From 5700d90c076bfdb01779f1cb8d7bc7695fc0701b Mon Sep 17 00:00:00 2001
From: Suraj Deshmukh
Date: Wed, 12 Feb 2020 14:55:46 +0530
Subject: [PATCH 1/2] cl kubelet: Make calico mount readonly
In container linux change the kubelet's `/var/lib/calico` mount to `readOnly`. Kubelet only needs to read this and not make any amendments to the file.
Signed-off-by: Suraj Deshmukh
---
aws/container-linux/kubernetes/cl/controller.yaml | 2 +-
aws/container-linux/kubernetes/workers/cl/worker.yaml | 2 +-
azure/container-linux/kubernetes/cl/controller.yaml | 2 +-
azure/container-linux/kubernetes/workers/cl/worker.yaml | 2 +-
bare-metal/container-linux/kubernetes/cl/controller.yaml | 2 +-
bare-metal/container-linux/kubernetes/cl/worker.yaml | 2 +-
digital-ocean/container-linux/kubernetes/cl/controller.yaml | 2 +-
digital-ocean/container-linux/kubernetes/cl/worker.yaml | 2 +-
google-cloud/container-linux/kubernetes/cl/controller.yaml | 2 +-
google-cloud/container-linux/kubernetes/workers/cl/worker.yaml | 2 +-
10 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/aws/container-linux/kubernetes/cl/controller.yaml b/aws/container-linux/kubernetes/cl/controller.yaml
index 670bb39ff..3e2a777be 100644
--- a/aws/container-linux/kubernetes/cl/controller.yaml
+++ b/aws/container-linux/kubernetes/cl/controller.yaml
@@ -79,7 +79,7 @@ systemd:
 --mount volume=run,target=/run \
 --volume usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
 --mount volume=usr-share-certs,target=/usr/share/ca-certificates \
- --volume var-lib-calico,kind=host,source=/var/lib/calico \
+ --volume var-lib-calico,kind=host,source=/var/lib/calico,readOnly=true \
 --mount volume=var-lib-calico,target=/var/lib/calico \
 --volume var-lib-docker,kind=host,source=/var/lib/docker \
 --mount volume=var-lib-docker,target=/var/lib/docker \
diff --git a/aws/container-linux/kubernetes/workers/cl/worker.yaml b/aws/container-linux/kubernetes/workers/cl/worker.yaml
index cd8fc92cc..1eac9085f 100644
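Review bot: The new `readOnly=true` on the var-lib-calico volume matches the form already used for the usr-share-certs volume two lines above, but the only justification recorded is "kubelet only needs to read this"; the actual reason the kubelet needs this path at all — the CNI plugin it execs inside its own mount namespace reads node metadata from `/var/lib/calico`, while the writer is, as far as I can tell, the calico-node pod through its own hostPath mount, which this flag does not touch — should be stated in the commit message or as a `#` comment above the kubelet unit in the config so nobody reintroduces a writable mount. A read-only bind of a path that does not yet exist on the host fails at unit start instead of being created lazily, so confirm the directory is created beforehand (presumably an `ExecStartPre=/bin/mkdir -p /var/lib/calico` earlier in the unit, outside this hunk). The same one-line change appears in the nine other container-linux hunks of this patch (aws worker, azure controller and worker, bare-metal controller and worker, digital-ocean controller and worker, google-cloud controller and worker) and this note applies to each of them. The `ExecStart=` continuation these lines belong to starts and ends outside the hunk.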
--- a/aws/container-linux/kubernetes/workers/cl/worker.yaml
+++ b/aws/container-linux/kubernetes/workers/cl/worker.yaml
@@ -54,7 +54,7 @@ systemd:
 --mount volume=run,target=/run \
 --volume usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
 --mount volume=usr-share-certs,target=/usr/share/ca-certificates \
- --volume var-lib-calico,kind=host,source=/var/lib/calico \
+ --volume var-lib-calico,kind=host,source=/var/lib/calico,readOnly=true \
 --mount volume=var-lib-calico,target=/var/lib/calico \
 --volume var-lib-docker,kind=host,source=/var/lib/docker \
 --mount volume=var-lib-docker,target=/var/lib/docker \
diff --git a/azure/container-linux/kubernetes/cl/controller.yaml b/azure/container-linux/kubernetes/cl/controller.yaml
index 4f18d6bb6..850c7173b 100644
--- a/azure/container-linux/kubernetes/cl/controller.yaml
+++ b/azure/container-linux/kubernetes/cl/controller.yaml
@@ -78,7 +78,7 @@ systemd:
 --mount volume=run,target=/run \
 --volume usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
 --mount volume=usr-share-certs,target=/usr/share/ca-certificates \
- --volume var-lib-calico,kind=host,source=/var/lib/calico \
+ --volume var-lib-calico,kind=host,source=/var/lib/calico,readOnly=true \
 --mount volume=var-lib-calico,target=/var/lib/calico \
 --volume var-lib-docker,kind=host,source=/var/lib/docker \
 --mount volume=var-lib-docker,target=/var/lib/docker \
diff --git a/azure/container-linux/kubernetes/workers/cl/worker.yaml b/azure/container-linux/kubernetes/workers/cl/worker.yaml
index 994c8f4c5..fe7fb84c8 100644
--- a/azure/container-linux/kubernetes/workers/cl/worker.yaml
+++ b/azure/container-linux/kubernetes/workers/cl/worker.yaml
@@ -53,7 +53,7 @@ systemd:
 --mount volume=run,target=/run \
 --volume usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
 --mount volume=usr-share-certs,target=/usr/share/ca-certificates \
- --volume var-lib-calico,kind=host,source=/var/lib/calico \
+ --volume var-lib-calico,kind=host,source=/var/lib/calico,readOnly=true \
 --mount volume=var-lib-calico,target=/var/lib/calico \
 --volume var-lib-docker,kind=host,source=/var/lib/docker \
 --mount volume=var-lib-docker,target=/var/lib/docker \
diff --git a/bare-metal/container-linux/kubernetes/cl/controller.yaml b/bare-metal/container-linux/kubernetes/cl/controller.yaml
index 5fe9d7cc2..4f5dd370b 100644
--- a/bare-metal/container-linux/kubernetes/cl/controller.yaml
+++ b/bare-metal/container-linux/kubernetes/cl/controller.yaml
@@ -87,7 +87,7 @@ systemd:
 --mount volume=run,target=/run \
 --volume usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
 --mount volume=usr-share-certs,target=/usr/share/ca-certificates \
- --volume var-lib-calico,kind=host,source=/var/lib/calico \
+ --volume var-lib-calico,kind=host,source=/var/lib/calico,readOnly=true \
 --mount volume=var-lib-calico,target=/var/lib/calico \
 --volume var-lib-docker,kind=host,source=/var/lib/docker \
 --mount volume=var-lib-docker,target=/var/lib/docker \
diff --git a/bare-metal/container-linux/kubernetes/cl/worker.yaml b/bare-metal/container-linux/kubernetes/cl/worker.yaml
index 5a1db8ac5..8f6e984ff 100644
--- a/bare-metal/container-linux/kubernetes/cl/worker.yaml
+++ b/bare-metal/container-linux/kubernetes/cl/worker.yaml
@@ -62,7 +62,7 @@ systemd:
 --mount volume=run,target=/run \
 --volume usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
 --mount volume=usr-share-certs,target=/usr/share/ca-certificates \
- --volume var-lib-calico,kind=host,source=/var/lib/calico \
+ --volume var-lib-calico,kind=host,source=/var/lib/calico,readOnly=true \
 --mount volume=var-lib-calico,target=/var/lib/calico \
 --volume var-lib-docker,kind=host,source=/var/lib/docker \
 --mount volume=var-lib-docker,target=/var/lib/docker \
diff --git a/digital-ocean/container-linux/kubernetes/cl/controller.yaml b/digital-ocean/container-linux/kubernetes/cl/controller.yaml
index c011427d8..f751e6824 100644
--- a/digital-ocean/container-linux/kubernetes/cl/controller.yaml
+++ b/digital-ocean/container-linux/kubernetes/cl/controller.yaml
@@ -89,7 +89,7 @@ systemd:
 --mount volume=run,target=/run \
 --volume usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
 --mount volume=usr-share-certs,target=/usr/share/ca-certificates \
- --volume var-lib-calico,kind=host,source=/var/lib/calico \
+ --volume var-lib-calico,kind=host,source=/var/lib/calico,readOnly=true \
 --mount volume=var-lib-calico,target=/var/lib/calico \
 --volume var-lib-docker,kind=host,source=/var/lib/docker \
 --mount volume=var-lib-docker,target=/var/lib/docker \
diff --git a/digital-ocean/container-linux/kubernetes/cl/worker.yaml b/digital-ocean/container-linux/kubernetes/cl/worker.yaml
index 94714efbc..0a23c0cce 100644
--- a/digital-ocean/container-linux/kubernetes/cl/worker.yaml
+++ b/digital-ocean/container-linux/kubernetes/cl/worker.yaml
@@ -64,7 +64,7 @@ systemd:
 --mount volume=run,target=/run \
 --volume usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
 --mount volume=usr-share-certs,target=/usr/share/ca-certificates \
- --volume var-lib-calico,kind=host,source=/var/lib/calico \
+ --volume var-lib-calico,kind=host,source=/var/lib/calico,readOnly=true \
 --mount volume=var-lib-calico,target=/var/lib/calico \
 --volume var-lib-docker,kind=host,source=/var/lib/docker \
 --mount volume=var-lib-docker,target=/var/lib/docker \
diff --git a/google-cloud/container-linux/kubernetes/cl/controller.yaml b/google-cloud/container-linux/kubernetes/cl/controller.yaml
index d7f0a744d..4f286eee5 100644
--- a/google-cloud/container-linux/kubernetes/cl/controller.yaml
+++ b/google-cloud/container-linux/kubernetes/cl/controller.yaml
@@ -78,7 +78,7 @@ systemd:
 --mount volume=run,target=/run \
 --volume usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
 --mount volume=usr-share-certs,target=/usr/share/ca-certificates \
- --volume var-lib-calico,kind=host,source=/var/lib/calico \
+ --volume var-lib-calico,kind=host,source=/var/lib/calico,readOnly=true \
 --mount volume=var-lib-calico,target=/var/lib/calico \
 --volume var-lib-docker,kind=host,source=/var/lib/docker \
 --mount volume=var-lib-docker,target=/var/lib/docker \
diff --git a/google-cloud/container-linux/kubernetes/workers/cl/worker.yaml b/google-cloud/container-linux/kubernetes/workers/cl/worker.yaml
index 766fe98d7..26dffd3e5 100644
--- a/google-cloud/container-linux/kubernetes/workers/cl/worker.yaml
+++ b/google-cloud/container-linux/kubernetes/workers/cl/worker.yaml
@@ -53,7 +53,7 @@ systemd:
 --mount volume=run,target=/run \
 --volume usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
 --mount volume=usr-share-certs,target=/usr/share/ca-certificates \
- --volume var-lib-calico,kind=host,source=/var/lib/calico \
+ --volume var-lib-calico,kind=host,source=/var/lib/calico,readOnly=true \
 --mount volume=var-lib-calico,target=/var/lib/calico \
 --volume var-lib-docker,kind=host,source=/var/lib/docker \
 --mount volume=var-lib-docker,target=/var/lib/docker \
From 073c74f5aa928c9f1a2195296aaf15839a4432cc Mon Sep 17 00:00:00 2001
From: Suraj Deshmukh
Date: Tue, 18 Feb 2020 10:24:06 +0530
Subject: [PATCH 2/2] fedora-coreos kubelet: Make calico mount readonly
In fedora coreos change the kubelet's `/var/lib/calico` mount to read-only `ro`. Kubelet only needs to read this and not make any amendments to the file.
Signed-off-by: Suraj Deshmukh
---
aws/fedora-coreos/kubernetes/fcc/controller.yaml | 2 +-
aws/fedora-coreos/kubernetes/workers/fcc/worker.yaml | 2 +-
bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml | 2 +-
bare-metal/fedora-coreos/kubernetes/fcc/worker.yaml | 2 +-
google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml | 2 +-
google-cloud/fedora-coreos/kubernetes/workers/fcc/worker.yaml | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/aws/fedora-coreos/kubernetes/fcc/controller.yaml b/aws/fedora-coreos/kubernetes/fcc/controller.yaml
index f9aaf6be8..a90558c7b 100644
--- a/aws/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/aws/fedora-coreos/kubernetes/fcc/controller.yaml
@@ -73,7 +73,7 @@ systemd:
 --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
 --volume /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd \
 --volume /etc/pki/tls/certs:/usr/share/ca-certificates:ro \
- --volume /var/lib/calico:/var/lib/calico \
+ --volume /var/lib/calico:/var/lib/calico:ro \
 --volume /var/lib/docker:/var/lib/docker \
 --volume /var/lib/kubelet:/var/lib/kubelet:rshared,z \
 --volume /var/log:/var/log \
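Review bot: The new `:ro` on the `/var/lib/calico` volume follows the form already used for the cgroup and certs volumes in this hunk, but the commit message only says the kubelet "needs to read this"; the reason is that the CNI plugin the kubelet execs inside its container reads node metadata from `/var/lib/calico`, while the writer is, as far as I can tell, the calico-node pod through its own hostPath mount, which this option does not affect — put that in the commit message or a `#` comment above the kubelet unit so the read-only mount is not reverted later. Also confirm that the directory exists on the host before the unit starts, since it can no longer be populated from inside the container; whatever creates it (presumably an `ExecStartPre=/bin/mkdir -p`) is outside this hunk. The same change appears in the five other fedora-coreos hunks of this patch (aws worker, bare-metal controller and worker, google-cloud controller and worker) and this note applies to each. The `ExecStart=` continuation these lines belong to starts and ends outside the hunk.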
diff --git a/aws/fedora-coreos/kubernetes/workers/fcc/worker.yaml b/aws/fedora-coreos/kubernetes/workers/fcc/worker.yaml
index 7d1d536d2..992cb604b 100644
--- a/aws/fedora-coreos/kubernetes/workers/fcc/worker.yaml
+++ b/aws/fedora-coreos/kubernetes/workers/fcc/worker.yaml
@@ -43,7 +43,7 @@ systemd:
 --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
 --volume /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd \
 --volume /etc/pki/tls/certs:/usr/share/ca-certificates:ro \
- --volume /var/lib/calico:/var/lib/calico \
+ --volume /var/lib/calico:/var/lib/calico:ro \
 --volume /var/lib/docker:/var/lib/docker \
 --volume /var/lib/kubelet:/var/lib/kubelet:rshared,z \
 --volume /var/log:/var/log \
diff --git a/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml b/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml
index c8cc09792..6a6f74e20 100644
--- a/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml
@@ -72,7 +72,7 @@ systemd:
 --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
 --volume /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd \
 --volume /etc/pki/tls/certs:/usr/share/ca-certificates:ro \
- --volume /var/lib/calico:/var/lib/calico \
+ --volume /var/lib/calico:/var/lib/calico:ro \
 --volume /var/lib/docker:/var/lib/docker \
 --volume /var/lib/kubelet:/var/lib/kubelet:rshared,z \
 --volume /var/log:/var/log \
diff --git a/bare-metal/fedora-coreos/kubernetes/fcc/worker.yaml b/bare-metal/fedora-coreos/kubernetes/fcc/worker.yaml
index 49b05d538..c0e09b58c 100644
--- a/bare-metal/fedora-coreos/kubernetes/fcc/worker.yaml
+++ b/bare-metal/fedora-coreos/kubernetes/fcc/worker.yaml
@@ -42,7 +42,7 @@ systemd:
 --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
 --volume /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd \
 --volume /etc/pki/tls/certs:/usr/share/ca-certificates:ro \
- --volume /var/lib/calico:/var/lib/calico \
+ --volume /var/lib/calico:/var/lib/calico:ro \
 --volume /var/lib/docker:/var/lib/docker \
 --volume /var/lib/kubelet:/var/lib/kubelet:rshared,z \
 --volume /var/log:/var/log \
diff --git a/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml b/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml
index f9aaf6be8..a90558c7b 100644
--- a/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml
@@ -73,7 +73,7 @@ systemd:
 --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
 --volume /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd \
 --volume /etc/pki/tls/certs:/usr/share/ca-certificates:ro \
- --volume /var/lib/calico:/var/lib/calico \
+ --volume /var/lib/calico:/var/lib/calico:ro \
 --volume /var/lib/docker:/var/lib/docker \
 --volume /var/lib/kubelet:/var/lib/kubelet:rshared,z \
 --volume /var/log:/var/log \
diff --git a/google-cloud/fedora-coreos/kubernetes/workers/fcc/worker.yaml b/google-cloud/fedora-coreos/kubernetes/workers/fcc/worker.yaml
index 7d1d536d2..992cb604b 100644
--- a/google-cloud/fedora-coreos/kubernetes/workers/fcc/worker.yaml
+++ b/google-cloud/fedora-coreos/kubernetes/workers/fcc/worker.yaml
@@ -43,7 +43,7 @@ systemd:
 --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
 --volume /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd \
 --volume /etc/pki/tls/certs:/usr/share/ca-certificates:ro \
- --volume /var/lib/calico:/var/lib/calico \
+ --volume /var/lib/calico:/var/lib/calico:ro \
 --volume /var/lib/docker:/var/lib/docker \
 --volume /var/lib/kubelet:/var/lib/kubelet:rshared,z \
 --volume /var/log:/var/log \