Add build-arg for --allow-privileged

https://github.com/kubernetes/kubernetes/pull/77820 https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.15.md#node story: 2005124 Change-Id: I2935d34ace08800c805028f1673bc515f2f577e6 Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
2019-06-20 01:39:59 +02:00 · 2019-06-20 01:39:59 +02:00 · fe0f0efa72
parent 85bd42474b
commit fe0f0efa72
11 changed files with 15 additions and 15 deletions
--- a/dockerfiles/kubernetes-apiserver/Dockerfile
+++ b/dockerfiles/kubernetes-apiserver/Dockerfile
@ -1,4 +1,5 @@
 ARG KUBE_VERSION=v1.13.0
+ARG ADD_KUBE_ALLOW_PRIV=false

 FROM fedora:rawhide
 ARG KUBE_VERSION
@ -30,6 +31,7 @@ COPY service.template config.json.template /exports/
 # however, this would require hard-coding the container name

 COPY apiserver config /etc/kubernetes/
+RUN [ $ADD_KUBE_ALLOW_PRIV = "true" ] && echo "KUBE_ALLOW_PRIV=\"--allow-privileged=false\"" >> /etc/kubernetes/config || true
 RUN mkdir -p /exports/hostfs/usr/local/bin/
 COPY --from=0 /root/kubectl /exports/hostfs/usr/local/bin/
 RUN chmod +x /exports/hostfs/usr/local/bin/kubectl && \
--- a/dockerfiles/kubernetes-apiserver/config
+++ b/dockerfiles/kubernetes-apiserver/config
@ -15,8 +15,5 @@ KUBE_LOGTOSTDERR="--logtostderr=true"
 # journal message level, 0 is debug
 KUBE_LOG_LEVEL="--v=0"

-# Should this cluster be allowed to run privileged docker containers
-KUBE_ALLOW_PRIV="--allow-privileged=false"
-
 # How the controller-manager, scheduler, and proxy find the apiserver
 KUBE_MASTER="--master=http://127.0.0.1:8080"
--- a/dockerfiles/kubernetes-controller-manager/Dockerfile
+++ b/dockerfiles/kubernetes-controller-manager/Dockerfile
@ -1,4 +1,5 @@
 ARG KUBE_VERSION=v1.13.0
+ARG ADD_KUBE_ALLOW_PRIV=false
 FROM gcr.io/google-containers/kube-controller-manager-amd64:${KUBE_VERSION}

 ENV container=docker
@ -17,6 +18,7 @@ COPY launch.sh /usr/bin/kube-controller-manager-docker.sh
 COPY service.template config.json.template /exports/

 COPY controller-manager config /etc/kubernetes/
+RUN [ $ADD_KUBE_ALLOW_PRIV = "true" ] && echo "KUBE_ALLOW_PRIV=\"--allow-privileged=false\"" >> /etc/kubernetes/config || true
 RUN mkdir -p /exports/hostfs/etc/kubernetes && \
    cp /etc/kubernetes/config /exports/hostfs/etc/kubernetes/ && \
    cp /etc/kubernetes/controller-manager /exports/hostfs/etc/kubernetes/
--- a/dockerfiles/kubernetes-controller-manager/config
+++ b/dockerfiles/kubernetes-controller-manager/config
@ -15,8 +15,5 @@ KUBE_LOGTOSTDERR="--logtostderr=true"
 # journal message level, 0 is debug
 KUBE_LOG_LEVEL="--v=0"

-# Should this cluster be allowed to run privileged docker containers
-KUBE_ALLOW_PRIV="--allow-privileged=false"
-
 # How the controller-manager, scheduler, and proxy find the apiserver
 KUBE_MASTER="--master=http://127.0.0.1:8080"
--- a/dockerfiles/kubernetes-kubelet/Dockerfile
+++ b/dockerfiles/kubernetes-kubelet/Dockerfile
@ -1,4 +1,5 @@
 ARG KUBE_VERSION=v1.13.0
+ARG ADD_KUBE_ALLOW_PRIV=false
 FROM gcr.io/google-containers/hyperkube-amd64:${KUBE_VERSION}

 ENV container=docker
@ -14,6 +15,7 @@ LABEL bzcomponent="$NAME" \

 COPY launch.sh /usr/bin/kubelet-docker.sh
 COPY kubelet config /etc/kubernetes/
+RUN [ $ADD_KUBE_ALLOW_PRIV = "true" ] && echo "KUBE_ALLOW_PRIV=\"--allow-privileged=false\"" >> /etc/kubernetes/config || true

 COPY manifest.json tmpfiles.template service.template config.json.template /exports/

--- a/dockerfiles/kubernetes-kubelet/config
+++ b/dockerfiles/kubernetes-kubelet/config
@ -15,8 +15,5 @@ KUBE_LOGTOSTDERR="--logtostderr=true"
 # journal message level, 0 is debug
 KUBE_LOG_LEVEL="--v=0"

