easylinux/kube-prometheus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Drop Linux capabilities

Browse Source 
Signed-off-by: GitHub <noreply@github.com>
This commit is contained in:
Arthur Silva Sens
2022-02-01 09:25:21 +00:00
committed by GitHub
parent 6bfb07aac2
commit 931af3241d
14 changed files with 58 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile
View File

@@ -66,7 +66,7 @@ kubeconform: crdschemas manifests $(KUBECONFORM_BIN)
.PHONY: kubescape .PHONY: kubescape
kubescape: $(KUBESCAPE_BIN) ## Runs a security analysis on generated manifests - failing if risk score is above threshold percentage 't' kubescape: $(KUBESCAPE_BIN) ## Runs a security analysis on generated manifests - failing if risk score is above threshold percentage 't'
$(KUBESCAPE_BIN) scan -s framework -t 20 nsa manifests/*.yaml --exceptions 'kubescape-exceptions.json' $(KUBESCAPE_BIN) scan -s framework -t 16 nsa manifests/*.yaml --exceptions 'kubescape-exceptions.json'
.PHONY: fmt .PHONY: fmt
fmt: $(JSONNETFMT_BIN) fmt: $(JSONNETFMT_BIN)

2
jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
View File

@@ -175,6 +175,7 @@ function(params) {
runAsUser: 65534, runAsUser: 65534,
allowPrivilegeEscalation: false, allowPrivilegeEscalation: false,
readOnlyRootFilesystem: true, readOnlyRootFilesystem: true,
capabilities: { drop: ['ALL'] },
}, },
volumeMounts: [{ volumeMounts: [{
mountPath: '/etc/blackbox_exporter/', mountPath: '/etc/blackbox_exporter/',
@@ -196,6 +197,7 @@ function(params) {
runAsUser: 65534, runAsUser: 65534,
allowPrivilegeEscalation: false, allowPrivilegeEscalation: false,
readOnlyRootFilesystem: true, readOnlyRootFilesystem: true,
capabilities: { drop: ['ALL'] },
}, },
terminationMessagePath: '/dev/termination-log', terminationMessagePath: '/dev/termination-log',
terminationMessagePolicy: 'FallbackToLogsOnError', terminationMessagePolicy: 'FallbackToLogsOnError',

2
jsonnet/kube-prometheus/components/grafana.libsonnet
View File

@@ -87,6 +87,7 @@ function(params)
// FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
// 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged. // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
// 'readOnlyRootFilesystem: true' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged. // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged.
// 'capabilities: { drop: ['ALL'] }' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/130 gets merged.
deployment+: { deployment+: {
spec+: { spec+: {
template+: { template+: {
@@ -95,6 +96,7 @@ function(params)
securityContext+: { securityContext+: {
allowPrivilegeEscalation: false, allowPrivilegeEscalation: false,
readOnlyRootFilesystem: true, readOnlyRootFilesystem: true,
capabilities: { drop: ['ALL'] },
}, },
}, super.containers), }, super.containers),
}, },

1
jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
View File

@@ -63,5 +63,6 @@ function(params) {
runAsNonRoot: true, runAsNonRoot: true,
allowPrivilegeEscalation: false, allowPrivilegeEscalation: false,
readOnlyRootFilesystem: true, readOnlyRootFilesystem: true,
capabilities: { drop: ['ALL'] },
}, },
} }

5
jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
View File

@@ -118,6 +118,8 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
image: ksm._config.kubeRbacProxyImage, image: ksm._config.kubeRbacProxyImage,
}), }),
// FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
// 'capabilities: { drop: ['ALL'] },' can be deleted when https://github.com/kubernetes/kube-state-metrics/pull/1674 gets merged.
deployment+: { deployment+: {
spec+: { spec+: {
template+: { template+: {
@@ -133,6 +135,9 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
readinessProbe:: null, readinessProbe:: null,
args: ['--host=127.0.0.1', '--port=8081', '--telemetry-host=127.0.0.1', '--telemetry-port=8082'], args: ['--host=127.0.0.1', '--port=8081', '--telemetry-host=127.0.0.1', '--telemetry-port=8082'],
resources: ksm._config.resources, resources: ksm._config.resources,
securityContext+: {
capabilities: { drop: ['ALL'] },
},
}, super.containers) + [kubeRbacProxyMain, kubeRbacProxySelf], }, super.containers) + [kubeRbacProxyMain, kubeRbacProxySelf],
}, },
}, },

1
jsonnet/kube-prometheus/components/node-exporter.libsonnet
View File

@@ -184,6 +184,7 @@ function(params) {
securityContext: { securityContext: {
allowPrivilegeEscalation: false, allowPrivilegeEscalation: false,
readOnlyRootFilesystem: true, readOnlyRootFilesystem: true,
capabilities: { drop: ['ALL'], add: ['CAP_SYS_TIME'] },
}, },
}; };

1
jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
View File

@@ -229,6 +229,7 @@ function(params) {
securityContext: { securityContext: {
allowPrivilegeEscalation: false, allowPrivilegeEscalation: false,
readOnlyRootFilesystem: true, readOnlyRootFilesystem: true,
capabilities: { drop: ['ALL'] },
}, },
}; };

8
jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
View File

@@ -125,11 +125,17 @@ function(params)
image: po._config.kubeRbacProxyImage, image: po._config.kubeRbacProxyImage,
}), }),
// FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
// 'capabilities: { drop: ['ALL'] },' can be deleted when https://github.com/prometheus-operator/prometheus-operator/pull/4546 gets merged.
deployment+: { deployment+: {
spec+: { spec+: {
template+: { template+: {
spec+: { spec+: {
containers+: [kubeRbacProxy], containers: std.map(function(c) c {
securityContext+: {
capabilities: { drop: ['ALL'] },
},
}, super.containers) + [kubeRbacProxy],
}, },
}, },
}, },

9
manifests/blackboxExporter-deployment.yaml
View File

@@ -43,6 +43,9 @@ spec:
memory: 20Mi memory: 20Mi
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsNonRoot: true runAsNonRoot: true
runAsUser: 65534 runAsUser: 65534
@@ -64,6 +67,9 @@ spec:
memory: 20Mi memory: 20Mi
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsNonRoot: true runAsNonRoot: true
runAsUser: 65534 runAsUser: 65534
@@ -92,6 +98,9 @@ spec:
memory: 20Mi memory: 20Mi
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 65532 runAsGroup: 65532
runAsNonRoot: true runAsNonRoot: true

3
manifests/grafana-deployment.yaml
View File

@@ -47,6 +47,9 @@ spec:
memory: 100Mi memory: 100Mi
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
volumeMounts: volumeMounts:
- mountPath: /var/lib/grafana - mountPath: /var/lib/grafana

9
manifests/kubeStateMetrics-deployment.yaml
View File

@@ -43,6 +43,9 @@ spec:
memory: 190Mi memory: 190Mi
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsUser: 65534 runAsUser: 65534
- args: - args:
@@ -64,6 +67,9 @@ spec:
memory: 20Mi memory: 20Mi
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 65532 runAsGroup: 65532
runAsNonRoot: true runAsNonRoot: true
@@ -87,6 +93,9 @@ spec:
memory: 20Mi memory: 20Mi
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 65532 runAsGroup: 65532
runAsNonRoot: true runAsNonRoot: true

8
manifests/nodeExporter-daemonset.yaml
View File

@@ -45,6 +45,11 @@ spec:
memory: 180Mi memory: 180Mi
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
add:
- CAP_SYS_TIME
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
volumeMounts: volumeMounts:
- mountPath: /host/sys - mountPath: /host/sys
@@ -80,6 +85,9 @@ spec:
memory: 20Mi memory: 20Mi
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 65532 runAsGroup: 65532
runAsNonRoot: true runAsNonRoot: true

3
manifests/prometheusAdapter-deployment.yaml
View File

@@ -49,6 +49,9 @@ spec:
memory: 180Mi memory: 180Mi
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
volumeMounts: volumeMounts:
- mountPath: /tmp - mountPath: /tmp

6
manifests/prometheusOperator-deployment.yaml
View File

@@ -44,6 +44,9 @@ spec:
memory: 100Mi memory: 100Mi
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
- args: - args:
- --logtostderr - --logtostderr
@@ -64,6 +67,9 @@ spec:
memory: 20Mi memory: 20Mi
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 65532 runAsGroup: 65532
runAsNonRoot: true runAsNonRoot: true