diff --git a/jsonnet/kube-prometheus/addons/pyrra.libsonnet b/jsonnet/kube-prometheus/addons/pyrra.libsonnet
index 1980b22004202b6feb3956560808e5769f28b810..18621853bbdab1399af5199d94dbd4b96a04422c 100644
--- a/jsonnet/kube-prometheus/addons/pyrra.libsonnet
+++ b/jsonnet/kube-prometheus/addons/pyrra.libsonnet
@@ -80,6 +80,9 @@
securityContext: {
allowPrivilegeEscalation: false,
readOnlyRootFilesystem: true,
+ runAsNonRoot: true,
+ capabilities: { drop: ['ALL'] },
+ seccompProfile: { type: 'RuntimeDefault' },
},
};
diff --git a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
index bb1c15a2ef9c84939761b872a6bc7d4e338ac18f..7055c30890470920d3eb47b9aa4cf96f4998765a 100644
--- a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
@@ -63,5 +63,6 @@ function(params) {
allowPrivilegeEscalation: false,
readOnlyRootFilesystem: true,
capabilities: { drop: ['ALL'] },
+ seccompProfile: { type: 'RuntimeDefault' },
},
}
diff --git a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
index 78541d2c3d494bb19ff129078281c40d09962aba..af8172627b61124f1b70ef58d9005124a307d8c1 100644
--- a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
@@ -280,7 +280,9 @@ function(params) {
securityContext: {
allowPrivilegeEscalation: false,
readOnlyRootFilesystem: true,
+ runAsNonRoot: true,
capabilities: { drop: ['ALL'] },
+ seccompProfile: { type: 'RuntimeDefault' },
},
};
diff --git a/jsonnet/kube-prometheus/main.libsonnet b/jsonnet/kube-prometheus/main.libsonnet
index 3405c8f3e36c4c3a734b44a616ebbbc29b63f0b6..969a893b88396920802cbe198050525a04859e2a 100644
--- a/jsonnet/kube-prometheus/main.libsonnet
+++ b/jsonnet/kube-prometheus/main.libsonnet
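Review bot: The pyrra hunk adds `runAsNonRoot: true` without a `runAsUser`, so the kubelet can only satisfy it when the image's USER is a numeric non-root UID; with a root or name-only USER the container is rejected at start (CreateContainerConfigError) instead of quietly running as root, which is safe but will look like a broken rollout. The other components in this diff pin `runAsUser: 65532` and `runAsGroup: 65532` next to `runAsNonRoot`; unless pyrra's image is known to declare a numeric non-root UID, add `runAsUser: 65532,` and `runAsGroup: 65532,` here as well (a pod-level securityContext outside the hunk could also supply them — confirm). The prometheus-adapter hunk in this diff has the same gap, and its rendered manifests/prometheusAdapter-deployment.yaml hunk shows no runAsUser either. The enclosing object in both files continues outside the hunk.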
@@ -150,6 +150,10 @@ local utils = import './lib/utils.libsonnet';
kind: 'Namespace',
metadata: {
name: $.values.common.namespace,
+ labels: {
+ 'pod-security.kubernetes.io/warn': 'privileged',
+ 'pod-security.kubernetes.io/warn-version': 'latest',
+ },
},
},
},
diff --git a/manifests/blackboxExporter-deployment.yaml b/manifests/blackboxExporter-deployment.yaml
index 0f471c4e97e6670e1629b278749edc4b50f0f0ce..3c3b61b00db10378e606c457559a2d03a5e272f5 100644
--- a/manifests/blackboxExporter-deployment.yaml
+++ b/manifests/blackboxExporter-deployment.yaml
@@ -105,6 +105,8 @@ spec:
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: blackbox-exporter
diff --git a/manifests/kubeStateMetrics-deployment.yaml b/manifests/kubeStateMetrics-deployment.yaml
index aa609edb21898014424b129cea67afd299f67554..a8c62717c8af584ae21029b6fc431dafccc6a9ec 100644
--- a/manifests/kubeStateMetrics-deployment.yaml
+++ b/manifests/kubeStateMetrics-deployment.yaml
@@ -76,6 +76,8 @@ spec:
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
- args:
- --secure-listen-address=:9443
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
@@ -101,6 +103,8 @@ spec:
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: kube-state-metrics
diff --git a/manifests/nodeExporter-daemonset.yaml b/manifests/nodeExporter-daemonset.yaml
index 133afed558635d1449e9f821da1cc3fee6050bb1..0b37775aac19be4946bc849e1694ba3a913bc69a 100644
--- a/manifests/nodeExporter-daemonset.yaml
+++ b/manifests/nodeExporter-daemonset.yaml
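Review bot: The new `pod-security.kubernetes.io/warn` label in the main.libsonnet hunk is set to `privileged`, and the privileged Pod Security level permits everything, so in warn mode this label never emits a warning and does not surface any pod that would fail a stricter level. If the intent is early signal before tightening the namespace, `'pod-security.kubernetes.io/warn': 'baseline',` (or `'restricted'`) would provide it; the nodeExporter DaemonSet hunk in this diff keeps `hostNetwork: true` and `hostPID: true`, which baseline rejects, so a warning on that workload would be expected rather than a regression. If `privileged` is a deliberate, documented starting point, a one-line comment next to the label saying so would spare the next reader the same question. The enclosing `metadata` object continues outside the hunk, and the same value is rendered into the manifests/setup/namespace.yaml hunk.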
@@ -94,6 +94,8 @@ spec:
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
hostNetwork: true
hostPID: true
nodeSelector:
diff --git a/manifests/prometheusAdapter-deployment.yaml b/manifests/prometheusAdapter-deployment.yaml
index 09caa2d7f6a947d1eacd06dcc92a77b2a6f80bd1..7c852d529ba41f759f6f3b091359f15018c6f1c4 100644
--- a/manifests/prometheusAdapter-deployment.yaml
+++ b/manifests/prometheusAdapter-deployment.yaml
@@ -70,6 +70,9 @@ spec:
drop:
- ALL
readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
startupProbe:
failureThreshold: 18
httpGet:
diff --git a/manifests/prometheusOperator-deployment.yaml b/manifests/prometheusOperator-deployment.yaml
index de65dcae880aaa2930cff0c217f93b6e952d9414..89a58ca048b0f44cb9ebebd5f826c42d563309d7 100644
--- a/manifests/prometheusOperator-deployment.yaml
+++ b/manifests/prometheusOperator-deployment.yaml
@@ -73,6 +73,8 @@ spec:
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
nodeSelector:
kubernetes.io/os: linux
securityContext:
diff --git a/manifests/setup/namespace.yaml b/manifests/setup/namespace.yaml
index d32523606f28187cc65fbb56387a78011a1e9425..5ca07c8edcb33479ad5399607e409651e093ec9d 100644
--- a/manifests/setup/namespace.yaml
+++ b/manifests/setup/namespace.yaml
@@ -1,4 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
+ labels:
+ pod-security.kubernetes.io/warn: privileged
+ pod-security.kubernetes.io/warn-version: latest
name: monitoring