From befa960a1e56c1d97b81b8a432464c9b19c7914e Mon Sep 17 00:00:00 2001
From: paulfantom
Date: Mon, 23 Nov 2020 11:26:47 +0100
Subject: [PATCH 1/2] jsonnet/kube-prometheus: kube-rbac-proxy should run as UID 65532

---
 jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet | 4 +++-
 .../kube-prometheus/node-exporter/node-exporter.libsonnet | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet b/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
index fa85f0cf..724087d6 100644
--- a/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
+++ b/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
@@ -41,7 +41,9 @@
 { name: krp.config.kubeRbacProxy.securePortName, containerPort: krp.config.kubeRbacProxy.securePort },
 ],
 securityContext: {
- runAsUser: 65534,
+ runAsUser: 65532,
+ runAsGroup: 65532,
+ runAsNonRoot: true,
 },
 }],
 },
diff --git a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
index 2865deca..c2288ce7 100644
--- a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
@@ -103,6 +103,11 @@
 { name: 'https', containerPort: $._config.nodeExporter.port, hostPort: $._config.nodeExporter.port },
 ],
 resources: $._config.resources['kube-rbac-proxy'],
+ securityContext: {
+ runAsUser: 65532,
+ runAsGroup: 65532,
+ runAsNonRoot: true,
+ },
 };
 
 {

From 20fa80fb4c7ca061d45c889ae41522631003dfbd Mon Sep 17 00:00:00 2001
From: paulfantom
Date: Mon, 23 Nov 2020 11:28:14 +0100
Subject: [PATCH 2/2] manifests: regenerate

---
 manifests/kube-state-metrics-deployment.yaml | 8 ++++++--
 manifests/node-exporter-daemonset.yaml | 4 ++++
 manifests/setup/prometheus-operator-deployment.yaml | 4 +++-
 3 files changed, 13 insertions(+), 3 deletions(-)
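Review bot: The new securityContext in the container.libsonnet hunk stops at user, group and `runAsNonRoot: true` and omits the other container-level hardening fields a non-root proxy sidecar should carry, so consider adding `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities: { drop: ['ALL'] }` alongside them; the same applies to the securityContext added in the node-exporter.libsonnet hunk of this patch. The UID/GID 65532 is hard-coded separately in both hunks because node-exporter.libsonnet defines its own kube-rbac-proxy sidecar instead of reusing the shared container, so a future change has to be made twice; lifting the value into one config field (for example under `krp.config.kubeRbacProxy`, which the first hunk already reads) would keep the two definitions from drifting. Pairing a numeric `runAsUser` with `runAsNonRoot: true` is the right combination here, since the kubelet can then enforce the non-root requirement without relying on image USER metadata. The container object being edited starts outside each hunk.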
diff --git a/manifests/kube-state-metrics-deployment.yaml b/manifests/kube-state-metrics-deployment.yaml
index b54e6414..9bda5c69 100644
--- a/manifests/kube-state-metrics-deployment.yaml
+++ b/manifests/kube-state-metrics-deployment.yaml
@@ -36,7 +36,9 @@ spec:
 - containerPort: 8443
 name: https-main
 securityContext:
- runAsUser: 65534
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
 - args:
 - --logtostderr
 - --secure-listen-address=:9443
@@ -48,7 +50,9 @@ spec:
 - containerPort: 9443
 name: https-self
 securityContext:
- runAsUser: 65534
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
 nodeSelector:
 kubernetes.io/os: linux
 serviceAccountName: kube-state-metrics
diff --git a/manifests/node-exporter-daemonset.yaml b/manifests/node-exporter-daemonset.yaml
index 32a4e6cf..9a6f163d 100644
--- a/manifests/node-exporter-daemonset.yaml
+++ b/manifests/node-exporter-daemonset.yaml
@@ -70,6 +70,10 @@ spec:
 requests:
 cpu: 10m
 memory: 20Mi
+ securityContext:
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
 hostNetwork: true
 hostPID: true
 nodeSelector:
diff --git a/manifests/setup/prometheus-operator-deployment.yaml b/manifests/setup/prometheus-operator-deployment.yaml
index 119f6390..d4fc4b3f 100644
--- a/manifests/setup/prometheus-operator-deployment.yaml
+++ b/manifests/setup/prometheus-operator-deployment.yaml
@@ -50,7 +50,9 @@ spec:
 - containerPort: 8443
 name: https
 securityContext:
- runAsUser: 65534
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
 nodeSelector:
 beta.kubernetes.io/os: linux
 securityContext: