diff --git a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
index 5ec0e55f3393b1cc818937468d174705005091d0..775e3c660e6abdfd3da4aefe333dd6af411cc6be 100644
--- a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
@@ -169,10 +169,12 @@ function(params) {
 securityContext: if bb._config.privileged then {
 runAsNonRoot: false,
 capabilities: { drop: ['ALL'], add: ['NET_RAW'] },
+ readOnlyRootFilesystem: true,
 } else {
 runAsNonRoot: true,
 runAsUser: 65534,
 allowPrivilegeEscalation: false,
+ readOnlyRootFilesystem: true,
 },
 volumeMounts: [{
 mountPath: '/etc/blackbox_exporter/',
@@ -193,6 +195,7 @@ function(params) {
 runAsNonRoot: true,
 runAsUser: 65534,
 allowPrivilegeEscalation: false,
+ readOnlyRootFilesystem: true,
 },
 terminationMessagePath: '/dev/termination-log',
 terminationMessagePolicy: 'FallbackToLogsOnError',
diff --git a/jsonnet/kube-prometheus/components/grafana.libsonnet b/jsonnet/kube-prometheus/components/grafana.libsonnet
index ef9ff016e0a1a04ab11d08b44cbf950cd0fb2d83..5ce0bddede635502f826d41425d3147dbe813424 100644
--- a/jsonnet/kube-prometheus/components/grafana.libsonnet
+++ b/jsonnet/kube-prometheus/components/grafana.libsonnet
@@ -84,8 +84,9 @@ function(params)
 },
 },
 
- // FIXME(ArthurSens): The override adding 'allowPrivilegeEscalation: false' can be deleted when
- // https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
+ // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
+ // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
+ // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged.
 deployment+: {
 spec+: {
 template+: {
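Review bot: `readOnlyRootFilesystem: true` is now repeated in both arms of the `if bb._config.privileged` conditional although it does not depend on the branch; hoisting it, e.g. `securityContext: { readOnlyRootFilesystem: true } + (if bb._config.privileged then { ... } else { ... }),`, leaves the two arms carrying only what actually differs (the privileged arm keeps `runAsNonRoot: false` and `NET_RAW`). The hunk adds no writable scratch volume next to the new flag; the only mount visible is the config at `/etc/blackbox_exporter/`, which is fine read-only, but if this container or the one in the `@@ -193` hunk writes anywhere under its rootfs the pod will fail at runtime with a read-only-filesystem error, so the generated manifest deserves a smoke test and, where a scratch path is needed, an `emptyDir` mount. The same caveat applies to the kube-rbac-proxy hunk further down, which cannot show its volumes either. The enclosing container definition starts before this hunk and continues past it.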
@@ -93,6 +94,7 @@ function(params)
 containers: std.map(function(c) c {
 securityContext+: {
 allowPrivilegeEscalation: false,
+ readOnlyRootFilesystem: true,
 },
 }, super.containers),
 },
diff --git a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
index b63e9d1092ee6e678825b6ca637f9c0a86640ca4..f852f143dd90bd229e0a47822a502d7f177cb6e9 100644
--- a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
@@ -62,5 +62,6 @@ function(params) {
 runAsGroup: 65532,
 runAsNonRoot: true,
 allowPrivilegeEscalation: false,
+ readOnlyRootFilesystem: true,
 },
 }
diff --git a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
index c15605d3ca4fb847289af3886c50f00f3d0bc9f9..63c9bbf60b102b764950a9b1159e6ba38afadcd7 100644
--- a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
@@ -118,8 +118,9 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
 image: ksm._config.kubeRbacProxyImage,
 }),
 
- // FIXME(ArthurSens): The override adding 'allowPrivilegeEscalation: false' can be deleted when
- // https://github.com/kubernetes/kube-state-metrics/pull/1668 gets merged.
+ // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
+ // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/kubernetes/kube-state-metrics/pull/1668 gets merged.
+ // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/kubernetes/kube-state-metrics/pull/1671 gets merged.
 deployment+: {
 spec+: {
 template+: {
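Review bot: The `std.map` over `super.containers` applies `readOnlyRootFilesystem: true` to every container present in the Grafana deployment at this point of the mixin chain, not only to `grafana` itself, and nothing in the commit documents that blanket scope or that a container writing to its rootfs now needs its own `emptyDir`. A one-line comment above the map, `// Applies to every container in super.containers; a container that writes to its rootfs needs an emptyDir mount.`, would make that explicit, and the same applies to the kube-state-metrics map in the `@@ -137` hunk. Grafana's own data path appears covered by the `/var/lib/grafana` mount shown in the manifest hunk. The `containers` expression is complete in the hunk, but the enclosing `deployment+` object starts before it and closes after it.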
@@ -137,6 +138,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
 resources: ksm._config.resources,
 securityContext+: {
 allowPrivilegeEscalation: false,
+ readOnlyRootFilesystem: true,
 },
 }, super.containers) + [kubeRbacProxyMain, kubeRbacProxySelf],
 },
diff --git a/jsonnet/kube-prometheus/components/node-exporter.libsonnet b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
index 07661e9e77e14657962875511dd43b42738be5dc..a351bf4088770f80f308fe8303670b97335f55f9 100644
--- a/jsonnet/kube-prometheus/components/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
@@ -183,6 +183,7 @@ function(params) {
 resources: ne._config.resources,
 securityContext: {
 allowPrivilegeEscalation: false,
+ readOnlyRootFilesystem: true,
 },
 };
 
diff --git a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
index 3004bdf7c983ace9a313f167cdd8c6ed15bf9ba8..aa1273620d9889933e44df12f0b1f524c9077e4b 100644
--- a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
@@ -228,6 +228,7 @@ function(params) {
 ],
 securityContext: {
 allowPrivilegeEscalation: false,
+ readOnlyRootFilesystem: true,
 },
 };
 
diff --git a/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet b/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
index b2e97acc67efde0c9237dacee584ebf6ef9b2130..3ffdac24d47cc3c654d2e325e8f69a5e67d73148 100644
--- a/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
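Review bot: In the node-exporter hunk, `readOnlyRootFilesystem` hardens only the container's own root filesystem and says nothing about mounted volumes, yet the host mounts are where node-exporter's exposure lies (`/host/sys` with `mountPropagation: HostToContainer` is visible in the daemonset manifest hunk). Whether those volumeMounts carry `readOnly: true` cannot be confirmed from this hunk, so a comment beside the new field, `// Covers the container rootfs only; host path mounts are hardened via readOnly: true on the volumeMount.`, would keep a reader from assuming the flag protects the host. The `securityContext` object is complete in the hunk, but the container object it belongs to starts before it.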
@@ -125,11 +125,17 @@ function(params)
 image: po._config.kubeRbacProxyImage,
 }),
 
+ // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
+ // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/prometheus-operator/prometheus-operator/pull/4531 gets merged.
 deployment+: {
 spec+: {
 template+: {
 spec+: {
- containers+: [kubeRbacProxy],
+ containers: std.map(function(c) c {
+ securityContext+: {
+ readOnlyRootFilesystem: true,
+ },
+ }, super.containers) + [kubeRbacProxy],
 },
 },
 },
diff --git a/manifests/blackboxExporter-deployment.yaml b/manifests/blackboxExporter-deployment.yaml
index 8de0d1ef170e5dfce0fe156a76e67e68c2b0d843..13877adabf81aed53be7dc6f287110fba63ffc00 100644
--- a/manifests/blackboxExporter-deployment.yaml
+++ b/manifests/blackboxExporter-deployment.yaml
@@ -43,6 +43,7 @@ spec:
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 65534
 volumeMounts:
@@ -63,6 +64,7 @@ spec:
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 65534
 terminationMessagePath: /dev/termination-log
@@ -90,6 +92,7 @@ spec:
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
diff --git a/manifests/grafana-deployment.yaml b/manifests/grafana-deployment.yaml
index 186c2caaf5a144b7f6b39e813565dc0c3b6ccec1..10bd28b0d862bd1948baee683f6a40e01f8a147d 100644
--- a/manifests/grafana-deployment.yaml
+++ b/manifests/grafana-deployment.yaml
@@ -47,6 +47,7 @@ spec:
 memory: 100Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /var/lib/grafana
 name: grafana-storage
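Review bot: `kubeRbacProxy` is appended after the `std.map`, so the new override never touches it; its `readOnlyRootFilesystem` comes from the shared securityContext in kube-rbac-proxy.libsonnet (the `@@ -62` hunk), and the operator manifest hunk shows both containers ending up with the flag. That coupling belongs in the FIXME block so that whoever removes the override once prometheus-operator/pull/4531 merges does not assume it also covered the proxy: `// kubeRbacProxy is appended outside the map; its securityContext is owned by kube-rbac-proxy.libsonnet.`. Unlike the grafana and kube-state-metrics comments, this FIXME is silent on `allowPrivilegeEscalation`; the manifest hunk shows `allowPrivilegeEscalation: false` already present on the operator container, presumably from the upstream jsonnet, and a word to that effect would save the next reader a lookup. The `deployment+` object is complete in the hunk, but the surrounding `function(params)` object starts before it.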
diff --git a/manifests/kubeStateMetrics-deployment.yaml b/manifests/kubeStateMetrics-deployment.yaml
index 8982278882d07859e5b0f634fab855a47bb2bc4d..365d56e8c417a6dea9dd844105ca228296ba8339 100644
--- a/manifests/kubeStateMetrics-deployment.yaml
+++ b/manifests/kubeStateMetrics-deployment.yaml
@@ -43,6 +43,7 @@ spec:
 memory: 190Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsUser: 65534
 - args:
 - --logtostderr
@@ -63,6 +64,7 @@ spec:
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
@@ -85,6 +87,7 @@ spec:
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
diff --git a/manifests/nodeExporter-daemonset.yaml b/manifests/nodeExporter-daemonset.yaml
index 30285e5e881922f73abde751a8618f1c7a97fdf8..d5d386fe6252b4462370b78dc53cb8e8a7e47394 100644
--- a/manifests/nodeExporter-daemonset.yaml
+++ b/manifests/nodeExporter-daemonset.yaml
@@ -45,6 +45,7 @@ spec:
 memory: 180Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /host/sys
 mountPropagation: HostToContainer
@@ -79,6 +80,7 @@ spec:
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
diff --git a/manifests/prometheusAdapter-deployment.yaml b/manifests/prometheusAdapter-deployment.yaml
index f971b023e852d34a4c20dbfc9e443fc1b51c0bb6..37337d82140914e1aff25109fc1c7fd9f2896d25 100644
--- a/manifests/prometheusAdapter-deployment.yaml
+++ b/manifests/prometheusAdapter-deployment.yaml
@@ -49,6 +49,7 @@ spec:
 memory: 180Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 volumeMounts:
 - mountPath: /tmp
 name: tmpfs
diff --git a/manifests/prometheusOperator-deployment.yaml b/manifests/prometheusOperator-deployment.yaml
index 83221490e8e0c38ad301e0abdc95a0dcb910a409..915170fc7f980efe5ed854c4a52e039bad6caec7 100644
--- a/manifests/prometheusOperator-deployment.yaml
+++ b/manifests/prometheusOperator-deployment.yaml
@@ -44,6 +44,7 @@ spec:
 memory: 100Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 - args:
 - --logtostderr
 - --secure-listen-address=:8443
@@ -63,6 +64,7 @@ spec:
 memory: 20Mi
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532