diff --git a/resources/calico/daemonset.yaml b/resources/calico/daemonset.yaml index be222df..f47807e 100644 --- a/resources/calico/daemonset.yaml +++ b/resources/calico/daemonset.yaml @@ -17,11 +17,12 @@ spec: metadata: labels: k8s-app: calico-node - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: hostNetwork: true priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: calico-node tolerations: - key: node-role.kubernetes.io/controller diff --git a/resources/cilium/daemonset.yaml b/resources/cilium/daemonset.yaml index 0c77e03..d138995 100644 --- a/resources/cilium/daemonset.yaml +++ b/resources/cilium/daemonset.yaml @@ -17,12 +17,13 @@ spec: metadata: labels: k8s-app: cilium-agent - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: hostNetwork: true priorityClassName: system-node-critical serviceAccountName: cilium-agent + securityContext: + seccompProfile: + type: RuntimeDefault tolerations: - key: node-role.kubernetes.io/controller operator: Exists diff --git a/resources/cilium/deployment.yaml b/resources/cilium/deployment.yaml index 16db1e6..5230389 100644 --- a/resources/cilium/deployment.yaml +++ b/resources/cilium/deployment.yaml @@ -16,12 +16,13 @@ spec: metadata: labels: name: cilium-operator - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: hostNetwork: true priorityClassName: system-cluster-critical serviceAccountName: cilium-operator + securityContext: + seccompProfile: + type: RuntimeDefault tolerations: - key: node-role.kubernetes.io/controller operator: Exists diff --git a/resources/flannel/daemonset.yaml b/resources/flannel/daemonset.yaml index d310e56..075f675 100644 --- a/resources/flannel/daemonset.yaml +++ b/resources/flannel/daemonset.yaml 
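Review bot: The `seccompProfile` added under the pod-level `securityContext` is only a default for the pod's containers; a container-level `securityContext.seccompProfile`, or a leftover `container.seccomp.security.alpha.kubernetes.io/<name>` annotation, overrides it per container, and the `containers` section of this DaemonSet lies outside the hunk, so the rewrite should be checked there as well. A privileged container is also typically started without any seccomp filter by the container runtime regardless of this field, which matters for a hostNetwork CNI agent such as calico-node if any of its containers is privileged (not visible here). A one-line comment above the new block, `# pod default; per-container seccompProfile or privileged: true overrides it`, would record that for the next maintainer. The same applies to the cilium, flannel, coredns and kube-proxy hunks in this commit.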
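Review bot: The new `securityContext` block is inserted after `serviceAccountName` here and in the cilium deployment and flannel hunks, but before `serviceAccountName` in the calico, coredns and kube-proxy hunks. Key order carries no meaning to the API server, but the same stanza landing in different positions across the pod templates makes grep-and-diff review of these manifests harder than it needs to be. Placing it in one consistent position, for example directly after `priorityClassName` as the calico hunk does, would keep the files parallel.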
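Review bot: The pod `securityContext` introduced for cilium-operator carries only `seccompProfile`, whereas the static control-plane manifests in this same commit pair the seccomp profile with `runAsNonRoot: true` and `runAsUser: 65534`. The operator's containers are outside this hunk, so whether it can run non-root is not visible here; if it can, adding `runAsNonRoot: true` to the same block would bring it in line with those manifests, and if it cannot, a short comment above the block saying why would stop the point being re-raised.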
@@ -17,12 +17,13 @@ spec: metadata: labels: k8s-app: flannel - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: hostNetwork: true priorityClassName: system-node-critical serviceAccountName: flannel + securityContext: + seccompProfile: + type: RuntimeDefault tolerations: - key: node-role.kubernetes.io/controller operator: Exists diff --git a/resources/manifests/coredns/deployment.yaml b/resources/manifests/coredns/deployment.yaml index e558440..66602e4 100644 --- a/resources/manifests/coredns/deployment.yaml +++ b/resources/manifests/coredns/deployment.yaml @@ -21,8 +21,6 @@ spec: labels: tier: control-plane k8s-app: coredns - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: affinity: nodeAffinity: @@ -48,6 +46,9 @@ spec: - coredns topologyKey: kubernetes.io/hostname priorityClassName: system-cluster-critical + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: coredns tolerations: - key: node-role.kubernetes.io/controller diff --git a/resources/manifests/kube-proxy.yaml b/resources/manifests/kube-proxy.yaml index b06c01b..36bfdfd 100644 --- a/resources/manifests/kube-proxy.yaml +++ b/resources/manifests/kube-proxy.yaml @@ -20,11 +20,12 @@ spec: labels: tier: node k8s-app: kube-proxy - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: hostNetwork: true priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault serviceAccountName: kube-proxy tolerations: - key: node-role.kubernetes.io/controller diff --git a/resources/static-manifests/kube-apiserver.yaml b/resources/static-manifests/kube-apiserver.yaml index c163827..dbdbe3a 100644 --- a/resources/static-manifests/kube-apiserver.yaml +++ b/resources/static-manifests/kube-apiserver.yaml 
@@ -6,14 +6,14 @@ metadata: labels: k8s-app: kube-apiserver tier: control-plane - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: hostNetwork: true priorityClassName: system-cluster-critical securityContext: runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault containers: - name: kube-apiserver image: ${kube_apiserver_image} diff --git a/resources/static-manifests/kube-controller-manager.yaml b/resources/static-manifests/kube-controller-manager.yaml index c1b0456..ac4cb19 100644 --- a/resources/static-manifests/kube-controller-manager.yaml +++ b/resources/static-manifests/kube-controller-manager.yaml @@ -6,14 +6,14 @@ metadata: labels: k8s-app: kube-controller-manager tier: control-plane - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: hostNetwork: true priorityClassName: system-cluster-critical securityContext: runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault containers: - name: kube-controller-manager image: ${kube_controller_manager_image} diff --git a/resources/static-manifests/kube-scheduler.yaml b/resources/static-manifests/kube-scheduler.yaml index 5acac6c..d4d5f6f 100644 --- a/resources/static-manifests/kube-scheduler.yaml +++ b/resources/static-manifests/kube-scheduler.yaml @@ -6,14 +6,14 @@ metadata: labels: k8s-app: kube-scheduler tier: control-plane - annotations: - seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: hostNetwork: true priorityClassName: system-cluster-critical securityContext: runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault containers: - name: kube-scheduler image: ${kube_scheduler_image}
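Review bot: `seccompProfile` is added to an existing pod `securityContext` that already sets `runAsNonRoot: true` and `runAsUser: 65534`, which is the right place for it, but these are static pods consumed directly by the kubelet, and `securityContext.seccompProfile` is only understood by kubelets from Kubernetes 1.19 onward. An older kubelet drops the unknown field on decode, so during a mixed-version upgrade a node on such a kubelet would run the control-plane pod with neither the removed annotation nor the new field in effect. It is worth confirming the minimum kubelet version this repository supports before the annotation is dropped, and noting it in the commit message. The kube-controller-manager and kube-scheduler hunks have the same shape.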