From f25e45851515b64f993a6d251de7fdcbe4f3ebba Mon Sep 17 00:00:00 2001
From: Rahul Khiyani
Date: Mon, 18 Mar 2019 12:52:23 -0400
Subject: [PATCH] Prometheus: Add pod/container security context

This updates the prometheus chart to include the pod security context on the pod template. This changes the pod's user from root to the nobody user instead This also adds the container security context to explicitly set allowPrivilegeEscalation to false and readOnlyRootFilesystem to true

Change-Id: I2a3a4b77d9b25c086dc23b4fd66dca92872c422d
---
 prometheus/templates/statefulset.yaml | 8 ++++----
 prometheus/values.yaml | 12 ++++++++++++
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/prometheus/templates/statefulset.yaml b/prometheus/templates/statefulset.yaml
index 468451ee0b..d31f6e9b4c 100644
--- a/prometheus/templates/statefulset.yaml
+++ b/prometheus/templates/statefulset.yaml
@@ -88,8 +88,7 @@ spec:
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
-      securityContext:
-        readOnlyRootFilesystem: true
+{{ dict "envAll" $envAll "application" "prometheus" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
       affinity:
 {{ tuple $envAll "prometheus" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@@ -101,8 +100,7 @@ spec:
         - name: prometheus-perms
 {{ tuple $envAll "prometheus" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.prometheus | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
-            runAsUser: 0
+{{ dict "envAll" $envAll "application" "prometheus" "container" "prometheus_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           command:
             - chown
             - -R
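Review bot: The removed `readOnlyRootFilesystem: true` sat under the pod-level `securityContext`, where it is not a PodSecurityContext field (it is container-scoped), so the old chart most likely never enforced a read-only root filesystem and the new per-container placement is a hardening rather than a regression; the commit message could say so explicitly. The pod-level snippet presumably renders only what `pod.security_context.prometheus.pod` contains, so an operator override that omits `runAsUser` quietly returns the pod to the image's default user; a one-line template note such as `# pod-level runAsUser (65534/nobody) comes from values.yaml pod.security_context.prometheus.pod` would make that dependency visible. The pod spec this hunk edits continues outside the hunk.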
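Review bot: The `prometheus-perms` init container keeps `runAsUser: 0` through values.yaml and receives nothing else from the new snippet, so it is still an unrestricted root container whose only visible job is a recursive `chown`; adding `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL], add: [CHOWN]}` to its values entry would bound that (the exact capability set depends on the chown target, which is past the end of this hunk). If the chown exists only to make the data volume writable by uid 65534, a pod-level `fsGroup: 65534` may remove the need for a root init container entirely — worth checking against the storage backend in use. The command's arguments and the container's volume mounts continue outside this hunk.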
@@ -115,6 +113,7 @@ spec:
         - name: apache-proxy
 {{ tuple $envAll "apache_proxy" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.apache_proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "prometheus" "container" "apache_proxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           command:
             - /tmp/apache.sh
             - start
@@ -146,6 +145,7 @@ spec:
         - name: prometheus
 {{ tuple $envAll "prometheus" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.prometheus | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "prometheus" "container" "prometheus" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           command:
             - /tmp/prometheus.sh
             - start
diff --git a/prometheus/values.yaml b/prometheus/values.yaml
index 34ad605a6b..138ef0d22a 100644
--- a/prometheus/values.yaml
+++ b/prometheus/values.yaml
@@ -43,6 +43,18 @@ labels:
     node_selector_value: enabled
 
 pod:
+  security_context:
+    prometheus:
+      pod:
+        runAsUser: 65534
+      container:
+        prometheus_perms:
+          runAsUser: 0
+        apache_proxy:
+          runAsUser: 0
+        prometheus:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
   affinity:
     anti:
       type:
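Review bot: The `apache-proxy` container now gets a security context, but values.yaml sets only `runAsUser: 0` for it, so this hunk renders a root container with neither `allowPrivilegeEscalation: false` nor `readOnlyRootFilesystem` — the opposite of what the commit message describes for the chart. Why apache needs root is not visible here (`/tmp/apache.sh` is outside the hunk); if it is only to bind a privileged port, a non-root uid plus `capabilities: {drop: [ALL], add: [NET_BIND_SERVICE]}` is the usual replacement, and `allowPrivilegeEscalation: false` is safe to add either way. The container's remaining fields continue past the end of this hunk.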
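Review bot: The `prometheus` container inherits the pod-level `runAsUser: 65534`, but its values entry does not include `runAsNonRoot: true`, so nothing at runtime asserts the effective uid is non-root; adding `runAsNonRoot: true` next to `allowPrivilegeEscalation: false` makes the kubelet refuse to start the container if an override drops the pod-level uid or the image default resolves to 0. With `readOnlyRootFilesystem: true` now in effect, any scratch paths the entrypoint writes need an `emptyDir`; the mounts that would show this are outside the hunk, so this is worth confirming with a rendered manifest.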
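Review bot: The new `container` entries give `prometheus_perms` and `apache_proxy` only `runAsUser: 0`, so two of the three containers still run as root with privilege escalation allowed and the full default capability set, while only `prometheus` receives the restrictions the commit message advertises. A baseline of `allowPrivilegeEscalation: false` plus `capabilities.drop: [ALL]` on every container, re-adding only what each entrypoint needs, and `runAsNonRoot: true` on the non-root container would match the stated intent; the values below show that shape, with the capability additions as placeholders to confirm against what each command actually requires.
```yaml
pod:
  security_context:
    prometheus:
      pod:
        runAsUser: 65534
      container:
        prometheus_perms:
          runAsUser: 0
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
            add:
              - CHOWN  # confirm: only what the chown -R target needs
        apache_proxy:
          runAsUser: 0
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
            # add NET_BIND_SERVICE here only if apache must bind a port < 1024
        prometheus:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
  # … unchanged: affinity …
```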