diff --git a/CHANGES.md b/CHANGES.md
index 1e87c1619..3d133baac 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -5,6 +5,7 @@ Notable changes between versions.
 ## Latest
 * Kubernetes [v1.19.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.19.md#v1191)
+ * Change control plane seccomp annotations to GA `seccompProfile` ([#822](https://github.com/poseidon/typhoon/pull/822))
 * Update Cilium from v1.8.2 to [v1.8.3](https://github.com/cilium/cilium/releases/tag/v1.8.3)
 * Update Calico from v1.15.2 to [v1.15.3](https://github.com/projectcalico/calico/releases/tag/v3.15.3)
diff --git a/addons/grafana/deployment.yaml b/addons/grafana/deployment.yaml
index 59de8a765..89e184544 100644
--- a/addons/grafana/deployment.yaml
+++ b/addons/grafana/deployment.yaml
@@ -18,9 +18,10 @@ spec:
 labels:
 name: grafana
 phase: prod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: grafana
 image: docker.io/grafana/grafana:7.1.5
diff --git a/addons/nginx-ingress/aws/deployment.yaml b/addons/nginx-ingress/aws/deployment.yaml
index e32bfb1cc..f323016b8 100644
--- a/addons/nginx-ingress/aws/deployment.yaml
+++ b/addons/nginx-ingress/aws/deployment.yaml
@@ -17,9 +17,10 @@ spec:
 labels:
 name: nginx-ingress-controller
 phase: prod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: nginx-ingress-controller
 image: k8s.gcr.io/ingress-nginx/controller:v0.35.0
diff --git a/addons/nginx-ingress/azure/deployment.yaml b/addons/nginx-ingress/azure/deployment.yaml
index e32bfb1cc..f323016b8 100644
--- a/addons/nginx-ingress/azure/deployment.yaml
+++ b/addons/nginx-ingress/azure/deployment.yaml
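Review bot: In the grafana hunk the alpha annotation is removed in the same step that `securityContext.seccompProfile` is added, so seccomp confinement of the pod now depends entirely on the API server recognising the new field. The field is GA as of Kubernetes v1.19; an older API server would, depending on validation, reject the manifest or drop the field, and a dropped field leaves the pod with no seccomp profile. Because addon manifests are presumably applied separately from cluster provisioning, I would state the requirement next to the field, for example `# requires Kubernetes v1.19+; replaces the seccomp.security.alpha.kubernetes.io/pod annotation`. The same point applies to the nginx-ingress, prometheus, kube-state-metrics and node-exporter hunks.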
@@ -17,9 +17,10 @@ spec:
 labels:
 name: nginx-ingress-controller
 phase: prod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: nginx-ingress-controller
 image: k8s.gcr.io/ingress-nginx/controller:v0.35.0
diff --git a/addons/nginx-ingress/bare-metal/deployment.yaml b/addons/nginx-ingress/bare-metal/deployment.yaml
index be102c73d..fdd9b2709 100644
--- a/addons/nginx-ingress/bare-metal/deployment.yaml
+++ b/addons/nginx-ingress/bare-metal/deployment.yaml
@@ -17,9 +17,10 @@ spec:
 labels:
 name: nginx-ingress-controller
 phase: prod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: nginx-ingress-controller
 image: k8s.gcr.io/ingress-nginx/controller:v0.35.0
diff --git a/addons/nginx-ingress/digital-ocean/daemonset.yaml b/addons/nginx-ingress/digital-ocean/daemonset.yaml
index 2f26cf139..00c945767 100644
--- a/addons/nginx-ingress/digital-ocean/daemonset.yaml
+++ b/addons/nginx-ingress/digital-ocean/daemonset.yaml
@@ -17,9 +17,10 @@ spec:
 labels:
 name: nginx-ingress-controller
 phase: prod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: nginx-ingress-controller
 image: k8s.gcr.io/ingress-nginx/controller:v0.35.0
diff --git a/addons/nginx-ingress/google-cloud/deployment.yaml b/addons/nginx-ingress/google-cloud/deployment.yaml
index e32bfb1cc..f323016b8 100644
--- a/addons/nginx-ingress/google-cloud/deployment.yaml
+++ b/addons/nginx-ingress/google-cloud/deployment.yaml
@@ -17,9 +17,10 @@ spec:
 labels:
 name: nginx-ingress-controller
 phase: prod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: nginx-ingress-controller
 image: k8s.gcr.io/ingress-nginx/controller:v0.35.0
diff --git a/addons/prometheus/deployment.yaml b/addons/prometheus/deployment.yaml
index a0dbc4832..5ffd82fc7 100644
--- a/addons/prometheus/deployment.yaml
+++ b/addons/prometheus/deployment.yaml
@@ -14,9 +14,10 @@ spec:
 labels:
 name: prometheus
 phase: prod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: prometheus
 containers:
 - name: prometheus
diff --git a/addons/prometheus/exporters/kube-state-metrics/deployment.yaml b/addons/prometheus/exporters/kube-state-metrics/deployment.yaml
index fb5389a57..6e4660b17 100644
--- a/addons/prometheus/exporters/kube-state-metrics/deployment.yaml
+++ b/addons/prometheus/exporters/kube-state-metrics/deployment.yaml
@@ -18,9 +18,10 @@ spec:
 labels:
 name: kube-state-metrics
 phase: prod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: kube-state-metrics
 containers:
 - name: kube-state-metrics
diff --git a/addons/prometheus/exporters/node-exporter/daemonset.yaml b/addons/prometheus/exporters/node-exporter/daemonset.yaml
index 2a30c37be..b11fa5c6d 100644
--- a/addons/prometheus/exporters/node-exporter/daemonset.yaml
+++ b/addons/prometheus/exporters/node-exporter/daemonset.yaml
@@ -17,13 +17,13 @@ spec:
 labels:
 name: node-exporter
 phase: prod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
 spec:
 serviceAccountName: node-exporter
 securityContext:
 runAsNonRoot: true
 runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
 hostNetwork: true
 hostPID: true
 containers:
diff --git a/aws/container-linux/kubernetes/bootstrap.tf b/aws/container-linux/kubernetes/bootstrap.tf
index b8022873d..55d718d03 100644
--- a/aws/container-linux/kubernetes/bootstrap.tf
+++ b/aws/container-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/aws/fedora-coreos/kubernetes/bootstrap.tf b/aws/fedora-coreos/kubernetes/bootstrap.tf
index bac64f614..b30aa6f81 100644
--- a/aws/fedora-coreos/kubernetes/bootstrap.tf
+++ b/aws/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/azure/container-linux/kubernetes/bootstrap.tf b/azure/container-linux/kubernetes/bootstrap.tf
index 9734694e4..8217ad64d 100644
--- a/azure/container-linux/kubernetes/bootstrap.tf
+++ b/azure/container-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/azure/fedora-coreos/kubernetes/bootstrap.tf b/azure/fedora-coreos/kubernetes/bootstrap.tf
index 662858511..9c6d4e367 100644
--- a/azure/fedora-coreos/kubernetes/bootstrap.tf
+++ b/azure/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/bare-metal/container-linux/kubernetes/bootstrap.tf b/bare-metal/container-linux/kubernetes/bootstrap.tf
index 3e2761a72..ef0e373e6 100644
--- a/bare-metal/container-linux/kubernetes/bootstrap.tf
+++ b/bare-metal/container-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [var.k8s_domain_name]
diff --git a/bare-metal/fedora-coreos/kubernetes/bootstrap.tf b/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
index f81ee857e..15f4f022b 100644
--- a/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
+++ b/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [var.k8s_domain_name]
diff --git a/digital-ocean/container-linux/kubernetes/bootstrap.tf b/digital-ocean/container-linux/kubernetes/bootstrap.tf
index 73c05fc59..4d305ed6f 100644
--- a/digital-ocean/container-linux/kubernetes/bootstrap.tf
+++ b/digital-ocean/container-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf b/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
index 6292c06ec..03c8ad5cd 100644
--- a/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
+++ b/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/google-cloud/container-linux/kubernetes/bootstrap.tf b/google-cloud/container-linux/kubernetes/bootstrap.tf
index f94c10c2a..a23a401c0 100644
--- a/google-cloud/container-linux/kubernetes/bootstrap.tf
+++ b/google-cloud/container-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/google-cloud/fedora-coreos/kubernetes/bootstrap.tf b/google-cloud/fedora-coreos/kubernetes/bootstrap.tf
index ac91705fc..93c2ed21a 100644
--- a/google-cloud/fedora-coreos/kubernetes/bootstrap.tf
+++ b/google-cloud/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=c72826908bde6213789ece309aeba7e15806ce73"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=f2dd897d6765ffb56598f8a523f21d984da3a352"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]