components/*: Forbid write access to root filesystem

Signed-off-by: GitHub <noreply@github.com>
2022-01-27 09:13:18 +00:00
parent 48b2bb6a72
commit 57c46a2861
13 changed files with 33 additions and 5 deletions
--- a/manifests/blackboxExporter-deployment.yaml
+++ b/manifests/blackboxExporter-deployment.yaml
@@ -43,6 +43,7 @@ spec:
            memory: 20Mi
        securityContext:
          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 65534
        volumeMounts:
@@ -63,6 +64,7 @@ spec:
            memory: 20Mi
        securityContext:
          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 65534
        terminationMessagePath: /dev/termination-log
@@ -90,6 +92,7 @@ spec:
            memory: 20Mi
        securityContext:
          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
--- a/manifests/grafana-deployment.yaml
+++ b/manifests/grafana-deployment.yaml
@@ -47,6 +47,7 @@ spec:
            memory: 100Mi
        securityContext:
          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /var/lib/grafana
          name: grafana-storage
--- a/manifests/kubeStateMetrics-deployment.yaml
+++ b/manifests/kubeStateMetrics-deployment.yaml
@@ -43,6 +43,7 @@ spec:
            memory: 190Mi
        securityContext:
          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
          runAsUser: 65534
      - args:
        - --logtostderr
@@ -63,6 +64,7 @@ spec:
            memory: 20Mi
        securityContext:
          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
@@ -85,6 +87,7 @@ spec:
            memory: 20Mi
        securityContext:
          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
--- a/manifests/nodeExporter-daemonset.yaml
+++ b/manifests/nodeExporter-daemonset.yaml
@@ -45,6 +45,7 @@ spec:
            memory: 180Mi
        securityContext:
          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /host/sys
          mountPropagation: HostToContainer
@@ -79,6 +80,7 @@ spec:
            memory: 20Mi
        securityContext:
          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
--- a/manifests/prometheusAdapter-deployment.yaml
+++ b/manifests/prometheusAdapter-deployment.yaml
@@ -49,6 +49,7 @@ spec:
            memory: 180Mi
        securityContext:
          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /tmp
          name: tmpfs
--- a/manifests/prometheusOperator-deployment.yaml
+++ b/manifests/prometheusOperator-deployment.yaml
@@ -44,6 +44,7 @@ spec:
            memory: 100Mi
        securityContext:
          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
      - args:
        - --logtostderr
        - --secure-listen-address=:8443
@@ -63,6 +64,7 @@ spec:
            memory: 20Mi
        securityContext:
          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532