diff --git a/jsonnet/kube-prometheus/addons/pyrra.libsonnet b/jsonnet/kube-prometheus/addons/pyrra.libsonnet index 1980b220..06ed5b29 100644 --- a/jsonnet/kube-prometheus/addons/pyrra.libsonnet +++ b/jsonnet/kube-prometheus/addons/pyrra.libsonnet @@ -80,6 +80,9 @@ securityContext: { allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, + runAsNonRoot: true, + capabilities: { drop: ['ALL'] }, + seccompProfile: { type: 'RuntimeDefault' }, }, }; diff --git a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet index bb1c15a2..7055c308 100644 --- a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet +++ b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet @@ -63,5 +63,6 @@ function(params) { allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, capabilities: { drop: ['ALL'] }, + seccompProfile: { type: 'RuntimeDefault' }, }, } diff --git a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet index 78541d2c..af817262 100644 --- a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet +++ b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet @@ -280,7 +280,9 @@ function(params) { securityContext: { allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, + runAsNonRoot: true, capabilities: { drop: ['ALL'] }, + seccompProfile: { type: 'RuntimeDefault' }, }, }; diff --git a/jsonnet/kube-prometheus/main.libsonnet b/jsonnet/kube-prometheus/main.libsonnet index 3405c8f3..969a893b 100644 --- a/jsonnet/kube-prometheus/main.libsonnet +++ b/jsonnet/kube-prometheus/main.libsonnet @@ -150,6 +150,10 @@ local utils = import './lib/utils.libsonnet'; kind: 'Namespace', metadata: { name: $.values.common.namespace, + labels: { + 'pod-security.kubernetes.io/warn': 'privileged', + 'pod-security.kubernetes.io/warn-version': 'latest', + }, }, }, },