Merge pull request #1593 from prometheus-operator/as/forbid-privilege-scalation

Explicitly declare allowPrivilegeEscalation to false in all components
2022-01-24 10:38:33 +00:00
parent 90ad3c99fc 2d02121731
commit 4d004393e1
13 changed files with 49 additions and 2 deletions
--- a/manifests/blackboxExporter-deployment.yaml
+++ b/manifests/blackboxExporter-deployment.yaml
@@ -42,6 +42,7 @@ spec:
            cpu: 10m
            memory: 20Mi
        securityContext:
+          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 65534
        volumeMounts:
@@ -61,6 +62,7 @@ spec:
            cpu: 10m
            memory: 20Mi
        securityContext:
+          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 65534
        terminationMessagePath: /dev/termination-log
@@ -87,6 +89,7 @@ spec:
            cpu: 10m
            memory: 20Mi
        securityContext:
+          allowPrivilegeEscalation: false
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
--- a/manifests/grafana-deployment.yaml
+++ b/manifests/grafana-deployment.yaml
@@ -45,6 +45,8 @@ spec:
          requests:
            cpu: 100m
            memory: 100Mi
+        securityContext:
+          allowPrivilegeEscalation: false
        volumeMounts:
        - mountPath: /var/lib/grafana
          name: grafana-storage
--- a/manifests/kubeStateMetrics-deployment.yaml
+++ b/manifests/kubeStateMetrics-deployment.yaml
@@ -42,6 +42,7 @@ spec:
            cpu: 10m
            memory: 190Mi
        securityContext:
+          allowPrivilegeEscalation: false
          runAsUser: 65534
      - args:
        - --logtostderr
@@ -61,6 +62,7 @@ spec:
            cpu: 20m
            memory: 20Mi
        securityContext:
+          allowPrivilegeEscalation: false
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
@@ -82,6 +84,7 @@ spec:
            cpu: 10m
            memory: 20Mi
        securityContext:
+          allowPrivilegeEscalation: false
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
--- a/manifests/nodeExporter-daemonset.yaml
+++ b/manifests/nodeExporter-daemonset.yaml
@@ -43,6 +43,8 @@ spec:
          requests:
            cpu: 102m
            memory: 180Mi
+        securityContext:
+          allowPrivilegeEscalation: false
        volumeMounts:
        - mountPath: /host/sys
          mountPropagation: HostToContainer
@@ -76,6 +78,7 @@ spec:
            cpu: 10m
            memory: 20Mi
        securityContext:
+          allowPrivilegeEscalation: false
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
--- a/manifests/prometheusAdapter-deployment.yaml
+++ b/manifests/prometheusAdapter-deployment.yaml
@@ -47,6 +47,8 @@ spec:
          requests:
            cpu: 102m
            memory: 180Mi
+        securityContext:
+          allowPrivilegeEscalation: false
        volumeMounts:
        - mountPath: /tmp
          name: tmpfs
--- a/manifests/prometheusOperator-deployment.yaml
+++ b/manifests/prometheusOperator-deployment.yaml
@@ -62,6 +62,7 @@ spec:
            cpu: 10m
            memory: 20Mi
        securityContext:
+          allowPrivilegeEscalation: false
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532