Explicitly declare allowPrivilegeEscalation to false

Although containers that do not run as privileged already have this set to false by Kubernetes,
Kubescape [asks us](https://hub.armo.cloud/docs/c-0016) to explicitly declare it to false wherever privilege escalation is not needed.

Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
Arthur Silva Sens
2022-01-20 22:11:54 +00:00
committed by GitHub
parent f7d3019a8f
commit b60b302499
12 changed files with 48 additions and 1 deletions


@@ -172,6 +172,7 @@ function(params) {
} else { } else {
runAsNonRoot: true, runAsNonRoot: true,
runAsUser: 65534, runAsUser: 65534,
allowPrivilegeEscalation: false,
}, },
volumeMounts: [{ volumeMounts: [{
mountPath: '/etc/blackbox_exporter/', mountPath: '/etc/blackbox_exporter/',
@@ -188,7 +189,11 @@ function(params) {
'--volume-dir=/etc/blackbox_exporter/', '--volume-dir=/etc/blackbox_exporter/',
], ],
resources: bb._config.resources, resources: bb._config.resources,
securityContext: { runAsNonRoot: true, runAsUser: 65534 }, securityContext: {
runAsNonRoot: true,
runAsUser: 65534,
allowPrivilegeEscalation: false,
},
terminationMessagePath: '/dev/termination-log', terminationMessagePath: '/dev/termination-log',
terminationMessagePolicy: 'FallbackToLogsOnError', terminationMessagePolicy: 'FallbackToLogsOnError',
volumeMounts: [{ volumeMounts: [{
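Review bot: The securityContext that replaces the one-line `securityContext: { runAsNonRoot: true, runAsUser: 65534 }` now declares allowPrivilegeEscalation but still neither drops capabilities nor sets a seccomp profile, so the container remains short of the restricted Pod Security Standard; adding `capabilities: { drop: ['ALL'] },` and `seccompProfile: { type: 'RuntimeDefault' },` alongside the new field would close that gap. The same observation applies to every container touched in this commit, including the std.map overrides in the grafana and kube-state-metrics sections. Note also that the premise in the description is not accurate: Kubernetes does not default this field to false for unprivileged containers, and when it is unset the runtime does not apply no_new_privs, so this change is a genuine hardening rather than a purely declarative one and the commit message could say so. The enclosing function(params) body starts and ends outside the hunk.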


@@ -83,4 +83,20 @@ function(params)
}], }],
}, },
}, },
// FIXME(ArthurSens): The override adding 'allowPrivilegeEscalation: false' can be deleted when
// https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
deployment+: {
spec+: {
template+: {
spec+: {
containers: std.map(function(c) c {
securityContext+: {
allowPrivilegeEscalation: false,
},
}, super.containers),
},
},
},
},
} }


@@ -61,5 +61,6 @@ function(params) {
runAsUser: 65532, runAsUser: 65532,
runAsGroup: 65532, runAsGroup: 65532,
runAsNonRoot: true, runAsNonRoot: true,
allowPrivilegeEscalation: false,
}, },
} }


@@ -118,6 +118,8 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
image: ksm._config.kubeRbacProxyImage, image: ksm._config.kubeRbacProxyImage,
}), }),
// FIXME(ArthurSens): The override adding 'allowPrivilegeEscalation: false' can be deleted when
// https://github.com/kubernetes/kube-state-metrics/pull/1668 gets merged.
deployment+: { deployment+: {
spec+: { spec+: {
template+: { template+: {
@@ -133,6 +135,9 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
readinessProbe:: null, readinessProbe:: null,
args: ['--host=127.0.0.1', '--port=8081', '--telemetry-host=127.0.0.1', '--telemetry-port=8082'], args: ['--host=127.0.0.1', '--port=8081', '--telemetry-host=127.0.0.1', '--telemetry-port=8082'],
resources: ksm._config.resources, resources: ksm._config.resources,
securityContext+: {
allowPrivilegeEscalation: false,
},
}, super.containers) + [kubeRbacProxyMain, kubeRbacProxySelf], }, super.containers) + [kubeRbacProxyMain, kubeRbacProxySelf],
}, },
}, },
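Review bot: The FIXME explaining that the override can be removed once the upstream kube-state-metrics PR merges is attached to `deployment+: {`, but the override itself is the `securityContext+: { allowPrivilegeEscalation: false }` block fifteen lines further down inside the std.map over super.containers. Placing the comment directly above that `securityContext+:` line keeps the note with the code it describes and avoids it being orphaned the next time the deployment block is edited for unrelated reasons. The grafana section has the same comment placement issue. The enclosing function(params) body starts and ends outside the hunk.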


@@ -181,6 +181,9 @@ function(params) {
{ name: 'root', mountPath: '/host/root', mountPropagation: 'HostToContainer', readOnly: true }, { name: 'root', mountPath: '/host/root', mountPropagation: 'HostToContainer', readOnly: true },
], ],
resources: ne._config.resources, resources: ne._config.resources,
securityContext: {
allowPrivilegeEscalation: false,
},
}; };
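Review bot: The new `securityContext: { allowPrivilegeEscalation: false }` on this container declares nothing else, unlike the other containers in the commit that also carry runAsNonRoot and runAsUser; if the DaemonSet's pod-level securityContext does not already set those (not visible in this hunk), the same scanner's companion controls will still flag this container. Given the read-only host mounts it declares (`/host/root` with HostToContainer propagation), `readOnlyRootFilesystem: true` is presumably also safe to add here, provided the exporter does not write to its own root filesystem. The prometheus-adapter container in the next section has the same minimal securityContext. The enclosing local object definition starts outside the hunk.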
local kubeRbacProxy = krp({ local kubeRbacProxy = krp({


@@ -226,6 +226,9 @@ function(params) {
{ name: 'volume-serving-cert', mountPath: '/var/run/serving-cert', readOnly: false }, { name: 'volume-serving-cert', mountPath: '/var/run/serving-cert', readOnly: false },
{ name: 'config', mountPath: '/etc/adapter', readOnly: false }, { name: 'config', mountPath: '/etc/adapter', readOnly: false },
], ],
securityContext: {
allowPrivilegeEscalation: false,
},
}; };
{ {


@@ -42,6 +42,7 @@ spec:
cpu: 10m cpu: 10m
memory: 20Mi memory: 20Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true runAsNonRoot: true
runAsUser: 65534 runAsUser: 65534
volumeMounts: volumeMounts:
@@ -61,6 +62,7 @@ spec:
cpu: 10m cpu: 10m
memory: 20Mi memory: 20Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true runAsNonRoot: true
runAsUser: 65534 runAsUser: 65534
terminationMessagePath: /dev/termination-log terminationMessagePath: /dev/termination-log
@@ -87,6 +89,7 @@ spec:
cpu: 10m cpu: 10m
memory: 20Mi memory: 20Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
runAsGroup: 65532 runAsGroup: 65532
runAsNonRoot: true runAsNonRoot: true
runAsUser: 65532 runAsUser: 65532


@@ -45,6 +45,8 @@ spec:
requests: requests:
cpu: 100m cpu: 100m
memory: 100Mi memory: 100Mi
securityContext:
allowPrivilegeEscalation: false
volumeMounts: volumeMounts:
- mountPath: /var/lib/grafana - mountPath: /var/lib/grafana
name: grafana-storage name: grafana-storage


@@ -41,6 +41,7 @@ spec:
cpu: 10m cpu: 10m
memory: 190Mi memory: 190Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
runAsUser: 65534 runAsUser: 65534
- args: - args:
- --logtostderr - --logtostderr
@@ -60,6 +61,7 @@ spec:
cpu: 20m cpu: 20m
memory: 20Mi memory: 20Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
runAsGroup: 65532 runAsGroup: 65532
runAsNonRoot: true runAsNonRoot: true
runAsUser: 65532 runAsUser: 65532
@@ -81,6 +83,7 @@ spec:
cpu: 10m cpu: 10m
memory: 20Mi memory: 20Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
runAsGroup: 65532 runAsGroup: 65532
runAsNonRoot: true runAsNonRoot: true
runAsUser: 65532 runAsUser: 65532


@@ -43,6 +43,8 @@ spec:
requests: requests:
cpu: 102m cpu: 102m
memory: 180Mi memory: 180Mi
securityContext:
allowPrivilegeEscalation: false
volumeMounts: volumeMounts:
- mountPath: /host/sys - mountPath: /host/sys
mountPropagation: HostToContainer mountPropagation: HostToContainer
@@ -76,6 +78,7 @@ spec:
cpu: 10m cpu: 10m
memory: 20Mi memory: 20Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
runAsGroup: 65532 runAsGroup: 65532
runAsNonRoot: true runAsNonRoot: true
runAsUser: 65532 runAsUser: 65532


@@ -47,6 +47,8 @@ spec:
requests: requests:
cpu: 102m cpu: 102m
memory: 180Mi memory: 180Mi
securityContext:
allowPrivilegeEscalation: false
volumeMounts: volumeMounts:
- mountPath: /tmp - mountPath: /tmp
name: tmpfs name: tmpfs


@@ -61,6 +61,7 @@ spec:
cpu: 10m cpu: 10m
memory: 20Mi memory: 20Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
runAsGroup: 65532 runAsGroup: 65532
runAsNonRoot: true runAsNonRoot: true
runAsUser: 65532 runAsUser: 65532