fix: remove privilege=true from long run container

kubeovn · Nov 11, 2019 · bdfd351 · bdfd351
1 parent 6d68b1a
commit bdfd351
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 24 deletions.
diff --git a/dist/images/install-cni.sh b/dist/images/install-cni.sh
@@ -1,7 +1,23 @@
-#!/bin/sh
+#!/bin/bash
 
 set -u -e
 
+if [[ -f "/proc/sys/net/bridge/bridge-nf-call-iptables" ]];
+    then echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables;
+fi
+
+if [[ -f "/proc/sys/net/ipv4/ip_forward" ]];
+    then echo 1 > /proc/sys/net/ipv4/ip_forward;
+fi
+
+if [[ -f "/proc/sys/net/ipv6/conf/all/forwarding" ]];
+    then echo 1 > /proc/sys/net/ipv6/conf/all/forwarding;
+fi
+
+if [[ -f "/proc/sys/net/ipv4/conf/all/rp_filter" ]];
+    then echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter;
+fi
+
 exit_with_error(){
   echo $1
   exit 1

diff --git a/dist/images/start-cniserver.sh b/dist/images/start-cniserver.sh
@@ -1,22 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-if [[ -f "/proc/sys/net/bridge/bridge-nf-call-iptables" ]];
-    then echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables;
-fi
-
-if [[ -f "/proc/sys/net/ipv4/ip_forward" ]];
-    then echo 1 > /proc/sys/net/ipv4/ip_forward;
-fi
-
-if [[ -f "/proc/sys/net/ipv6/conf/all/forwarding" ]];
-    then echo 1 > /proc/sys/net/ipv6/conf/all/forwarding;
-fi
-
-if [[ -f "/proc/sys/net/ipv4/conf/all/rp_filter" ]];
-    then echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter;
-fi
-
 SOCK=/run/openvswitch/kube-ovn-daemon.sock
 
 if [[ -e "$SOCK" ]]
@@ -25,4 +9,4 @@ then
 	rm ${SOCK}
 fi
 
-./kube-ovn-daemon --ovs-socket=/run/openvswitch/db.sock --bind-socket=${SOCK} $@
+./kube-ovn-daemon --ovs-socket=/run/openvswitch/db.sock --bind-socket=${SOCK} $@
diff --git a/yamls/kube-ovn-ipv6.yaml b/yamls/kube-ovn-ipv6.yaml
@@ -112,6 +112,9 @@ spec:
           image: "index.alauda.cn/alaudak8s/kube-ovn-cni:v0.9.0-pre"
           imagePullPolicy: Always
           command: ["/kube-ovn/install-cni.sh"]
+          securityContext:
+            runAsUser: 0
+            privileged: true
           volumeMounts:
             - mountPath: /etc/cni/net.d
               name: cni-conf
@@ -126,8 +129,8 @@ spec:
             - --mtu=1420
           imagePullPolicy: Always
           securityContext:
-            runAsUser: 0
-            privileged: true
+            capabilities:
+              add: ["NET_ADMIN", "SYS_ADMIN"]
           env:
             - name: POD_IP
               valueFrom:

diff --git a/yamls/kube-ovn.yaml b/yamls/kube-ovn.yaml
@@ -115,6 +115,9 @@ spec:
         image: "index.alauda.cn/alaudak8s/kube-ovn-cni:v0.9.0-pre"
         imagePullPolicy: Always
         command: ["/kube-ovn/install-cni.sh"]
+        securityContext:
+          runAsUser: 0
+          privileged: true
         volumeMounts:
           - mountPath: /etc/cni/net.d
             name: cni-conf
@@ -130,8 +133,8 @@ spec:
         args:
           - --enable-mirror=true
         securityContext:
-          runAsUser: 0
-          privileged: true
+          capabilities:
+            add: ["NET_ADMIN", "SYS_ADMIN"]
         env:
           - name: POD_IP
             valueFrom:

diff --git a/yamls/ovn.yaml b/yamls/ovn.yaml
@@ -248,8 +248,8 @@ spec:
           image: "index.alauda.cn/alaudak8s/kube-ovn-node:v0.9.0-pre"
           imagePullPolicy: Always
           securityContext:
-            runAsUser: 0
-            privileged: true
+            capabilities:
+              add: ["NET_ADMIN", "SYS_MODULE"]
           env:
             - name: POD_IP
               valueFrom: