ensure the /etc/os-release is mounted read only

This commit is contained in:
Spencer Smith 2017-05-01 14:51:40 -04:00
parent f608e9e4f8
commit 755c20f2f9
2 changed files with 2 additions and 2 deletions

View file

@ -25,7 +25,7 @@
-v /var/lib/cni:/var/lib/cni:shared \ -v /var/lib/cni:/var/lib/cni:shared \
-v /var/run:/var/run:rw \ -v /var/run:/var/run:rw \
-v {{kube_config_dir}}:{{kube_config_dir}}:ro \ -v {{kube_config_dir}}:{{kube_config_dir}}:ro \
-v /etc/os-release:/etc/os-release \ -v /etc/os-release:/etc/os-release:ro \
{{ hyperkube_image_repo }}:{{ hyperkube_image_tag}} \ {{ hyperkube_image_repo }}:{{ hyperkube_image_tag}} \
./hyperkube kubelet \ ./hyperkube kubelet \
"$@" "$@"

View file

@ -20,7 +20,7 @@ ExecStartPre=-/bin/mkdir -p /var/lib/kubelet
EnvironmentFile={{kube_config_dir}}/kubelet.env EnvironmentFile={{kube_config_dir}}/kubelet.env
# stage1-fly mounts /proc /sys /dev so no need to duplicate the mounts # stage1-fly mounts /proc /sys /dev so no need to duplicate the mounts
ExecStart=/usr/bin/rkt run \ ExecStart=/usr/bin/rkt run \
--volume os-release,kind=host,source=/etc/os-release \ --volume os-release,kind=host,source=/etc/os-release,readOnly=true \
--volume dns,kind=host,source=/etc/resolv.conf \ --volume dns,kind=host,source=/etc/resolv.conf \
--volume etc-kubernetes,kind=host,source={{ kube_config_dir }},readOnly=false \ --volume etc-kubernetes,kind=host,source={{ kube_config_dir }},readOnly=false \
--volume etc-ssl-certs,kind=host,source=/etc/ssl/certs,readOnly=true \ --volume etc-ssl-certs,kind=host,source=/etc/ssl/certs,readOnly=true \