From befa960a1e56c1d97b81b8a432464c9b19c7914e Mon Sep 17 00:00:00 2001
From: paulfantom <pawel@krupa.net.pl>
Date: Mon, 23 Nov 2020 11:26:47 +0100
Subject: [PATCH] jsonnet/kube-prometheus: kube-rbac-proxy should run as UID
 65532

---
 jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet  | 4 +++-
 .../kube-prometheus/node-exporter/node-exporter.libsonnet    | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet b/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
index fa85f0cf..724087d6 100644
--- a/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
+++ b/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
@@ -41,7 +41,9 @@
               { name: krp.config.kubeRbacProxy.securePortName, containerPort: krp.config.kubeRbacProxy.securePort },
             ],
             securityContext: {
-              runAsUser: 65534,
+              runAsUser: 65532,
+              runAsGroup: 65532,
+              runAsNonRoot: true,
             },
           }],
         },
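Review bot: The new `securityContext` pins the UID/GID and sets `runAsNonRoot`, but privilege escalation and Linux capabilities are left at their defaults, so a setuid or file-capability binary in the image could still gain privileges. Consider adding `allowPrivilegeEscalation: false,` and `capabilities: { drop: ['ALL'] },` after `runAsNonRoot: true,`. Dropping all capabilities is only safe if the secure port is unprivileged, which is not visible in this hunk. `readOnlyRootFilesystem: true,` is probably also viable if the proxy writes nothing to disk, but that needs confirming. The same gap applies to the `securityContext` added to the node-exporter kube-rbac-proxy container in the second hunk. The enclosing container definition starts outside this hunk.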
diff --git a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
index 2865deca..c2288ce7 100644
--- a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
@@ -103,6 +103,11 @@
           { name: 'https', containerPort: $._config.nodeExporter.port, hostPort: $._config.nodeExporter.port },
         ],
         resources: $._config.resources['kube-rbac-proxy'],
+        securityContext: {
+          runAsUser: 65532,
+          runAsGroup: 65532,
+          runAsNonRoot: true,
+        },
       };
 
       {
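Review bot: The literals `65532`/`65532`/`true` are repeated here instead of coming from one shared definition, so this copy and the one in `kube-rbac-proxy/container.libsonnet` can drift apart on the next change. Nothing records why 65532 was chosen; presumably it is the non-root user baked into the kube-rbac-proxy image, but the patch does not say so. A comment above `securityContext:` would help, for example `// UID/GID must match the non-root user of the kube-rbac-proxy image; keep in sync with kube-rbac-proxy/container.libsonnet`. Because `runAsNonRoot: true` makes the kubelet refuse to start a container that would run as UID 0, the comment could also mention that check, as it explains start-up failures after an image change. The enclosing object starts outside the hunk.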
-- 
GitLab