Merge pull request #1593 from prometheus-operator/as/forbid-privilege-scalation

Explicitly declare allowPrivilegeEscalation to false in all components
2022-01-24 10:38:33 +00:00
parent 90ad3c99fc 2d02121731
commit 4d004393e1
13 changed files with 49 additions and 2 deletions
--- a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
@@ -172,6 +172,7 @@ function(params) {
      } else {
        runAsNonRoot: true,
        runAsUser: 65534,
+        allowPrivilegeEscalation: false,
      },
      volumeMounts: [{
        mountPath: '/etc/blackbox_exporter/',
@@ -188,7 +189,11 @@ function(params) {
        '--volume-dir=/etc/blackbox_exporter/',
      ],
      resources: bb._config.resources,
-      securityContext: { runAsNonRoot: true, runAsUser: 65534 },
+      securityContext: {
+        runAsNonRoot: true,
+        runAsUser: 65534,
+        allowPrivilegeEscalation: false,
+      },
      terminationMessagePath: '/dev/termination-log',
      terminationMessagePolicy: 'FallbackToLogsOnError',
      volumeMounts: [{
--- a/jsonnet/kube-prometheus/components/grafana.libsonnet
+++ b/jsonnet/kube-prometheus/components/grafana.libsonnet
@@ -83,4 +83,20 @@ function(params)
        }],
      },
    },
+
+    // FIXME(ArthurSens): The override adding 'allowPrivilegeEscalation: false' can be deleted when
+    // https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
+    deployment+: {
+      spec+: {
+        template+: {
+          spec+: {
+            containers: std.map(function(c) c {
+              securityContext+: {
+                allowPrivilegeEscalation: false,
+              },
+            }, super.containers),
+          },
+        },
+      },
+    },
  }
--- a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
@@ -61,5 +61,6 @@ function(params) {
    runAsUser: 65532,
    runAsGroup: 65532,
    runAsNonRoot: true,
+    allowPrivilegeEscalation: false,
  },
 }
--- a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
@@ -118,6 +118,8 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
    image: ksm._config.kubeRbacProxyImage,
  }),

+  // FIXME(ArthurSens): The override adding 'allowPrivilegeEscalation: false' can be deleted when
+  // https://github.com/kubernetes/kube-state-metrics/pull/1668 gets merged.
  deployment+: {
    spec+: {
      template+: {
@@ -133,6 +135,9 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
            readinessProbe:: null,
            args: ['--host=127.0.0.1', '--port=8081', '--telemetry-host=127.0.0.1', '--telemetry-port=8082'],
            resources: ksm._config.resources,
+            securityContext+: {
+              allowPrivilegeEscalation: false,
+            },
          }, super.containers) + [kubeRbacProxyMain, kubeRbacProxySelf],
        },
      },
--- a/jsonnet/kube-prometheus/components/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
@@ -181,6 +181,9 @@ function(params) {
        { name: 'root', mountPath: '/host/root', mountPropagation: 'HostToContainer', readOnly: true },
      ],
      resources: ne._config.resources,
+      securityContext: {
+        allowPrivilegeEscalation: false,
+      },
    };

    local kubeRbacProxy = krp({
--- a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
@@ -226,6 +226,9 @@ function(params) {
        { name: 'volume-serving-cert', mountPath: '/var/run/serving-cert', readOnly: false },
        { name: 'config', mountPath: '/etc/adapter', readOnly: false },
      ],
+      securityContext: {
+        allowPrivilegeEscalation: false,
+      },
    };

    {