Merge pull request #2178 from prometheus-operator/seccomp

Add securityContext items and add pod security labels

jsonnet/kube-prometheus/addons/pyrra.libsonnet

@@ -80,6 +80,9 @@
         securityContext: {
           allowPrivilegeEscalation: false,
           readOnlyRootFilesystem: true,
+          runAsNonRoot: true,
+          capabilities: { drop: ['ALL'] },
+          seccompProfile: { type: 'RuntimeDefault' },
         },
       };
 

jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet

@@ -63,5 +63,6 @@ function(params) {
     allowPrivilegeEscalation: false,
     readOnlyRootFilesystem: true,
     capabilities: { drop: ['ALL'] },
+    seccompProfile: { type: 'RuntimeDefault' },
   },
 }

jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet

@@ -280,7 +280,9 @@ function(params) {
       securityContext: {
         allowPrivilegeEscalation: false,
         readOnlyRootFilesystem: true,
+        runAsNonRoot: true,
         capabilities: { drop: ['ALL'] },
+        seccompProfile: { type: 'RuntimeDefault' },
       },
     };
 

jsonnet/kube-prometheus/main.libsonnet

@@ -150,6 +150,10 @@ local utils = import './lib/utils.libsonnet';
       kind: 'Namespace',
       metadata: {
         name: $.values.common.namespace,
+        labels: {
+          'pod-security.kubernetes.io/warn': 'privileged',
+          'pod-security.kubernetes.io/warn-version': 'latest',
+        },
       },
     },
   },

manifests/blackboxExporter-deployment.yaml

@@ -105,6 +105,8 @@ spec:
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
       nodeSelector:
         kubernetes.io/os: linux
       serviceAccountName: blackbox-exporter

manifests/kubeStateMetrics-deployment.yaml

@@ -76,6 +76,8 @@ spec:
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
       - args:
         - --secure-listen-address=:9443
         - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
@@ -101,6 +103,8 @@ spec:
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
       nodeSelector:
         kubernetes.io/os: linux
       serviceAccountName: kube-state-metrics

manifests/nodeExporter-daemonset.yaml

@@ -94,6 +94,8 @@ spec:
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
       hostNetwork: true
       hostPID: true
       nodeSelector:

manifests/prometheusAdapter-deployment.yaml

@@ -70,6 +70,9 @@ spec:
             drop:
             - ALL
           readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         startupProbe:
           failureThreshold: 18
           httpGet:

manifests/prometheusOperator-deployment.yaml

@@ -73,6 +73,8 @@ spec:
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
       nodeSelector:
         kubernetes.io/os: linux
       securityContext:

manifests/setup/namespace.yaml

@@ -1,4 +1,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
+  labels:
+    pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/warn-version: latest
   name: monitoring