diff --git a/Makefile b/Makefile
index ca1097efef1e04bb5edd805d05f4b96aac6a6942..85d2e87979b0ac898574f323a679a4b0484e5156 100644
--- a/Makefile
+++ b/Makefile
@@ -66,7 +66,7 @@ kubeconform: crdschemas manifests $(KUBECONFORM_BIN)
 
 .PHONY: kubescape
 kubescape: $(KUBESCAPE_BIN) ## Runs a security analysis on generated manifests - failing if risk score is above threshold percentage 't'
-	$(KUBESCAPE_BIN) scan -s framework -t 20 nsa manifests/*.yaml --exceptions 'kubescape-exceptions.json'
+	$(KUBESCAPE_BIN) scan -s framework -t 16 nsa manifests/*.yaml --exceptions 'kubescape-exceptions.json'
 
 .PHONY: fmt
 fmt: $(JSONNETFMT_BIN)
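Review bot: The fail threshold on the kubescape recipe line is a bare literal, so nothing records why 16 was chosen and the next tightening has to be found inside the command. A named variable with a one-line comment would make the ratchet visible, for example `KUBESCAPE_THRESHOLD := 16` with the recipe using `-t $(KUBESCAPE_THRESHOLD)`. Using `:=` rather than `?=` keeps a stray environment variable from loosening the gate in CI.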
diff --git a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
index 775e3c660e6abdfd3da4aefe333dd6af411cc6be..8a05beff286c1d8f4ae14724b8e3af9ee2242bb2 100644
--- a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
@@ -175,6 +175,7 @@ function(params) {
         runAsUser: 65534,
         allowPrivilegeEscalation: false,
         readOnlyRootFilesystem: true,
+        capabilities: { drop: ['ALL'] },
       },
       volumeMounts: [{
         mountPath: '/etc/blackbox_exporter/',
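Review bot: Dropping every capability on what appears to be the blackbox-exporter container (the first securityContext here) also removes NET_RAW, which the exporter's ICMP prober needs unless the node's `net.ipv4.ping_group_range` sysctl permits unprivileged ICMP sockets. With `runAsUser: 65534` and `allowPrivilegeEscalation: false` that path probably did not work before this change either, so this is a documentation gap rather than a regression. A comment next to the new line, such as `// ICMP modules need NET_RAW (or ping_group_range on the node); add it back via an override if you probe with ICMP`, would save users a debugging session. The second hunk in this file applies the same drop to another container in the pod, where no such caveat is apparent; both container objects start outside their hunks.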
@@ -196,6 +197,7 @@ function(params) {
         runAsUser: 65534,
         allowPrivilegeEscalation: false,
         readOnlyRootFilesystem: true,
+        capabilities: { drop: ['ALL'] },
       },
       terminationMessagePath: '/dev/termination-log',
       terminationMessagePolicy: 'FallbackToLogsOnError',
diff --git a/jsonnet/kube-prometheus/components/grafana.libsonnet b/jsonnet/kube-prometheus/components/grafana.libsonnet
index 5ce0bddede635502f826d41425d3147dbe813424..2ba9518c87d1134184860a214f9c0f2d8a342897 100644
--- a/jsonnet/kube-prometheus/components/grafana.libsonnet
+++ b/jsonnet/kube-prometheus/components/grafana.libsonnet
@@ -87,6 +87,7 @@ function(params)
     // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
     // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
     // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged.
+    // 'capabilities: { drop: ['ALL'] }' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/130 gets merged.
     deployment+: {
       spec+: {
         template+: {
@@ -95,6 +96,7 @@ function(params)
               securityContext+: {
                 allowPrivilegeEscalation: false,
                 readOnlyRootFilesystem: true,
+                capabilities: { drop: ['ALL'] },
               },
             }, super.containers),
           },
diff --git a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
index f852f143dd90bd229e0a47822a502d7f177cb6e9..bcc9f97f8f35660f484575308a22adfeb2f825dd 100644
--- a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
@@ -63,5 +63,6 @@ function(params) {
     runAsNonRoot: true,
     allowPrivilegeEscalation: false,
     readOnlyRootFilesystem: true,
+    capabilities: { drop: ['ALL'] },
   },
 }
diff --git a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
index 186069f5c9805c62a09f8a7fd56bea7a678cbfd7..cd925c0b82f240ab69ceb47c874d0fe0081c86db 100644
--- a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
@@ -118,6 +118,8 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
     image: ksm._config.kubeRbacProxyImage,
   }),
 
+  // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
+  // 'capabilities: { drop: ['ALL'] },' can be deleted when https://github.com/kubernetes/kube-state-metrics/pull/1674 gets merged.
   deployment+: {
     spec+: {
       template+: {
@@ -133,6 +135,9 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
             readinessProbe:: null,
             args: ['--host=127.0.0.1', '--port=8081', '--telemetry-host=127.0.0.1', '--telemetry-port=8082'],
             resources: ksm._config.resources,
+            securityContext+: {
+              capabilities: { drop: ['ALL'] },
+            },
           }, super.containers) + [kubeRbacProxyMain, kubeRbacProxySelf],
         },
       },
diff --git a/jsonnet/kube-prometheus/components/node-exporter.libsonnet b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
index a351bf4088770f80f308fe8303670b97335f55f9..c9dd2d2fc7c9c112b89b7f6ad9afd56b5ff3baa7 100644
--- a/jsonnet/kube-prometheus/components/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
@@ -184,6 +184,7 @@ function(params) {
       securityContext: {
         allowPrivilegeEscalation: false,
         readOnlyRootFilesystem: true,
+        capabilities: { drop: ['ALL'], add: ['CAP_SYS_TIME'] },
       },
     };
 
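Review bot: The capability added in the node-exporter securityContext is spelled `CAP_SYS_TIME`, but Kubernetes capability lists take the name without the `CAP_` prefix, and how a prefixed name is treated depends on the container runtime; `capabilities: { drop: ['ALL'], add: ['SYS_TIME'] },` is the portable form. SYS_TIME also permits setting the node's clock, so a comment naming the collector that needs it (presumably the time-related ones that call adjtimex, to be confirmed) would let a later reader judge whether the grant can be removed. The generated manifests/nodeExporter-daemonset.yaml carries the same prefixed name and would need regenerating. The enclosing object starts outside the hunk.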
diff --git a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
index aa1273620d9889933e44df12f0b1f524c9077e4b..b0cf3a4bddf294e5a9c188cb2f8191c18e97edd9 100644
--- a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
@@ -229,6 +229,7 @@ function(params) {
       securityContext: {
         allowPrivilegeEscalation: false,
         readOnlyRootFilesystem: true,
+        capabilities: { drop: ['ALL'] },
       },
     };
 
diff --git a/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet b/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
index b2e97acc67efde0c9237dacee584ebf6ef9b2130..b6139da1cb96cfc1af45918f4575a11893f1834e 100644
--- a/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
@@ -125,11 +125,17 @@ function(params)
       image: po._config.kubeRbacProxyImage,
     }),
 
+    // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
+    // 'capabilities: { drop: ['ALL'] },' can be deleted when https://github.com/prometheus-operator/prometheus-operator/pull/4546 gets merged.
     deployment+: {
       spec+: {
         template+: {
           spec+: {
-            containers+: [kubeRbacProxy],
+            containers: std.map(function(c) c {
+              securityContext+: {
+                capabilities: { drop: ['ALL'] },
+              },
+            }, super.containers) + [kubeRbacProxy],
           },
         },
       },
diff --git a/manifests/blackboxExporter-deployment.yaml b/manifests/blackboxExporter-deployment.yaml
index 13877adabf81aed53be7dc6f287110fba63ffc00..fed1d365dfbd890fed01a573e681d8057f852f55 100644
--- a/manifests/blackboxExporter-deployment.yaml
+++ b/manifests/blackboxExporter-deployment.yaml
@@ -43,6 +43,9 @@ spec:
             memory: 20Mi
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 65534
@@ -64,6 +67,9 @@ spec:
             memory: 20Mi
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 65534
@@ -92,6 +98,9 @@ spec:
             memory: 20Mi
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           readOnlyRootFilesystem: true
           runAsGroup: 65532
           runAsNonRoot: true
diff --git a/manifests/grafana-deployment.yaml b/manifests/grafana-deployment.yaml
index 10bd28b0d862bd1948baee683f6a40e01f8a147d..a25a6cba6ca408345d0a5980d778a58bc12ca061 100644
--- a/manifests/grafana-deployment.yaml
+++ b/manifests/grafana-deployment.yaml
@@ -47,6 +47,9 @@ spec:
             memory: 100Mi
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /var/lib/grafana
diff --git a/manifests/kubeStateMetrics-deployment.yaml b/manifests/kubeStateMetrics-deployment.yaml
index 365d56e8c417a6dea9dd844105ca228296ba8339..86ab4faa720ceabea75dbc478768f0fd868be199 100644
--- a/manifests/kubeStateMetrics-deployment.yaml
+++ b/manifests/kubeStateMetrics-deployment.yaml
@@ -43,6 +43,9 @@ spec:
             memory: 190Mi
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           readOnlyRootFilesystem: true
           runAsUser: 65534
       - args:
@@ -64,6 +67,9 @@ spec:
             memory: 20Mi
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           readOnlyRootFilesystem: true
           runAsGroup: 65532
           runAsNonRoot: true
@@ -87,6 +93,9 @@ spec:
             memory: 20Mi
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           readOnlyRootFilesystem: true
           runAsGroup: 65532
           runAsNonRoot: true
diff --git a/manifests/nodeExporter-daemonset.yaml b/manifests/nodeExporter-daemonset.yaml
index d5d386fe6252b4462370b78dc53cb8e8a7e47394..cec3b2654c123a266e9df77a68dda27d93d945fb 100644
--- a/manifests/nodeExporter-daemonset.yaml
+++ b/manifests/nodeExporter-daemonset.yaml
@@ -45,6 +45,11 @@ spec:
             memory: 180Mi
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - CAP_SYS_TIME
+            drop:
+            - ALL
           readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /host/sys
@@ -80,6 +85,9 @@ spec:
             memory: 20Mi
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           readOnlyRootFilesystem: true
           runAsGroup: 65532
           runAsNonRoot: true
diff --git a/manifests/prometheusAdapter-deployment.yaml b/manifests/prometheusAdapter-deployment.yaml
index 37337d82140914e1aff25109fc1c7fd9f2896d25..8f2eeae6bd12054c3f76a2f642d625740c1d13b7 100644
--- a/manifests/prometheusAdapter-deployment.yaml
+++ b/manifests/prometheusAdapter-deployment.yaml
@@ -49,6 +49,9 @@ spec:
             memory: 180Mi
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /tmp
diff --git a/manifests/prometheusOperator-deployment.yaml b/manifests/prometheusOperator-deployment.yaml
index aa9ac1aba51cd682d47b0cd9781bb414f738f0d9..10317204def0aa19e7361b9e95d172767ba8a4e8 100644
--- a/manifests/prometheusOperator-deployment.yaml
+++ b/manifests/prometheusOperator-deployment.yaml
@@ -44,6 +44,9 @@ spec:
             memory: 100Mi
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           readOnlyRootFilesystem: true
       - args:
         - --logtostderr
@@ -64,6 +67,9 @@ spec:
             memory: 20Mi
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           readOnlyRootFilesystem: true
           runAsGroup: 65532
           runAsNonRoot: true