agentPod.Spec.RestartPolicy = corev1.RestartPolicyNever agentPod.Spec.RestartPolicy = corev1.RestartPolicyNever
@ -164,6 +167,10 @@ func newAgentPod(
agentPod.Spec.AutomountServiceAccountToken = boolPtr(false) agentPod.Spec.AutomountServiceAccountToken = boolPtr(false)
agentPod.Spec.NodeName = controllerManagerPod.Spec.NodeName agentPod.Spec.NodeName = controllerManagerPod.Spec.NodeName
agentPod.Spec.Tolerations = controllerManagerPod.Spec.Tolerations agentPod.Spec.Tolerations = controllerManagerPod.Spec.Tolerations
agentPod.Spec.SecurityContext = &corev1.PodSecurityContext{
RunAsUser: &rootID,
RunAsGroup: &rootID,
}
return agentPod return agentPod
} }
@ -177,6 +184,11 @@ func isAgentPodUpToDate(actualAgentPod, expectedAgentPod *corev1.Pod) bool {
break break
} }
} }
if actualAgentPod.Spec.SecurityContext == nil {
return false
}
return requiredLabelsAllPresentWithCorrectValues && return requiredLabelsAllPresentWithCorrectValues &&
equality.Semantic.DeepEqual( equality.Semantic.DeepEqual(
actualAgentPod.Spec.Containers[0].VolumeMounts, actualAgentPod.Spec.Containers[0].VolumeMounts,
@ -217,6 +229,14 @@ func isAgentPodUpToDate(actualAgentPod, expectedAgentPod *corev1.Pod) bool {
equality.Semantic.DeepEqual( equality.Semantic.DeepEqual(
actualAgentPod.Spec.Tolerations, actualAgentPod.Spec.Tolerations,
expectedAgentPod.Spec.Tolerations, expectedAgentPod.Spec.Tolerations,
) &&
equality.Semantic.DeepEqual(
actualAgentPod.Spec.SecurityContext.RunAsUser,
expectedAgentPod.Spec.SecurityContext.RunAsUser,
) &&
equality.Semantic.DeepEqual(
actualAgentPod.Spec.SecurityContext.RunAsGroup,
expectedAgentPod.Spec.SecurityContext.RunAsGroup,
) )
} }
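Review bot: The pod-level SecurityContext added in the second hunk grants uid/gid 0, while the container itself keeps a default (non-hardened) container SecurityContext, and the first hunk copies every volume mount of the kube-controller-manager into the agent. Root is needed only to read the cluster keypair, so the container should lose everything root otherwise brings with it: at minimum `AllowPrivilegeEscalation: boolPtr(false)` and a `Capabilities.Drop` of `ALL`, so a compromised agent image is a root-uid process with no capabilities rather than a fully privileged one. If the keypair on some distributions is owned by a uid other than 0 with a 0600 mode, reading it needs `CAP_DAC_READ_SEARCH`, so that capability may have to be re-added explicitly; this is an inference from the commit's "most likely restricted to root" wording and should be confirmed against the targets the agent supports. Running as uid 0 will also be rejected by Pod Security admission "restricted"/"baseline" profiles or a PSP that forbids root; the comment at the top of the first hunk should say so, e.g. `// NOTE: requires the agent's namespace to allow RunAsUser 0 (pod security policy/admission).`. If container-level fields are added, the comparison in isAgentPodUpToDate (third and fourth hunks) should cover them too, otherwise a pod mutated by an admission webhook would never be replaced; isAgentPodUpToDate starts outside the third hunk.
```go
agentPod.Spec.SecurityContext = &corev1.PodSecurityContext{
	RunAsUser:  &rootID,
	RunAsGroup: &rootID,
}
// Root is only needed to read the keypair; strip every other privilege
// that uid 0 would otherwise carry into the container.
// CAP_DAC_READ_SEARCH may need to be re-added if the keypair is not owned by uid 0.
agentPod.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
	AllowPrivilegeEscalation: boolPtr(false),
	Capabilities: &corev1.Capabilities{
		Drop: []corev1.Capability{"ALL"},
	},
}
// … unchanged: return agentPod …
```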