From c4561b320640fe678f2c5eaf51a1444f51ad8e66 Mon Sep 17 00:00:00 2001
From: Latch Mihay <9117804+latchmihay@users.noreply.github.com>
Date: Wed, 18 Mar 2020 02:52:26 -0400
Subject: [PATCH] adding security context to kube-rbac-proxy (#450)

* adding security context to kube-rbac-proxy

* make clean generate-in-docker

* Revert "make clean generate-in-docker"

This reverts commit ed136f1e37fde3289b9560493a585c6edefaba94.

* make clean generate-in-docker

Co-authored-by: Latch M <latch_mihaylov@homedepot.com>
---
 jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet | 1 +
 manifests/kube-state-metrics-deployment.yaml                | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet b/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
index 8f70486c..c5934732 100644
--- a/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
+++ b/jsonnet/kube-prometheus/kube-rbac-proxy/container.libsonnet
@@ -35,6 +35,7 @@ local containerPort = container.portsType;
         spec+: {
           containers+: [
             container.new(krp.config.kubeRbacProxy.name, krp.config.kubeRbacProxy.image) +
+            container.mixin.securityContext.withRunAsUser(65534) +	    
             container.withArgs([
               '--logtostderr',
               '--secure-listen-address=' + krp.config.kubeRbacProxy.secureListenAddress,
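Review bot: The added `container.mixin.securityContext.withRunAsUser(65534) +` line pins only the UID, so nothing in the container spec makes the kubelet refuse to start the proxy as root if that value is later overridden or dropped. The remaining securityContext fields also stay at their defaults. I would chain `container.mixin.securityContext.withRunAsNonRoot(true) +` and `container.mixin.securityContext.withAllowPrivilegeEscalation(false) +` right after it; a read-only root filesystem is probably also viable for this sidecar, but that needs checking against the image. The added line also ends in a stray tab and spaces that should be trimmed, and a short comment such as `// 65534 = nobody; kube-rbac-proxy needs no root privileges` would explain the magic number. The `container.new(...)` expression continues past the end of this hunk.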
diff --git a/manifests/kube-state-metrics-deployment.yaml b/manifests/kube-state-metrics-deployment.yaml
index 7fdfc6f3..325e24b7 100644
--- a/manifests/kube-state-metrics-deployment.yaml
+++ b/manifests/kube-state-metrics-deployment.yaml
@@ -37,6 +37,8 @@ spec:
         ports:
         - containerPort: 8443
           name: https-main
+        securityContext:
+          runAsUser: 65534
       - args:
         - --logtostderr
         - --secure-listen-address=:9443
@@ -47,6 +49,8 @@ spec:
         ports:
         - containerPort: 9443
           name: https-self
+        securityContext:
+          runAsUser: 65534
       nodeSelector:
         kubernetes.io/os: linux
       serviceAccountName: kube-state-metrics
-- 
GitLab