From efe686c0c09efd920ff6d60461842a8a1e2c48d9 Mon Sep 17 00:00:00 2001
From: Max Inden <IndenML@gmail.com>
Date: Tue, 17 Jul 2018 15:11:46 +0200
Subject: [PATCH] security: Enforce nobody user and read only / (#1393)

* Make the Prometheus Operator Docker image run as `nobody` by default.
* Disallow privilege escalation via K8s
* Enforce read only root filesystem
---
 manifests/0prometheus-operator-deployment.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/manifests/0prometheus-operator-deployment.yaml b/manifests/0prometheus-operator-deployment.yaml
index faca5a84..5a193a35 100644
--- a/manifests/0prometheus-operator-deployment.yaml
+++ b/manifests/0prometheus-operator-deployment.yaml
@@ -18,6 +18,7 @@ spec:
       containers:
       - args:
         - --kubelet-service=kube-system/kubelet
+        - -logtostderr=true
         - --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
         - --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.22.0
         image: quay.io/coreos/prometheus-operator:v0.22.0
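Review bot: The new `-logtostderr=true` argument uses a single leading dash while every neighbouring flag in this args list uses two; Go's flag package accepts both forms, so it works, but for consistency write `- --logtostderr=true`. The commit subject and bullets describe only the security hardening, so this logging change is undocumented in the patch description and should either be mentioned there or split into its own commit.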
@@ -32,6 +33,9 @@ spec:
           requests:
             cpu: 100m
             memory: 50Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
       nodeSelector:
         beta.kubernetes.io/os: linux
       securityContext:
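Review bot: The container securityContext added here does not carry `runAsNonRoot: true`, so the `nobody` default described in the commit message is enforced only by the image's USER directive and not by the API server; an image or tag override would silently run as root. Unless the pod-level `securityContext:` on the hunk's last context line (whose body continues outside the hunk) already sets `runAsNonRoot`/`runAsUser`, add `runAsNonRoot: true` alongside `allowPrivilegeEscalation: false`. `readOnlyRootFilesystem: true` is the right hardening, but if the operator writes anything under `/tmp` or similar at runtime the container will now fail at that point; confirm no writable path is needed, or mount an `emptyDir` volume there.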
-- 
GitLab