diff --git a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
index 5ec0e55f..775e3c66 100644
--- a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
@@ -169,10 +169,12 @@ function(params) {
 securityContext: if bb._config.privileged then {
 runAsNonRoot: false,
 capabilities: { drop: ['ALL'], add: ['NET_RAW'] },
+ readOnlyRootFilesystem: true,
 } else {
 runAsNonRoot: true,
 runAsUser: 65534,
 allowPrivilegeEscalation: false,
+ readOnlyRootFilesystem: true,
 },
 volumeMounts: [{
 mountPath: '/etc/blackbox_exporter/',
@@ -193,6 +195,7 @@ function(params) {
 runAsNonRoot: true,
 runAsUser: 65534,
 allowPrivilegeEscalation: false,
+ readOnlyRootFilesystem: true,
 },
 terminationMessagePath: '/dev/termination-log',
 terminationMessagePolicy: 'FallbackToLogsOnError',
diff --git a/jsonnet/kube-prometheus/components/grafana.libsonnet b/jsonnet/kube-prometheus/components/grafana.libsonnet
index ef9ff016..5ce0bdde 100644
--- a/jsonnet/kube-prometheus/components/grafana.libsonnet
+++ b/jsonnet/kube-prometheus/components/grafana.libsonnet
@@ -84,8 +84,9 @@ function(params)
 },
 },
- // FIXME(ArthurSens): The override adding 'allowPrivilegeEscalation: false' can be deleted when
- // https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
+ // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
+ // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
+ // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged.
 deployment+: {
 spec+: {
 template+: {
@@ -93,6 +94,7 @@ function(params)
 containers: std.map(function(c) c {
 securityContext+: {
 allowPrivilegeEscalation: false,
+ readOnlyRootFilesystem: true,
 },
 }, super.containers),
 },
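Review bot: In the first blackbox-exporter hunk the privileged branch gains `readOnlyRootFilesystem: true` but still lacks `allowPrivilegeEscalation: false,`, which the `else` branch and the second hunk both set; that flag (no_new_privs) is independent of the NET_RAW capability added via `capabilities`, so it can most likely be set in both branches unless the privileged mode relies on a setuid helper, which I cannot confirm from here. Since `readOnlyRootFilesystem: true` is now duplicated in both arms of the `if`, the shared keys could instead be hoisted into a common object merged with the branch-specific part, e.g. `securityContext: { readOnlyRootFilesystem: true } + (if bb._config.privileged then { ... } else { ... }),`, so the next hardening field is added once. The enclosing container definition starts before and ends after this hunk.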
diff --git a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
index b63e9d10..f852f143 100644
--- a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
@@ -62,5 +62,6 @@ function(params) {
 runAsGroup: 65532,
 runAsNonRoot: true,
 allowPrivilegeEscalation: false,
+ readOnlyRootFilesystem: true,
 },
 }
diff --git a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
index c15605d3..63c9bbf6 100644
--- a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
@@ -118,8 +118,9 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
 image: ksm._config.kubeRbacProxyImage,
 }),
- // FIXME(ArthurSens): The override adding 'allowPrivilegeEscalation: false' can be deleted when
- // https://github.com/kubernetes/kube-state-metrics/pull/1668 gets merged.
+ // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
+ // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/kubernetes/kube-state-metrics/pull/1668 gets merged.
+ // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/kubernetes/kube-state-metrics/pull/1671 gets merged.
 deployment+: {
 spec+: {
 template+: {
@@ -137,6 +138,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
 resources: ksm._config.resources,
 securityContext+: {
 allowPrivilegeEscalation: false,
+ readOnlyRootFilesystem: true,
 },
 }, super.containers) + [kubeRbacProxyMain, kubeRbacProxySelf],
 },
diff --git a/jsonnet/kube-prometheus/components/node-exporter.libsonnet b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
index 07661e9e..a351bf40 100644
--- a/jsonnet/kube-prometheus/components/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
@@ -183,6 +183,7 @@ function(params) {
 resources: ne._config.resources,
 securityContext: {
 allowPrivilegeEscalation: false,
+ readOnlyRootFilesystem: true,
 },
 };
diff --git a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
index 3004bdf7..aa127362 100644
--- a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
@@ -228,6 +228,7 @@ function(params) {
 ],
 securityContext: {
 allowPrivilegeEscalation: false,
+ readOnlyRootFilesystem: true,
 },
 };
diff --git a/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet b/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
index b2e97acc..3ffdac24 100644
--- a/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
@@ -125,11 +125,17 @@ function(params)
 image: po._config.kubeRbacProxyImage,
 }),
+ // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
+ // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/prometheus-operator/prometheus-operator/pull/4531 gets merged.
 deployment+: {
 spec+: {
 template+: {
 spec+: {
- containers+: [kubeRbacProxy],
+ containers: std.map(function(c) c {
+ securityContext+: {
+ readOnlyRootFilesystem: true,
+ },
+ }, super.containers) + [kubeRbacProxy],
 },
 },
 },
diff --git a/manifests/blackboxExporter-deployment.yaml b/manifests/blackboxExporter-deployment.yaml
index 8de0d1ef..13877ada 100644
--- a/manifests/blackboxExporter-deployment.yaml
+++ b/manifests/blackboxExporter-deployment.yaml
@@ -43,6 +43,7 @@ spec:
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 65534
 volumeMounts:
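Review bot: The prometheus-operator hunk turns `readOnlyRootFilesystem: true` on for every upstream container via `std.map` over `super.containers`, but unlike the prometheus-adapter manifest (which mounts a tmpfs at `/tmp`) no writable volume is visible for the operator container here or in its generated manifest, so if the operator writes anything to its root filesystem at runtime this will surface only as a crash-loop after deploy; I cannot tell from the hunk whether it does, so this is worth confirming on a test cluster before merge. The appended `kubeRbacProxy` container is deliberately outside the map and instead inherits the flag from the kube-rbac-proxy.libsonnet hunk, which would be worth stating in the new FIXME comment, e.g. `// kubeRbacProxy already sets readOnlyRootFilesystem in kube-rbac-proxy.libsonnet, so it is appended after the map.` The enclosing `deployment+:` override continues past the end of the hunk.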
@@ -63,6 +64,7 @@ spec:
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 65534
 terminationMessagePath: /dev/termination-log
@@ -90,6 +92,7 @@ spec:
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
diff --git a/manifests/grafana-deployment.yaml b/manifests/grafana-deployment.yaml
index 186c2caa..10bd28b0 100644
--- a/manifests/grafana-deployment.yaml
+++ b/manifests/grafana-deployment.yaml
@@ -47,6 +47,7 @@ spec:
 memory: 100Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /var/lib/grafana
 name: grafana-storage
diff --git a/manifests/kubeStateMetrics-deployment.yaml b/manifests/kubeStateMetrics-deployment.yaml
index 89822788..365d56e8 100644
--- a/manifests/kubeStateMetrics-deployment.yaml
+++ b/manifests/kubeStateMetrics-deployment.yaml
@@ -43,6 +43,7 @@ spec:
 memory: 190Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsUser: 65534
 - args:
 - --logtostderr
@@ -63,6 +64,7 @@ spec:
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
@@ -85,6 +87,7 @@ spec:
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
diff --git a/manifests/nodeExporter-daemonset.yaml b/manifests/nodeExporter-daemonset.yaml
index 30285e5e..d5d386fe 100644
--- a/manifests/nodeExporter-daemonset.yaml
+++ b/manifests/nodeExporter-daemonset.yaml
@@ -45,6 +45,7 @@ spec:
 memory: 180Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /host/sys
 mountPropagation: HostToContainer
@@ -79,6 +80,7 @@ spec:
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
diff --git a/manifests/prometheusAdapter-deployment.yaml b/manifests/prometheusAdapter-deployment.yaml
index f971b023..37337d82 100644
--- a/manifests/prometheusAdapter-deployment.yaml
+++ b/manifests/prometheusAdapter-deployment.yaml
@@ -49,6 +49,7 @@ spec:
 memory: 180Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /tmp
 name: tmpfs
diff --git a/manifests/prometheusOperator-deployment.yaml b/manifests/prometheusOperator-deployment.yaml
index 83221490..915170fc 100644
--- a/manifests/prometheusOperator-deployment.yaml
+++ b/manifests/prometheusOperator-deployment.yaml
@@ -44,6 +44,7 @@ spec:
 memory: 100Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 - args:
 - --logtostderr
 - --secure-listen-address=:8443
@@ -63,6 +64,7 @@ spec:
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532