From b60b302499b94eb80ccad2b1ec166c8f818c1868 Mon Sep 17 00:00:00 2001
From: Arthur Silva Sens <arthursens2005@gmail.com>
Date: Thu, 20 Jan 2022 22:11:54 +0000
Subject: [PATCH] Explicitly declare allowPrivilegeEscalation to false

Although containers that do not run as privileged already have this set to false by Kubernetes,
Kubescape [asks us](https://hub.armo.cloud/docs/c-0016) to explicitly declare it to false where not needed.

Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
---
 .../components/blackbox-exporter.libsonnet       |  7 ++++++-
 .../kube-prometheus/components/grafana.libsonnet | 16 ++++++++++++++++
 .../components/kube-rbac-proxy.libsonnet         |  1 +
 .../components/kube-state-metrics.libsonnet      |  5 +++++
 .../components/node-exporter.libsonnet           |  3 +++
 .../components/prometheus-adapter.libsonnet      |  3 +++
 manifests/blackboxExporter-deployment.yaml       |  3 +++
 manifests/grafana-deployment.yaml                |  2 ++
 manifests/kubeStateMetrics-deployment.yaml       |  3 +++
 manifests/nodeExporter-daemonset.yaml            |  3 +++
 manifests/prometheusAdapter-deployment.yaml      |  2 ++
 manifests/prometheusOperator-deployment.yaml     |  1 +
 12 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
index 3272f391..5ec0e55f 100644
--- a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
@@ -172,6 +172,7 @@ function(params) {
       } else {
         runAsNonRoot: true,
         runAsUser: 65534,
+        allowPrivilegeEscalation: false,
       },
       volumeMounts: [{
         mountPath: '/etc/blackbox_exporter/',
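Review bot: The explicit `allowPrivilegeEscalation: false` added to this `else` branch does more than the commit message suggests, because Kubernetes does not set the field to false when it is omitted: an unset field leaves `no_new_privs` off, so a process could still gain privileges through setuid binaries or file capabilities. The sibling `if` branch of this conditional, presumably the privileged configuration, starts outside the hunk, so I can't confirm from here that leaving it without the field is deliberate; if it is, a one-line comment such as `// Non-privileged path: pin allowPrivilegeEscalation; the privileged branch above is left unset on purpose.` would stop a later reader from "fixing" the asymmetry. The enclosing function(params) object continues outside the hunk.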
@@ -188,7 +189,11 @@ function(params) {
         '--volume-dir=/etc/blackbox_exporter/',
       ],
       resources: bb._config.resources,
-      securityContext: { runAsNonRoot: true, runAsUser: 65534 },
+      securityContext: {
+        runAsNonRoot: true,
+        runAsUser: 65534,
+        allowPrivilegeEscalation: false,
+      },
       terminationMessagePath: '/dev/termination-log',
       terminationMessagePolicy: 'FallbackToLogsOnError',
       volumeMounts: [{
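Review bot: The expanded `securityContext` for the config reloader now repeats the `else` branch of the exporter container's securityContext from the previous hunk field for field, so the two will drift the next time one of them gains a setting. A shared local defined once in the component, e.g. `local unprivilegedSecurityContext = { runAsNonRoot: true, runAsUser: 65534, allowPrivilegeEscalation: false };`, used both in that `else` branch and here would keep the exporter and the reloader in step. The enclosing function(params) object starts and ends outside the hunk.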
diff --git a/jsonnet/kube-prometheus/components/grafana.libsonnet b/jsonnet/kube-prometheus/components/grafana.libsonnet
index a46b0845..ef9ff016 100644
--- a/jsonnet/kube-prometheus/components/grafana.libsonnet
+++ b/jsonnet/kube-prometheus/components/grafana.libsonnet
@@ -83,4 +83,20 @@ function(params)
         }],
       },
     },
+
+    // FIXME(ArthurSens): The override adding 'allowPrivilegeEscalation: false' can be deleted when
+    // https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
+    deployment+: {
+      spec+: {
+        template+: {
+          spec+: {
+            containers: std.map(function(c) c {
+              securityContext+: {
+                allowPrivilegeEscalation: false,
+              },
+            }, super.containers),
+          },
+        },
+      },
+    },
   }
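Review bot: The FIXME at the top of the new `deployment+:` override ties its removal to the upstream pull request being merged, but since the override is layered on the kubernetes-grafana library the FIXME itself points at, it only becomes redundant once the pinned dependency is bumped to a version that contains that change. Rewording it to `// FIXME(ArthurSens): delete this override once kubernetes-grafana is bumped to a release containing https://github.com/brancz/kubernetes-grafana/pull/128.` avoids someone removing it on merge and silently losing the field in the generated manifest. The same wording applies to the FIXME added in the kube-state-metrics.libsonnet hunk at @@ -118, which points at a kube-state-metrics pull request in the same way. The enclosing function(params) object starts outside the hunk.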
diff --git a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
index d4a71914..b63e9d10 100644
--- a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
@@ -61,5 +61,6 @@ function(params) {
     runAsUser: 65532,
     runAsGroup: 65532,
     runAsNonRoot: true,
+    allowPrivilegeEscalation: false,
   },
 }
diff --git a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
index 186069f5..c15605d3 100644
--- a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
@@ -118,6 +118,8 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
     image: ksm._config.kubeRbacProxyImage,
   }),
 
+  // FIXME(ArthurSens): The override adding 'allowPrivilegeEscalation: false' can be deleted when
+  // https://github.com/kubernetes/kube-state-metrics/pull/1668 gets merged.
   deployment+: {
     spec+: {
       template+: {
@@ -133,6 +135,9 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
             readinessProbe:: null,
             args: ['--host=127.0.0.1', '--port=8081', '--telemetry-host=127.0.0.1', '--telemetry-port=8082'],
             resources: ksm._config.resources,
+            securityContext+: {
+              allowPrivilegeEscalation: false,
+            },
           }, super.containers) + [kubeRbacProxyMain, kubeRbacProxySelf],
         },
       },
diff --git a/jsonnet/kube-prometheus/components/node-exporter.libsonnet b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
index 863cd12b..07661e9e 100644
--- a/jsonnet/kube-prometheus/components/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
@@ -181,6 +181,9 @@ function(params) {
         { name: 'root', mountPath: '/host/root', mountPropagation: 'HostToContainer', readOnly: true },
       ],
       resources: ne._config.resources,
+      securityContext: {
+        allowPrivilegeEscalation: false,
+      },
     };
 
     local kubeRbacProxy = krp({
diff --git a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
index be633f0c..3004bdf7 100644
--- a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
@@ -226,6 +226,9 @@ function(params) {
         { name: 'volume-serving-cert', mountPath: '/var/run/serving-cert', readOnly: false },
         { name: 'config', mountPath: '/etc/adapter', readOnly: false },
       ],
+      securityContext: {
+        allowPrivilegeEscalation: false,
+      },
     };
 
     {
diff --git a/manifests/blackboxExporter-deployment.yaml b/manifests/blackboxExporter-deployment.yaml
index e47166bd..8de0d1ef 100644
--- a/manifests/blackboxExporter-deployment.yaml
+++ b/manifests/blackboxExporter-deployment.yaml
@@ -42,6 +42,7 @@ spec:
             cpu: 10m
             memory: 20Mi
         securityContext:
+          allowPrivilegeEscalation: false
           runAsNonRoot: true
           runAsUser: 65534
         volumeMounts:
@@ -61,6 +62,7 @@ spec:
             cpu: 10m
             memory: 20Mi
         securityContext:
+          allowPrivilegeEscalation: false
           runAsNonRoot: true
           runAsUser: 65534
         terminationMessagePath: /dev/termination-log
@@ -87,6 +89,7 @@ spec:
             cpu: 10m
             memory: 20Mi
         securityContext:
+          allowPrivilegeEscalation: false
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
diff --git a/manifests/grafana-deployment.yaml b/manifests/grafana-deployment.yaml
index 14cbaaea..b433ea61 100644
--- a/manifests/grafana-deployment.yaml
+++ b/manifests/grafana-deployment.yaml
@@ -45,6 +45,8 @@ spec:
           requests:
             cpu: 100m
             memory: 100Mi
+        securityContext:
+          allowPrivilegeEscalation: false
         volumeMounts:
         - mountPath: /var/lib/grafana
           name: grafana-storage
diff --git a/manifests/kubeStateMetrics-deployment.yaml b/manifests/kubeStateMetrics-deployment.yaml
index 77a7f2ce..c069b8ac 100644
--- a/manifests/kubeStateMetrics-deployment.yaml
+++ b/manifests/kubeStateMetrics-deployment.yaml
@@ -41,6 +41,7 @@ spec:
             cpu: 10m
             memory: 190Mi
         securityContext:
+          allowPrivilegeEscalation: false
           runAsUser: 65534
       - args:
         - --logtostderr
@@ -60,6 +61,7 @@ spec:
             cpu: 20m
             memory: 20Mi
         securityContext:
+          allowPrivilegeEscalation: false
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
@@ -81,6 +83,7 @@ spec:
             cpu: 10m
             memory: 20Mi
         securityContext:
+          allowPrivilegeEscalation: false
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
diff --git a/manifests/nodeExporter-daemonset.yaml b/manifests/nodeExporter-daemonset.yaml
index e3901b06..30285e5e 100644
--- a/manifests/nodeExporter-daemonset.yaml
+++ b/manifests/nodeExporter-daemonset.yaml
@@ -43,6 +43,8 @@ spec:
           requests:
             cpu: 102m
             memory: 180Mi
+        securityContext:
+          allowPrivilegeEscalation: false
         volumeMounts:
         - mountPath: /host/sys
           mountPropagation: HostToContainer
@@ -76,6 +78,7 @@ spec:
             cpu: 10m
             memory: 20Mi
         securityContext:
+          allowPrivilegeEscalation: false
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
diff --git a/manifests/prometheusAdapter-deployment.yaml b/manifests/prometheusAdapter-deployment.yaml
index 159ca06c..f971b023 100644
--- a/manifests/prometheusAdapter-deployment.yaml
+++ b/manifests/prometheusAdapter-deployment.yaml
@@ -47,6 +47,8 @@ spec:
           requests:
             cpu: 102m
             memory: 180Mi
+        securityContext:
+          allowPrivilegeEscalation: false
         volumeMounts:
         - mountPath: /tmp
           name: tmpfs
diff --git a/manifests/prometheusOperator-deployment.yaml b/manifests/prometheusOperator-deployment.yaml
index 1a10d66d..fa89a727 100644
--- a/manifests/prometheusOperator-deployment.yaml
+++ b/manifests/prometheusOperator-deployment.yaml
@@ -61,6 +61,7 @@ spec:
             cpu: 10m
             memory: 20Mi
         securityContext:
+          allowPrivilegeEscalation: false
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
-- 
GitLab