mirrors/kube-prometheus
1
0
Fork 0
mirror of https://github.com/prometheus-operator/kube-prometheus.git synced 2025-10-29 15:11:02 +01:00
Code Issues Projects Releases Wiki Activity

disable injecting unnecessary variables allowing access to k8s API

Browse Source
This commit is contained in:
Paweł Krupa (paulfantom) 2022-02-04 14:08:52 +01:00
parent f51e9b14e9
commit 3429bc77a4
8 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
jsonnet/kube-prometheus/components/alertmanager.libsonnet
View File

@ -121,6 +121,7 @@ function(params) {
apiVersion: 'v1',
kind: 'ServiceAccount',
metadata: am._metadata,
automountServiceAccountToken: false,
},
service: {

2
jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
View File

@ -115,6 +115,7 @@ function(params) {
apiVersion: 'v1',
kind: 'ServiceAccount',
metadata: bb._metadata,
automountServiceAccountToken: false,
},
clusterRole: {
@ -238,6 +239,7 @@ function(params) {
spec: {
containers: [blackboxExporter, reloader, kubeRbacProxy],
nodeSelector: { 'kubernetes.io/os': 'linux' },
automountServiceAccountToken: true,
serviceAccountName: 'blackbox-exporter',
volumes: [{
name: 'config',

2
jsonnet/kube-prometheus/components/grafana.libsonnet
View File

@ -88,10 +88,12 @@ function(params)
// 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
// 'readOnlyRootFilesystem: true' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged.
// 'capabilities: { drop: ['ALL'] }' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/130 gets merged.
// FIXME(paulfantom): `automountServiceAccountToken` can be removed after porting to brancz/kuberentes-grafana
deployment+: {
spec+: {
template+: {
spec+: {
automountServiceAccountToken: false,
containers: std.map(function(c) c {
securityContext+: {
allowPrivilegeEscalation: false,

1
jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
View File

@ -129,6 +129,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
},
},
spec+: {
automountServiceAccountToken: true,
containers: std.map(function(c) c {
ports:: null,
livenessProbe:: null,

2
jsonnet/kube-prometheus/components/node-exporter.libsonnet
View File

@ -114,6 +114,7 @@ function(params) {
apiVersion: 'v1',
kind: 'ServiceAccount',
metadata: ne._metadata,
automountServiceAccountToken: false,
},
service: {
@ -240,6 +241,7 @@ function(params) {
{ name: 'sys', hostPath: { path: '/sys' } },
{ name: 'root', hostPath: { path: '/' } },
],
automountServiceAccountToken: true,
serviceAccountName: ne._config.name,
securityContext: {
runAsUser: 65534,

2
jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
View File

@ -253,6 +253,7 @@ function(params) {
spec: {
containers: [c],
serviceAccountName: $.serviceAccount.metadata.name,
automountServiceAccountToken: true,
nodeSelector: { 'kubernetes.io/os': 'linux' },
volumes: [
{ name: 'tmpfs', emptyDir: {} },
@ -268,6 +269,7 @@ function(params) {
apiVersion: 'v1',
kind: 'ServiceAccount',
metadata: pa._metadata,
automountServiceAccountToken: false,
},
clusterRole: {

1
jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
View File

@ -131,6 +131,7 @@ function(params)
spec+: {
template+: {
spec+: {
automountServiceAccountToken: true,
containers: std.map(function(c) c {
securityContext+: {
capabilities: { drop: ['ALL'] },

1
jsonnet/kube-prometheus/components/prometheus.libsonnet
View File

@ -98,6 +98,7 @@ function(params) {
apiVersion: 'v1',
kind: 'ServiceAccount',
metadata: p._metadata,
automountServiceAccountToken: false,
},
service: {