Merge pull request #1610 from ArthurSens/as/linux-hardening

Drop Linux capabilities
2022-02-02 12:56:21 +00:00
parent 21e26c808a 931af3241d
commit 755d27bb46
14 changed files with 58 additions and 2 deletions
--- a/manifests/blackboxExporter-deployment.yaml
+++ b/manifests/blackboxExporter-deployment.yaml
@@ -43,6 +43,9 @@ spec:
            memory: 20Mi
        securityContext:
          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 65534
@@ -64,6 +67,9 @@ spec:
            memory: 20Mi
        securityContext:
          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 65534
@@ -92,6 +98,9 @@ spec:
            memory: 20Mi
        securityContext:
          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
--- a/manifests/grafana-deployment.yaml
+++ b/manifests/grafana-deployment.yaml
@@ -47,6 +47,9 @@ spec:
            memory: 100Mi
        securityContext:
          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /var/lib/grafana
--- a/manifests/kubeStateMetrics-deployment.yaml
+++ b/manifests/kubeStateMetrics-deployment.yaml
@@ -43,6 +43,9 @@ spec:
            memory: 190Mi
        securityContext:
          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
          readOnlyRootFilesystem: true
          runAsUser: 65534
      - args:
@@ -64,6 +67,9 @@ spec:
            memory: 20Mi
        securityContext:
          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
@@ -87,6 +93,9 @@ spec:
            memory: 20Mi
        securityContext:
          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
--- a/manifests/nodeExporter-daemonset.yaml
+++ b/manifests/nodeExporter-daemonset.yaml
@@ -45,6 +45,11 @@ spec:
            memory: 180Mi
        securityContext:
          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - CAP_SYS_TIME
+            drop:
+            - ALL
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /host/sys
@@ -80,6 +85,9 @@ spec:
            memory: 20Mi
        securityContext:
          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
--- a/manifests/prometheusAdapter-deployment.yaml
+++ b/manifests/prometheusAdapter-deployment.yaml
@@ -49,6 +49,9 @@ spec:
            memory: 180Mi
        securityContext:
          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
          readOnlyRootFilesystem: true
        volumeMounts:
        - mountPath: /tmp
--- a/manifests/prometheusOperator-deployment.yaml
+++ b/manifests/prometheusOperator-deployment.yaml
@@ -44,6 +44,9 @@ spec:
            memory: 100Mi
        securityContext:
          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
          readOnlyRootFilesystem: true
      - args:
        - --logtostderr
@@ -64,6 +67,9 @@ spec:
            memory: 20Mi
        securityContext:
          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true