Skip to content
Snippets Groups Projects
Commit 0afbc19f authored by Spencer Smith's avatar Spencer Smith
Browse files

ensure the /etc/os-release is mounted read only

parent ac9290f9
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
roles/kubernetes/node/templates/kubelet-container.j2
+ 1
1
View file @ 0afbc19f
...@@ -25,7 +25,7 @@ ...@@ -25,7 +25,7 @@
-v /var/lib/cni:/var/lib/cni:shared \ -v /var/lib/cni:/var/lib/cni:shared \
-v /var/run:/var/run:rw \ -v /var/run:/var/run:rw \
-v {{kube_config_dir}}:{{kube_config_dir}}:ro \ -v {{kube_config_dir}}:{{kube_config_dir}}:ro \
-v /etc/os-release:/etc/os-release \ -v /etc/os-release:/etc/os-release:ro \
{{ hyperkube_image_repo }}:{{ hyperkube_image_tag}} \ {{ hyperkube_image_repo }}:{{ hyperkube_image_tag}} \
./hyperkube kubelet \ ./hyperkube kubelet \
"$@" "$@"
roles/kubernetes/node/templates/kubelet.rkt.service.j2
+ 1
1
View file @ 0afbc19f
...@@ -20,7 +20,7 @@ ExecStartPre=-/bin/mkdir -p /var/lib/kubelet ...@@ -20,7 +20,7 @@ ExecStartPre=-/bin/mkdir -p /var/lib/kubelet
EnvironmentFile={{kube_config_dir}}/kubelet.env EnvironmentFile={{kube_config_dir}}/kubelet.env
# stage1-fly mounts /proc /sys /dev so no need to duplicate the mounts # stage1-fly mounts /proc /sys /dev so no need to duplicate the mounts
ExecStart=/usr/bin/rkt run \ ExecStart=/usr/bin/rkt run \
--volume os-release,kind=host,source=/etc/os-release \ --volume os-release,kind=host,source=/etc/os-release,readOnly=true \
--volume dns,kind=host,source=/etc/resolv.conf \ --volume dns,kind=host,source=/etc/resolv.conf \
--volume etc-kubernetes,kind=host,source={{ kube_config_dir }},readOnly=false \ --volume etc-kubernetes,kind=host,source={{ kube_config_dir }},readOnly=false \
--volume etc-ssl-certs,kind=host,source=/etc/ssl/certs,readOnly=true \ --volume etc-ssl-certs,kind=host,source=/etc/ssl/certs,readOnly=true \
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment