diff --git a/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet b/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet
index e109b0adf7294867cf60b9a4650acce676c66ba4..347d9a3cbdec9951e2f12cd2d67f9f7f1d9294c6 100644
--- a/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet
+++ b/jsonnet/kube-prometheus/alertmanager/alertmanager.libsonnet
@@ -113,6 +113,11 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
baseImage: $._config.imageRepos.alertmanager,
nodeSelector: { 'beta.kubernetes.io/os': 'linux' },
serviceAccountName: 'alertmanager-' + $._config.alertmanager.name,
+ securityContext: {
+ runAsUser: 1000,
+ runAsNonRoot: true,
+ fsGroup: 2000,
+ },
},
},
},
diff --git a/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet b/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet
index 8d19c4563b05f065bc7bc9b30b588dc60850c8d8..c745f1c46f47af07e2b0218ffc3bb35b1e04dab1 100644
--- a/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet
+++ b/jsonnet/kube-prometheus/prometheus/prometheus.libsonnet
@@ -40,7 +40,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
service.new('prometheus-' + $._config.prometheus.name, { app: 'prometheus', prometheus: $._config.prometheus.name }, prometheusPort) +
service.mixin.metadata.withNamespace($._config.namespace) +
service.mixin.metadata.withLabels({ prometheus: $._config.prometheus.name }),
- [if $._config.prometheus.rules != null && $._config.prometheus.rules != {} then "rules"]:
+ [if $._config.prometheus.rules != null && $._config.prometheus.rules != {} then 'rules']:
{
apiVersion: 'monitoring.coreos.com/v1',
kind: 'PrometheusRule',
@@ -185,6 +185,11 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
},
],
},
+ securityContext: {
+ runAsUser: 1000,
+ runAsNonRoot: true,
+ fsGroup: 2000,
+ },
},
},
serviceMonitor: