From 9a2682671cf94639dd0db446a7c374a288986c1c Mon Sep 17 00:00:00 2001
From: Alex Vest <alex.vest@storageos.com>
Date: Thu, 21 Jan 2021 17:48:06 +0000
Subject: [PATCH] Update daemonset manifest to mount /etc/machine-id

Mounted as ReadOnly in order to minimize attack surface as in #3880
---
 prog/weave-kube/weave-daemonset-k8s-1.11.yaml | 6 ++++++
 prog/weave-kube/weave-daemonset-k8s-1.8.yaml  | 6 ++++++
 prog/weave-kube/weave-daemonset-k8s-1.9.yaml  | 6 ++++++
 3 files changed, 18 insertions(+)

diff --git a/prog/weave-kube/weave-daemonset-k8s-1.11.yaml b/prog/weave-kube/weave-daemonset-k8s-1.11.yaml
index af56ecf7f..04b0e435b 100644
--- a/prog/weave-kube/weave-daemonset-k8s-1.11.yaml
+++ b/prog/weave-kube/weave-daemonset-k8s-1.11.yaml
@@ -169,6 +169,9 @@ items:
                 - name: dbus
                   mountPath: /host/var/lib/dbus
                   readOnly: true
+                - mountPath: /host/etc/machine-id
+                  name: cni-machine-id
+                  readOnly: true
                 - name: xtables-lock
                   mountPath: /run/xtables.lock
                   readOnly: false
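Review bot: The new `cni-machine-id` entry lists `mountPath` before `name`, while the `dbus` and `xtables-lock` entries around it put `name` first. Reordering it to `- name: cni-machine-id` followed by `mountPath: /host/etc/machine-id` keeps the list scannable by volume name. A one-line comment above the entry, such as `# host machine-id, mounted read-only to limit what the container can change on the host`, would keep the commit message's rationale next to the mount. The same ordering appears in the volumeMounts hunks of the 1.8 and 1.9 manifests, and the volumeMounts list itself starts and ends outside this hunk.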
@@ -216,6 +219,9 @@ items:
             - name: cni-conf
               hostPath:
                 path: /etc
+            - name: cni-machine-id
+              hostPath:
+                path: /etc/machine-id
             - name: dbus
               hostPath:
                 path: /var/lib/dbus
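Review bot: The `cni-machine-id` hostPath sets no `type`, so nothing checks that `/etc/machine-id` exists as a regular file before the pod starts. On a host where it is missing, the container runtime may create the path as an empty directory (this depends on the runtime), and the container would then see a directory at `/host/etc/machine-id`. Adding `type: File` under `path: /etc/machine-id` makes that case fail visibly at pod start; please confirm the field is accepted by all three targeted Kubernetes versions and that refusing to start on such hosts is acceptable. `FileOrCreate` is not a good substitute, since it would leave an empty machine-id file on the host. The same applies to the volumes hunks of the 1.8 and 1.9 manifests; the volumes list continues outside the hunk.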
diff --git a/prog/weave-kube/weave-daemonset-k8s-1.8.yaml b/prog/weave-kube/weave-daemonset-k8s-1.8.yaml
index 35e248fa9..383aa1d88 100644
--- a/prog/weave-kube/weave-daemonset-k8s-1.8.yaml
+++ b/prog/weave-kube/weave-daemonset-k8s-1.8.yaml
@@ -166,6 +166,9 @@ items:
                 - name: dbus
                   mountPath: /host/var/lib/dbus
                   readOnly: true
+                - mountPath: /host/etc/machine-id
+                  name: cni-machine-id
+                  readOnly: true
                 - name: xtables-lock
                   mountPath: /run/xtables.lock
                   readOnly: false
@@ -212,6 +215,9 @@ items:
             - name: cni-conf
               hostPath:
                 path: /etc
+            - name: cni-machine-id
+              hostPath:
+                path: /etc/machine-id
             - name: dbus
               hostPath:
                 path: /var/lib/dbus
diff --git a/prog/weave-kube/weave-daemonset-k8s-1.9.yaml b/prog/weave-kube/weave-daemonset-k8s-1.9.yaml
index 18fdb44d1..a66656fe1 100644
--- a/prog/weave-kube/weave-daemonset-k8s-1.9.yaml
+++ b/prog/weave-kube/weave-daemonset-k8s-1.9.yaml
@@ -169,6 +169,9 @@ items:
                 - name: dbus
                   mountPath: /host/var/lib/dbus
                   readOnly: true
+                - mountPath: /host/etc/machine-id
+                  name: cni-machine-id
+                  readOnly: true
                 - name: xtables-lock
                   mountPath: /run/xtables.lock
                   readOnly: false
@@ -216,6 +219,9 @@ items:
             - name: cni-conf
               hostPath:
                 path: /etc
+            - name: cni-machine-id
+              hostPath:
+                path: /etc/machine-id
             - name: dbus
               hostPath:
                 path: /var/lib/dbus