From 876c4df1b6b719892754b2b64c661dd73f8dff0c Mon Sep 17 00:00:00 2001
From: Bogdan Dobrelya <bdobrelia@mirantis.com>
Date: Tue, 15 Nov 2016 11:18:53 +0100
Subject: [PATCH] Fix mountflags and kubelet config

Add missing --require-kubeconfig to the if..else stanza.
Make sure the certs dirs are mounted read-only (RO).

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
---
 roles/kubernetes/node/templates/kubelet.j2             | 2 +-
 roles/network_plugin/canal/templates/canal-node.yml.j2 | 2 ++
 roles/network_plugin/flannel/templates/flannel-pod.yml | 1 +
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/roles/kubernetes/node/templates/kubelet.j2 b/roles/kubernetes/node/templates/kubelet.j2
index b02e0c0a0..fb70670c1 100644
--- a/roles/kubernetes/node/templates/kubelet.j2
+++ b/roles/kubernetes/node/templates/kubelet.j2
@@ -21,7 +21,7 @@ KUBELET_ARGS="--cluster_dns={{ skydns_server }} --cluster_domain={{ dns_domain }
 {% elif dns_setup|bool %}
 KUBELET_ARGS="--cluster_dns={{ dns_server }} --cluster_domain={{ dns_domain }} --kubeconfig={{ kube_config_dir}}/node-kubeconfig.yaml --require-kubeconfig --pod-manifest-path={{ kube_manifest_dir }} --resolv-conf={{ kube_resolv_conf }} --pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }}"
 {% else %}
-KUBELET_ARGS="--kubeconfig={{ kube_config_dir}}/kubelet.kubeconfig --pod-manifest-path={{ kube_manifest_dir }} --pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }}"
+KUBELET_ARGS="--kubeconfig={{ kube_config_dir}}/kubelet.kubeconfig --require-kubeconfig --pod-manifest-path={{ kube_manifest_dir }} --pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }}"
 {% endif %}
 {% if kube_network_plugin is defined and kube_network_plugin in ["calico", "weave", "canal"] %}
 KUBELET_NETWORK_PLUGIN="--network-plugin=cni --network-plugin-dir=/etc/cni/net.d"
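Review bot: The `else` branch now requires a kubeconfig at `{{ kube_config_dir}}/kubelet.kubeconfig`, while the `elif dns_setup|bool` branch just above it points at `{{ kube_config_dir}}/node-kubeconfig.yaml`. `--require-kubeconfig` is documented to make the kubelet exit on kubeconfig errors, so a path that was previously tolerated can now become a start-up failure. If the role only generates `node-kubeconfig.yaml` (not visible in this hunk), the else line should use `--kubeconfig={{ kube_config_dir}}/node-kubeconfig.yaml --require-kubeconfig`. The first branch of the conditional starts above the hunk, so whether it carries the flag cannot be checked from here.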
diff --git a/roles/network_plugin/canal/templates/canal-node.yml.j2 b/roles/network_plugin/canal/templates/canal-node.yml.j2
index c3894d47f..4fbb8bc14 100644
--- a/roles/network_plugin/canal/templates/canal-node.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-node.yml.j2
@@ -111,6 +111,7 @@ spec:
               mountPath: "/run/flannel"
             - name: "canal-certs"
               mountPath: "{{ canal_cert_dir }}"
+              readOnly: true
         # Runs calico/node container on each Kubernetes node.  This
         # container programs network policy and local routes on each
         # host.
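Review bot: `readOnly: true` is set per `volumeMounts` entry, so it only protects the two containers patched here and in the hunk at `@@ -156,3 +157,4`; any other container in this pod spec that mounts `canal-certs` would keep a writable view of `{{ canal_cert_dir }}`. The rest of the container list is outside both hunks, so please confirm that every `canal-certs` mount in the file carries the flag. The context of the second hunk shows a sibling mount written as `readOnly: false`, so setting the key explicitly on every mount would keep the file consistent and make the writable ones easy to audit.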
@@ -156,3 +157,4 @@ spec:
               readOnly: false
             - name: "canal-certs"
               mountPath: "{{ canal_cert_dir }}"
+              readOnly: true
diff --git a/roles/network_plugin/flannel/templates/flannel-pod.yml b/roles/network_plugin/flannel/templates/flannel-pod.yml
index 02c41e18b..74a935bf1 100644
--- a/roles/network_plugin/flannel/templates/flannel-pod.yml
+++ b/roles/network_plugin/flannel/templates/flannel-pod.yml
@@ -33,6 +33,7 @@
             mountPath: "/run/flannel"
           - name: "etcd-certs"
             mountPath: "{{ etcd_cert_dir }}"
+            readOnly: true
         securityContext:
           privileged: true
     hostNetwork: true
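Review bot: `readOnly: true` on the `etcd-certs` mount is not a hard boundary here, because the same container runs with `securityContext: privileged: true` directly below it and a privileged process can remount the path writable. The flag still prevents accidental writes, but the integrity of the etcd client certificates should also rest on host-side ownership and file modes of `{{ etcd_cert_dir }}`. I would record that next to the mount, e.g. `# read-only guards against accidental writes only; this container is privileged`. The container definition starts above the hunk, so other mounts of the same volume are not visible here.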
-- 
GitLab