From cc29fc2bfd3ca9e5646621244bffea6c18750ae4 Mon Sep 17 00:00:00 2001
From: Matthias Loibl
Date: Mon, 7 Aug 2023 13:02:07 +0200
Subject: [PATCH] run make generate

---
 manifests/blackboxExporter-deployment.yaml | 2 ++
 manifests/kubeStateMetrics-deployment.yaml | 4 ++++
 manifests/nodeExporter-daemonset.yaml | 2 ++
 manifests/prometheusAdapter-deployment.yaml | 3 +++
 manifests/prometheusOperator-deployment.yaml | 2 ++
 manifests/setup/namespace.yaml | 3 +++
 6 files changed, 16 insertions(+)

diff --git a/manifests/blackboxExporter-deployment.yaml b/manifests/blackboxExporter-deployment.yaml
index 0f471c4e..3c3b61b0 100644
--- a/manifests/blackboxExporter-deployment.yaml
+++ b/manifests/blackboxExporter-deployment.yaml
@@ -105,6 +105,8 @@ spec:
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
 nodeSelector:
 kubernetes.io/os: linux
 serviceAccountName: blackbox-exporter
diff --git a/manifests/kubeStateMetrics-deployment.yaml b/manifests/kubeStateMetrics-deployment.yaml
index aa609edb..a8c62717 100644
--- a/manifests/kubeStateMetrics-deployment.yaml
+++ b/manifests/kubeStateMetrics-deployment.yaml
@@ -76,6 +76,8 @@ spec:
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
 - args:
 - --secure-listen-address=:9443
 - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
@@ -101,6 +103,8 @@ spec:
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
 nodeSelector:
 kubernetes.io/os: linux
 serviceAccountName: kube-state-metrics
diff --git a/manifests/nodeExporter-daemonset.yaml b/manifests/nodeExporter-daemonset.yaml
index 133afed5..0b37775a 100644
--- a/manifests/nodeExporter-daemonset.yaml
+++ b/manifests/nodeExporter-daemonset.yaml
@@ -94,6 +94,8 @@ spec:
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
 hostNetwork: true
 hostPID: true
 nodeSelector:
diff --git a/manifests/prometheusAdapter-deployment.yaml b/manifests/prometheusAdapter-deployment.yaml
index 09caa2d7..7c852d52 100644
--- a/manifests/prometheusAdapter-deployment.yaml
+++ b/manifests/prometheusAdapter-deployment.yaml
@@ -70,6 +70,9 @@ spec:
 drop:
 - ALL
 readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 startupProbe:
 failureThreshold: 18
 httpGet:
diff --git a/manifests/prometheusOperator-deployment.yaml b/manifests/prometheusOperator-deployment.yaml
index de65dcae..89a58ca0 100644
--- a/manifests/prometheusOperator-deployment.yaml
+++ b/manifests/prometheusOperator-deployment.yaml
@@ -73,6 +73,8 @@ spec:
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
 nodeSelector:
 kubernetes.io/os: linux
 securityContext:
diff --git a/manifests/setup/namespace.yaml b/manifests/setup/namespace.yaml
index d3252360..5ca07c8e 100644
--- a/manifests/setup/namespace.yaml
+++ b/manifests/setup/namespace.yaml
@@ -1,4 +1,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
+ labels:
+ pod-security.kubernetes.io/warn: privileged
+ pod-security.kubernetes.io/warn-version: latest
 name: monitoring
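Review bot: In the manifests/prometheusAdapter-deployment.yaml hunk, `runAsNonRoot: true` is added without a numeric `runAsUser`, whereas every other workload touched by this patch shows `runAsUser: 65532` and `runAsGroup: 65532` next to it. With `runAsNonRoot` alone the kubelet has to check the image's own user, and it refuses to start the container if the image runs as root or declares a non-numeric user name. Pin a numeric `runAsUser` (and `runAsGroup`) that matches the adapter image, as the sibling manifests do, or confirm the image already declares a numeric non-root user. The securityContext begins above the hunk, so a pod-level `runAsUser` may exist out of view; the commit subject suggests the file is generated, in which case the change belongs in the generator input.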
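Review bot: In manifests/setup/namespace.yaml, `pod-security.kubernetes.io/warn: privileged` selects the unrestricted Pod Security level, so the `monitoring` namespace never receives a Pod Security warning and any stricter cluster-wide warn default is overridden for it. If that exemption is intended (node-exporter in this patch runs with `hostNetwork: true` and `hostPID: true`, which the baseline level does not allow), say so next to the label, for example `# privileged: node-exporter needs hostNetwork/hostPID`. No `enforce` or `audit` label is set, so those modes still follow the cluster defaults; on a cluster that enforces baseline or restricted by default, node-exporter would be rejected at admission, which is worth stating in the same comment.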