diff --git a/roles/kubernetes-apps/ansible/templates/coredns-clusterrole.yml.j2 b/roles/kubernetes-apps/ansible/templates/coredns-clusterrole.yml.j2
index 79c4e775d..d5f91eddf 100644
--- a/roles/kubernetes-apps/ansible/templates/coredns-clusterrole.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-clusterrole.yml.j2
@@ -7,26 +7,26 @@ metadata:
 addonmanager.kubernetes.io/mode: Reconcile
 name: system:coredns
 rules:
- - apiGroups:
- - ""
- resources:
- - endpoints
- - services
- - pods
- - namespaces
- verbs:
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - list
- - watch
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - services
+ - pods
+ - namespaces
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+- apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - list
+ - watch
diff --git a/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2 b/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
index fa8106935..316425bfd 100644
--- a/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
@@ -22,9 +22,11 @@ spec:
 labels:
 k8s-app: kube-dns{{ coredns_ordinal_suffix }}
 annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
 createdby: 'kubespray'
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
 nodeSelector:
 {{ coredns_deployment_nodeselector }}
 priorityClassName: system-cluster-critical
diff --git a/roles/kubernetes-apps/ansible/templates/coredns-sa.yml.j2 b/roles/kubernetes-apps/ansible/templates/coredns-sa.yml.j2
index daebd6a8e..64d9c4dae 100644
--- a/roles/kubernetes-apps/ansible/templates/coredns-sa.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-sa.yml.j2
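Review bot: In coredns-deployment.yml.j2 the pod-level `securityContext.seccompProfile` is rendered unconditionally while the `seccomp.security.alpha.kubernetes.io/pod` annotation it replaces is removed in the same hunk. The field only exists from Kubernetes 1.19 on, so if this role still has to render for older clusters (not visible here) the manifest would be rejected or the field dropped, and CoreDNS would run without the runtime default seccomp filter. Either confirm the minimum supported cluster version or wrap the three added lines in a Jinja version guard that falls back to the annotation. A one-line comment above them, such as `# RuntimeDefault seccomp; replaces the deprecated seccomp.security.alpha.kubernetes.io/pod annotation`, would record why the annotation went away. The pod `spec:` continues past the hunk, so whether a container-level `securityContext` overrides this setting cannot be checked from here.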
@@ -5,4 +5,5 @@ metadata:
 name: coredns
 namespace: kube-system
 labels:
+ kubernetes.io/cluster-service: "true"
 addonmanager.kubernetes.io/mode: Reconcile