Merge pull request #3876 from weaveworks/k8s-disable-hostpid

bboreham · web-flow · commit d81e908d1a4a · 2020-12-17T16:53:42.000Z
For K8s, stop running in host PID namespace
diff --git a/prog/weave-kube/weave-daemonset-k8s-1.11.yaml b/prog/weave-kube/weave-daemonset-k8s-1.11.yaml
@@ -177,7 +177,7 @@ items:
                   readOnly: false
           hostNetwork: true
           dnsPolicy: ClusterFirstWithHostNet
-          hostPID: true
+          hostPID: false
           restartPolicy: Always
           securityContext:
             seLinuxOptions: {}
diff --git a/prog/weave-kube/weave-daemonset-k8s-1.6.yaml b/prog/weave-kube/weave-daemonset-k8s-1.6.yaml
@@ -148,7 +148,7 @@ items:
               securityContext:
                 privileged: true
           hostNetwork: true
-          hostPID: true
+          hostPID: false
           restartPolicy: Always
           securityContext:
             seLinuxOptions: {}
diff --git a/prog/weave-kube/weave-daemonset-k8s-1.7.yaml b/prog/weave-kube/weave-daemonset-k8s-1.7.yaml
@@ -164,7 +164,7 @@ items:
                   mountPath: /run/xtables.lock
                   readOnly: false
           hostNetwork: true
-          hostPID: true
+          hostPID: false
           restartPolicy: Always
           securityContext:
             seLinuxOptions: {}
diff --git a/prog/weave-kube/weave-daemonset-k8s-1.8.yaml b/prog/weave-kube/weave-daemonset-k8s-1.8.yaml
@@ -173,7 +173,7 @@ items:
                   mountPath: /run/xtables.lock
                   readOnly: false
           hostNetwork: true
-          hostPID: true
+          hostPID: false
           restartPolicy: Always
           securityContext:
             seLinuxOptions: {}
diff --git a/prog/weave-kube/weave-daemonset-k8s-1.9.yaml b/prog/weave-kube/weave-daemonset-k8s-1.9.yaml
@@ -177,7 +177,7 @@ items:
                   readOnly: false
           hostNetwork: true
           dnsPolicy: ClusterFirstWithHostNet
-          hostPID: true
+          hostPID: false
           restartPolicy: Always
           securityContext:
             seLinuxOptions: {}
diff --git a/test/840_weave_kube_3_test.sh b/test/840_weave_kube_3_test.sh
@@ -52,7 +52,7 @@ fi
 # Ensure Kubernetes uses locally built container images and inject code coverage environment variable (or do nothing depending on $COVERAGE):
 sed -e "s%imagePullPolicy: Always%imagePullPolicy: Never%" \
     -e "s%env:%$WEAVE_ENV_VARS%" \
-    "$(dirname "$0")/../prog/weave-kube/weave-daemonset-k8s-1.9.yaml" | run_on "$HOST1" "$KUBECTL apply -n kube-system -f -"
+    "$(dirname "$0")/../prog/weave-kube/weave-daemonset-k8s-1.11.yaml" | run_on "$HOST1" "$KUBECTL apply -n kube-system -f -"
 
 sleep 2
 
diff --git a/test/860_weave_kube_portmap_3_test.sh b/test/860_weave_kube_portmap_3_test.sh
@@ -50,7 +50,7 @@ function setup_kubernetes_cluster {
     # Ensure Kubernetes uses locally built container images and inject code coverage environment variable (or do nothing depending on $COVERAGE):
     sed -e "s%imagePullPolicy: Always%imagePullPolicy: Never%" \
         -e "s%env:%$COVERAGE_ARGS%" \
-        "$(dirname "$0")/../prog/weave-kube/weave-daemonset-k8s-1.7.yaml" | run_on "$HOST1" "$KUBECTL apply -n kube-system -f -"
+        "$(dirname "$0")/../prog/weave-kube/weave-daemonset-k8s-1.11.yaml" | run_on "$HOST1" "$KUBECTL apply -n kube-system -f -"
 }
 
 function weave_connected {

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ function setup_kubernetes_cluster {`
`50`	`50`	`# Ensure Kubernetes uses locally built container images and inject code coverage environment variable (or do nothing depending on $COVERAGE):`
`51`	`51`	`sed -e "s%imagePullPolicy: Always%imagePullPolicy: Never%" \`
`52`	`52`	`-e "s%env:%$COVERAGE_ARGS%" \`
`53`		`- "$(dirname "$0")/../prog/weave-kube/weave-daemonset-k8s-1.7.yaml" \| run_on "$HOST1" "$KUBECTL apply -n kube-system -f -"`
	`53`	`+ "$(dirname "$0")/../prog/weave-kube/weave-daemonset-k8s-1.11.yaml" \| run_on "$HOST1" "$KUBECTL apply -n kube-system -f -"`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`function weave_connected {`