Add securityContext items and add pod security labes

2023-05-31 17:32:41 +01:00
parent 1706065791
commit 1e55a4057c
4 changed files with 10 additions and 0 deletions
--- a/jsonnet/kube-prometheus/addons/pyrra.libsonnet
+++ b/jsonnet/kube-prometheus/addons/pyrra.libsonnet
@@ -80,6 +80,9 @@
        securityContext: {
          allowPrivilegeEscalation: false,
          readOnlyRootFilesystem: true,
+          runAsNonRoot: true,
+          capabilities: { drop: ['ALL'] },
+          seccompProfile: { type: 'RuntimeDefault' },  
        },
      };

--- a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
@@ -63,5 +63,6 @@ function(params) {
    allowPrivilegeEscalation: false,
    readOnlyRootFilesystem: true,
    capabilities: { drop: ['ALL'] },
+    seccompProfile: { type: 'RuntimeDefault' },
  },
 }
--- a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
@@ -280,7 +280,9 @@ function(params) {
      securityContext: {
        allowPrivilegeEscalation: false,
        readOnlyRootFilesystem: true,
+        runAsNonRoot: true,
        capabilities: { drop: ['ALL'] },
+        seccompProfile: { type: 'RuntimeDefault' },
      },
    };

--- a/jsonnet/kube-prometheus/main.libsonnet
+++ b/jsonnet/kube-prometheus/main.libsonnet
@@ -150,6 +150,10 @@ local utils = import './lib/utils.libsonnet';
      kind: 'Namespace',
      metadata: {
        name: $.values.common.namespace,
+        labels: {
+          'pod-security.kubernetes.io/warn': 'privileged',
+          'pod-security.kubernetes.io/warn-version': 'latest',
+        },
      },
    },
  },