easylinux/kube-prometheus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: Enforce nobody user and read only / (#1393)

Browse Source 
* Make the Prometheus Operator Docker image run as `nobody` by default.
* Disallow privilege escalation via K8s
* Enforce read only root filesystem
This commit is contained in:
Max Inden
2018-07-17 15:11:46 +02:00
committed by GitHub
parent dabfca595b
commit efe686c0c0
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
manifests/0prometheus-operator-deployment.yaml
View File

@@ -18,6 +18,7 @@ spec:
containers: containers:
- args: - args:
- --kubelet-service=kube-system/kubelet - --kubelet-service=kube-system/kubelet
- -logtostderr=true
- --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1 - --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
- --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.22.0 - --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.22.0
image: quay.io/coreos/prometheus-operator:v0.22.0 image: quay.io/coreos/prometheus-operator:v0.22.0
@@ -32,6 +33,9 @@ spec:
requests: requests:
cpu: 100m cpu: 100m
memory: 50Mi memory: 50Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
nodeSelector: nodeSelector:
beta.kubernetes.io/os: linux beta.kubernetes.io/os: linux
securityContext: securityContext: