From 546a2e6ac6f9ff5ff216a8edffc7f03a4a76577a Mon Sep 17 00:00:00 2001
From: Frederic Branczyk <fbranczyk@gmail.com>
Date: Mon, 22 Jan 2018 14:42:15 +0100
Subject: [PATCH] *: Use non-root
---
grafana-image/Dockerfile | 15 +++++++++++++++
grafana-image/Makefile | 2 ++
grafana-image/config.toml | 2 ++
.../templates/grafana-deployment-template.yaml | 7 +++++--
manifests/grafana/grafana-deployment.yaml | 7 +++++--
.../node-exporter/node-exporter-daemonset.yaml | 3 +++
6 files changed, 32 insertions(+), 4 deletions(-)
create mode 100644 grafana-image/Dockerfile
create mode 100644 grafana-image/Makefile
create mode 100644 grafana-image/config.toml
diff --git a/grafana-image/Dockerfile b/grafana-image/Dockerfile
new file mode 100644
index 00000000..bac01b59
--- /dev/null
+++ b/grafana-image/Dockerfile
@@ -0,0 +1,15 @@
+FROM debian:9.3-slim
+
+RUN apt-get update && apt-get install -qq -y wget tar sqlite && \
+ wget -O /tmp/grafana.tar.gz https://s3-us-west-2.amazonaws.com/grafana-releases/release/grafana-4.6.3.linux-x64.tar.gz && \
+ tar -zxvf /tmp/grafana.tar.gz -C /tmp && mv /tmp/grafana-4.6.3 /grafana && \
+ rm -rf /tmp/grafana.tar.gz
+
+ADD config.toml /grafana/conf/config.toml
+
+USER nobody
+EXPOSE 3000
+VOLUME [ "/data" ]
+WORKDIR /grafana
+ENTRYPOINT [ "/grafana/bin/grafana-server" ]
+CMD [ "-config=/grafana/conf/config.toml" ]
diff --git a/grafana-image/Makefile b/grafana-image/Makefile
new file mode 100644
index 00000000..12fc7b81
--- /dev/null
+++ b/grafana-image/Makefile
@@ -0,0 +1,2 @@
+container:
+ docker build . -t quay.io/coreos/monitoring-grafana:4.6.3-non-root
diff --git a/grafana-image/config.toml b/grafana-image/config.toml
new file mode 100644
index 00000000..7ed992c6
--- /dev/null
+++ b/grafana-image/config.toml
@@ -0,0 +1,2 @@
+[database]
+path = /data/grafana.db
diff --git a/hack/grafana-dashboards-configmap-generator/templates/grafana-deployment-template.yaml b/hack/grafana-dashboards-configmap-generator/templates/grafana-deployment-template.yaml
index 8a7b8c02..091d4e80 100644
--- a/hack/grafana-dashboards-configmap-generator/templates/grafana-deployment-template.yaml
+++ b/hack/grafana-dashboards-configmap-generator/templates/grafana-deployment-template.yaml
@@ -9,9 +9,12 @@ spec:
labels:
app: grafana
spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
containers:
- name: grafana
- image: grafana/grafana:4.6.3
+ image: quay.io/coreos/monitoring-grafana:4.6.3-non-root
env:
- name: GF_AUTH_BASIC_ENABLED
value: "true"
@@ -29,7 +32,7 @@ spec:
key: password
volumeMounts:
- name: grafana-storage
- mountPath: /var/grafana-storage
+ mountPath: /data
ports:
- name: web
containerPort: 3000
diff --git a/manifests/grafana/grafana-deployment.yaml b/manifests/grafana/grafana-deployment.yaml
index 29dd9022..d1b7c806 100644
--- a/manifests/grafana/grafana-deployment.yaml
+++ b/manifests/grafana/grafana-deployment.yaml
@@ -9,9 +9,12 @@ spec:
labels:
app: grafana
spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
containers:
- name: grafana
- image: grafana/grafana:4.6.3
+ image: quay.io/coreos/monitoring-grafana:4.6.3-non-root
env:
- name: GF_AUTH_BASIC_ENABLED
value: "true"
@@ -29,7 +32,7 @@ spec:
key: password
volumeMounts:
- name: grafana-storage
- mountPath: /var/grafana-storage
+ mountPath: /data
ports:
- name: web
containerPort: 3000
diff --git a/manifests/node-exporter/node-exporter-daemonset.yaml b/manifests/node-exporter/node-exporter-daemonset.yaml
index 250398bd..f92113e8 100644
--- a/manifests/node-exporter/node-exporter-daemonset.yaml
+++ b/manifests/node-exporter/node-exporter-daemonset.yaml
@@ -14,6 +14,9 @@ spec:
name: node-exporter
spec:
serviceAccountName: node-exporter
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
hostNetwork: true
hostPID: true
containers:
--
GitLab