components/*: Forbid write access to root filesystem

Signed-off-by: GitHub <noreply@github.com>
2022-01-27 09:13:18 +00:00
parent 48b2bb6a72
commit 57c46a2861
13 changed files with 33 additions and 5 deletions
--- a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
@@ -169,10 +169,12 @@ function(params) {
      securityContext: if bb._config.privileged then {
        runAsNonRoot: false,
        capabilities: { drop: ['ALL'], add: ['NET_RAW'] },
+        readOnlyRootFilesystem: true,
      } else {
        runAsNonRoot: true,
        runAsUser: 65534,
        allowPrivilegeEscalation: false,
+        readOnlyRootFilesystem: true,
      },
      volumeMounts: [{
        mountPath: '/etc/blackbox_exporter/',
@@ -193,6 +195,7 @@ function(params) {
        runAsNonRoot: true,
        runAsUser: 65534,
        allowPrivilegeEscalation: false,
+        readOnlyRootFilesystem: true,
      },
      terminationMessagePath: '/dev/termination-log',
      terminationMessagePolicy: 'FallbackToLogsOnError',
--- a/jsonnet/kube-prometheus/components/grafana.libsonnet
+++ b/jsonnet/kube-prometheus/components/grafana.libsonnet
@@ -84,8 +84,9 @@ function(params)
      },
    },

-    // FIXME(ArthurSens): The override adding 'allowPrivilegeEscalation: false' can be deleted when
-    // https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
+    // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
+    // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
+    // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged.
    deployment+: {
      spec+: {
        template+: {
@@ -93,6 +94,7 @@ function(params)
            containers: std.map(function(c) c {
              securityContext+: {
                allowPrivilegeEscalation: false,
+                readOnlyRootFilesystem: true,
              },
            }, super.containers),
          },
--- a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
@@ -62,5 +62,6 @@ function(params) {
    runAsGroup: 65532,
    runAsNonRoot: true,
    allowPrivilegeEscalation: false,
+    readOnlyRootFilesystem: true,
  },
 }
--- a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
@@ -118,8 +118,9 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
    image: ksm._config.kubeRbacProxyImage,
  }),

-  // FIXME(ArthurSens): The override adding 'allowPrivilegeEscalation: false' can be deleted when
-  // https://github.com/kubernetes/kube-state-metrics/pull/1668 gets merged.
+  // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
+  // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/kubernetes/kube-state-metrics/pull/1668 gets merged.
+  // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/kubernetes/kube-state-metrics/pull/1671 gets merged.
  deployment+: {
    spec+: {
      template+: {
@@ -137,6 +138,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
            resources: ksm._config.resources,
            securityContext+: {
              allowPrivilegeEscalation: false,
+              readOnlyRootFilesystem: true,
            },
          }, super.containers) + [kubeRbacProxyMain, kubeRbacProxySelf],
        },
--- a/jsonnet/kube-prometheus/components/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
@@ -183,6 +183,7 @@ function(params) {
      resources: ne._config.resources,
      securityContext: {
        allowPrivilegeEscalation: false,
+        readOnlyRootFilesystem: true,
      },
    };

--- a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
@@ -228,6 +228,7 @@ function(params) {
      ],
      securityContext: {
        allowPrivilegeEscalation: false,
+        readOnlyRootFilesystem: true,
      },
    };

--- a/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
@@ -125,11 +125,17 @@ function(params)
      image: po._config.kubeRbacProxyImage,
    }),

+    // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
+    // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/prometheus-operator/prometheus-operator/pull/4531 gets merged.
    deployment+: {
      spec+: {
        template+: {
          spec+: {
-            containers+: [kubeRbacProxy],
+            containers: std.map(function(c) c {
+              securityContext+: {
+                readOnlyRootFilesystem: true,
+              },
+            }, super.containers) + [kubeRbacProxy],
          },
        },
      },