diff --git a/Makefile b/Makefile
index 543aca7f709702265b3f5ef3e682021bf5e6d1d1..d328293925e837111d1798679d739a1e23642299 100644
--- a/Makefile
+++ b/Makefile
@@ -66,7 +66,7 @@ kubeconform: crdschemas manifests $(KUBECONFORM_BIN)
 
 .PHONY: kubescape
 kubescape: $(KUBESCAPE_BIN) ## Runs a security analysis on generated manifests - failing if risk score is above 40%
- $(KUBESCAPE_BIN) scan -s framework -t 40 nsa manifests/*.yaml
+ $(KUBESCAPE_BIN) scan -s framework -t 30 nsa manifests/*.yaml
 
 .PHONY: fmt
 fmt: $(JSONNETFMT_BIN)
diff --git a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
index 3272f391bc3b120977532405c7124603e34b76d1..5ec0e55f3393b1cc818937468d174705005091d0 100644
--- a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
@@ -172,6 +172,7 @@ function(params) {
 } else {
 runAsNonRoot: true,
 runAsUser: 65534,
+ allowPrivilegeEscalation: false,
 },
 volumeMounts: [{
 mountPath: '/etc/blackbox_exporter/',
@@ -188,7 +189,11 @@ function(params) {
 '--volume-dir=/etc/blackbox_exporter/',
 ],
 resources: bb._config.resources,
- securityContext: { runAsNonRoot: true, runAsUser: 65534 },
+ securityContext: {
+ runAsNonRoot: true,
+ runAsUser: 65534,
+ allowPrivilegeEscalation: false,
+ },
 terminationMessagePath: '/dev/termination-log',
 terminationMessagePolicy: 'FallbackToLogsOnError',
 volumeMounts: [{
diff --git a/jsonnet/kube-prometheus/components/grafana.libsonnet b/jsonnet/kube-prometheus/components/grafana.libsonnet
index a46b0845919625505b619dc9a1370856048717e5..ef9ff016e0a1a04ab11d08b44cbf950cd0fb2d83 100644
--- a/jsonnet/kube-prometheus/components/grafana.libsonnet
+++ b/jsonnet/kube-prometheus/components/grafana.libsonnet
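Review bot: The `##` help text on the `kubescape:` target still says the scan fails when the risk score is above 40%, while the recipe line below it now passes `-t 30`, so `make help` output and the actual gate disagree. Either update the comment to `kubescape: $(KUBESCAPE_BIN) ## Runs a security analysis on generated manifests - failing if risk score is above 30%` or move the number into a single make variable (a constructed example: `KUBESCAPE_THRESHOLD ?= 30`) that both the comment text and the `-t` flag reference, so the two cannot drift apart on the next tightening.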
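Review bot: In the first blackbox-exporter hunk (line 172) only the `else` branch of the `securityContext` conditional gains `allowPrivilegeEscalation: false`; the `if` branch is above the hunk and is not visible here, so whichever variant it produces (presumably the one used for privileged probes) keeps the Kubernetes default, which permits escalation. Unless that branch sets `privileged: true`, which forces the flag to true, the key could be placed outside the conditional so both variants carry it, e.g. `securityContext: { allowPrivilegeEscalation: false } + (if ... then { ... } else { ... })`. The second hunk (line 188), which looks like the config-reloader sidecar, is fully covered, so this gap only concerns the main container's conditional. Adding `capabilities: { drop: ['ALL'] }` to the non-privileged branch would also be a cheap complement to the new flag, but that is outside what this commit attempts.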
@@ -83,4 +83,20 @@ function(params)
 }],
 },
 },
+
+ // FIXME(ArthurSens): The override adding 'allowPrivilegeEscalation: false' can be deleted when
+ // https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
+ deployment+: {
+ spec+: {
+ template+: {
+ spec+: {
+ containers: std.map(function(c) c {
+ securityContext+: {
+ allowPrivilegeEscalation: false,
+ },
+ }, super.containers),
+ },
+ },
+ },
+ },
 }
diff --git a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
index d4a71914665f16f9f753675e82faa248dab2c42d..b63e9d1092ee6e678825b6ca637f9c0a86640ca4 100644
--- a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
@@ -61,5 +61,6 @@ function(params) {
 runAsUser: 65532,
 runAsGroup: 65532,
 runAsNonRoot: true,
+ allowPrivilegeEscalation: false,
 },
 }
diff --git a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
index 186069f5c9805c62a09f8a7fd56bea7a678cbfd7..c15605d3ca4fb847289af3886c50f00f3d0bc9f9 100644
--- a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
@@ -118,6 +118,8 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
 image: ksm._config.kubeRbacProxyImage,
 }),
 
+ // FIXME(ArthurSens): The override adding 'allowPrivilegeEscalation: false' can be deleted when
+ // https://github.com/kubernetes/kube-state-metrics/pull/1668 gets merged.
 deployment+: {
 spec+: {
 template+: {
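Review bot: The grafana override adds `allowPrivilegeEscalation: false` and nothing else, and the generated manifests show that for grafana, node-exporter and prometheus-adapter the resulting `securityContext:` block contains only that one key (manifests/grafana-deployment.yaml, nodeExporter-daemonset.yaml, prometheusAdapter-deployment.yaml), while kube-state-metrics' own container ends up with `runAsUser: 65534` but no `runAsNonRoot: true`. Unlike blackbox-exporter and kube-rbac-proxy in this same commit, those containers therefore still rely on the image's default user rather than on something the API server enforces at admission. If those images already run as a non-root user (not verifiable from the diff), the same overrides could carry `runAsNonRoot: true` next to the new key, which is what kubescape's NSA framework also looks for; the note applies equally to the node-exporter, prometheus-adapter and kube-state-metrics hunks further down.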
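Review bot: Setting the flag in kube-rbac-proxy.libsonnet propagates to every kube-rbac-proxy sidecar (the 65532 containers in the generated manifests), but manifests/prometheusOperator-deployment.yaml changes only in that sidecar's hunk, so the prometheus-operator container itself appears to keep the default, presumably because its container spec is imported from the operator's upstream jsonnet rather than defined in this repo. If that is the case it needs a `std.map` override like the grafana and kube-state-metrics ones, and the Prometheus and Alertmanager pods the operator creates are configured through their custom resources, which this diff does not touch; both are worth confirming before relying on the lowered kubescape threshold as evidence that the stack is covered. The enclosing `function(params)` object of this hunk starts and ends outside the visible lines.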
@@ -133,6 +135,9 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
 readinessProbe:: null,
 args: ['--host=127.0.0.1', '--port=8081', '--telemetry-host=127.0.0.1', '--telemetry-port=8082'],
 resources: ksm._config.resources,
+ securityContext+: {
+ allowPrivilegeEscalation: false,
+ },
 }, super.containers) + [kubeRbacProxyMain, kubeRbacProxySelf],
 },
 },
diff --git a/jsonnet/kube-prometheus/components/node-exporter.libsonnet b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
index 863cd12bf8e550f4438525f5822dc6d711d685a5..07661e9e77e14657962875511dd43b42738be5dc 100644
--- a/jsonnet/kube-prometheus/components/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
@@ -181,6 +181,9 @@ function(params) {
 { name: 'root', mountPath: '/host/root', mountPropagation: 'HostToContainer', readOnly: true },
 ],
 resources: ne._config.resources,
+ securityContext: {
+ allowPrivilegeEscalation: false,
+ },
 };
 
 local kubeRbacProxy = krp({
diff --git a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
index be633f0c5507e73452328fb5a012478e1bc41de8..3004bdf7c983ace9a313f167cdd8c6ed15bf9ba8 100644
--- a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
@@ -226,6 +226,9 @@ function(params) {
 { name: 'volume-serving-cert', mountPath: '/var/run/serving-cert', readOnly: false },
 { name: 'config', mountPath: '/etc/adapter', readOnly: false },
 ],
+ securityContext: {
+ allowPrivilegeEscalation: false,
+ },
 };
 
 {
diff --git a/manifests/blackboxExporter-deployment.yaml b/manifests/blackboxExporter-deployment.yaml
index e47166bdb4e6c7ab47c260199e964192949aa714..8de0d1ef170e5dfce0fe156a76e67e68c2b0d843 100644
--- a/manifests/blackboxExporter-deployment.yaml
+++ b/manifests/blackboxExporter-deployment.yaml
@@ -42,6 +42,7 @@ spec:
 cpu: 10m
 memory: 20Mi
 securityContext:
+ allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 65534
 volumeMounts:
@@ -61,6 +62,7 @@ spec:
 cpu: 10m
 memory: 20Mi
 securityContext:
+ allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 65534
 terminationMessagePath: /dev/termination-log
@@ -87,6 +89,7 @@ spec:
 cpu: 10m
 memory: 20Mi
 securityContext:
+ allowPrivilegeEscalation: false
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
diff --git a/manifests/grafana-deployment.yaml b/manifests/grafana-deployment.yaml
index d359cfe39a0e23a3aa6ca8e11fc0fd7164c4aef9..186c2caaf5a144b7f6b39e813565dc0c3b6ccec1 100644
--- a/manifests/grafana-deployment.yaml
+++ b/manifests/grafana-deployment.yaml
@@ -45,6 +45,8 @@ spec:
 requests:
 cpu: 100m
 memory: 100Mi
+ securityContext:
+ allowPrivilegeEscalation: false
 volumeMounts:
 - mountPath: /var/lib/grafana
 name: grafana-storage
diff --git a/manifests/kubeStateMetrics-deployment.yaml b/manifests/kubeStateMetrics-deployment.yaml
index 8a967425d80ce1a1039fe251add723d71e7c7a52..8982278882d07859e5b0f634fab855a47bb2bc4d 100644
--- a/manifests/kubeStateMetrics-deployment.yaml
+++ b/manifests/kubeStateMetrics-deployment.yaml
@@ -42,6 +42,7 @@ spec:
 cpu: 10m
 memory: 190Mi
 securityContext:
+ allowPrivilegeEscalation: false
 runAsUser: 65534
 - args:
 - --logtostderr
@@ -61,6 +62,7 @@ spec:
 cpu: 20m
 memory: 20Mi
 securityContext:
+ allowPrivilegeEscalation: false
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
@@ -82,6 +84,7 @@ spec:
 cpu: 10m
 memory: 20Mi
 securityContext:
+ allowPrivilegeEscalation: false
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
diff --git a/manifests/nodeExporter-daemonset.yaml b/manifests/nodeExporter-daemonset.yaml
index e3901b06f56152d965fb0e64f0de168d99964526..30285e5e881922f73abde751a8618f1c7a97fdf8 100644
--- a/manifests/nodeExporter-daemonset.yaml
+++ b/manifests/nodeExporter-daemonset.yaml
@@ -43,6 +43,8 @@ spec:
 requests:
 cpu: 102m
 memory: 180Mi
+ securityContext:
+ allowPrivilegeEscalation: false
 volumeMounts:
 - mountPath: /host/sys
 mountPropagation: HostToContainer
@@ -76,6 +78,7 @@ spec:
 cpu: 10m
 memory: 20Mi
 securityContext:
+ allowPrivilegeEscalation: false
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
diff --git a/manifests/prometheusAdapter-deployment.yaml b/manifests/prometheusAdapter-deployment.yaml
index 159ca06cd92a60935b44794ae25b1346bbaae560..f971b023e852d34a4c20dbfc9e443fc1b51c0bb6 100644
--- a/manifests/prometheusAdapter-deployment.yaml
+++ b/manifests/prometheusAdapter-deployment.yaml
@@ -47,6 +47,8 @@ spec:
 requests:
 cpu: 102m
 memory: 180Mi
+ securityContext:
+ allowPrivilegeEscalation: false
 volumeMounts:
 - mountPath: /tmp
 name: tmpfs
diff --git a/manifests/prometheusOperator-deployment.yaml b/manifests/prometheusOperator-deployment.yaml
index e3ea867ff9052f16336d3362da4420f7f40a1ab7..83221490e8e0c38ad301e0abdc95a0dcb910a409 100644
--- a/manifests/prometheusOperator-deployment.yaml
+++ b/manifests/prometheusOperator-deployment.yaml
@@ -62,6 +62,7 @@ spec:
 cpu: 10m
 memory: 20Mi
 securityContext:
+ allowPrivilegeEscalation: false
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532