-# Should this cluster be allowed to run privileged docker containers
-KUBE_ALLOW_PRIV="--allow-privileged=false"
-
 # How the controller-manager, scheduler, and proxy find the apiserver
 KUBE_MASTER="--master=http://127.0.0.1:8080"
--- a/dockerfiles/kubernetes-proxy/Dockerfile
+++ b/dockerfiles/kubernetes-proxy/Dockerfile
@ -1,4 +1,5 @@
 ARG KUBE_VERSION=v1.13.0
+ARG ADD_KUBE_ALLOW_PRIV=false
 FROM gcr.io/google-containers/kube-proxy-amd64:${KUBE_VERSION}
 ENV container=docker

@ -16,6 +17,8 @@ COPY launch.sh /usr/bin/kube-proxy-docker.sh
 COPY service.template config.json.template /exports/

 COPY proxy config /etc/kubernetes/
+RUN [ $ADD_KUBE_ALLOW_PRIV = "true" ] && echo "KUBE_ALLOW_PRIV=\"--allow-privileged=false\"" >> /etc/kubernetes/config || true
+
 RUN mkdir -p /exports/hostfs/etc/kubernetes && \
    cp /etc/kubernetes/config /exports/hostfs/etc/kubernetes/ && \
    cp /etc/kubernetes/proxy /exports/hostfs/etc/kubernetes/
--- a/dockerfiles/kubernetes-proxy/config
+++ b/dockerfiles/kubernetes-proxy/config
@ -15,8 +15,5 @@ KUBE_LOGTOSTDERR="--logtostderr=true"
 # journal message level, 0 is debug
 KUBE_LOG_LEVEL="--v=0"

-# Should this cluster be allowed to run privileged docker containers
-KUBE_ALLOW_PRIV="--allow-privileged=false"
-
 # How the controller-manager, scheduler, and proxy find the apiserver
 KUBE_MASTER="--master=http://127.0.0.1:8080"
--- a/dockerfiles/kubernetes-scheduler/Dockerfile
+++ b/dockerfiles/kubernetes-scheduler/Dockerfile
@ -1,4 +1,5 @@
 ARG KUBE_VERSION=v1.13.0
+ARG ADD_KUBE_ALLOW_PRIV=false
 FROM gcr.io/google-containers/kube-scheduler-amd64:${KUBE_VERSION}
 ENV container=docker

@ -16,6 +17,7 @@ COPY launch.sh /usr/bin/kube-scheduler-docker.sh
 COPY service.template config.json.template /exports/

 COPY scheduler config /etc/kubernetes/
+RUN [ $ADD_KUBE_ALLOW_PRIV = "true" ] && echo "KUBE_ALLOW_PRIV=\"--allow-privileged=false\"" >> /etc/kubernetes/config || true
 RUN mkdir -p /exports/hostfs/etc/kubernetes && \
    cp /etc/kubernetes/config /exports/hostfs/etc/kubernetes/ && \
    cp /etc/kubernetes/scheduler /exports/hostfs/etc/kubernetes/
--- a/dockerfiles/kubernetes-scheduler/config
+++ b/dockerfiles/kubernetes-scheduler/config
@ -15,8 +15,5 @@ KUBE_LOGTOSTDERR="--logtostderr=true"
 # journal message level, 0 is debug
 KUBE_LOG_LEVEL="--v=0"

-# Should this cluster be allowed to run privileged docker containers
-KUBE_ALLOW_PRIV="--allow-privileged=false"
-
 # How the controller-manager, scheduler, and proxy find the apiserver
 KUBE_MASTER="--master=http://127.0.0.1:8080"
--- a/playbooks/container-builder.yaml
+++ b/playbooks/container-builder.yaml
@ -22,6 +22,7 @@
            tag: "{{kubernetes_version_v1_11}}"
            buildargs:
              KUBE_VERSION: "{{kubernetes_version_v1_11}}"
+              ADD_KUBE_ALLOW_PRIV: "true"
            push: no
          with_items: "{{ kubernetes_images }}"
          retries: 10
@ -35,6 +36,7 @@
            tag: "{{kubernetes_version_v1_12}}"
            buildargs:
              KUBE_VERSION: "{{kubernetes_version_v1_12}}"
+              ADD_KUBE_ALLOW_PRIV: "true"
            push: no
          with_items: "{{ kubernetes_images }}"
          retries: 10
@ -48,6 +50,7 @@
            tag: "{{kubernetes_version_v1_13}}"
            buildargs:
              KUBE_VERSION: "{{kubernetes_version_v1_13}}"
+              ADD_KUBE_ALLOW_PRIV: "true"
            push: no
          with_items: "{{ kubernetes_images }}"
          retries: 10
@ -61,6 +64,7 @@
            tag: "{{kubernetes_version_v1_14}}"
            buildargs:
              KUBE_VERSION: "{{kubernetes_version_v1_14}}"
+              ADD_KUBE_ALLOW_PRIV: "true"
            push: no
          with_items: "{{ kubernetes_images }}"
          retries: 10