diff --git a/Documentation/user-guides/cluster-monitoring.md b/Documentation/user-guides/cluster-monitoring.md
index 0cbd1f563..c6ff1e7b8 100644
--- a/Documentation/user-guides/cluster-monitoring.md
+++ b/Documentation/user-guides/cluster-monitoring.md
@@ -68,6 +68,9 @@ spec:
 requests:
 cpu: 100m
 memory: 50Mi
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
 serviceAccountName: prometheus-operator
 ```
@@ -238,6 +241,9 @@ spec:
 app: kube-state-metrics
 spec:
 serviceAccountName: kube-state-metrics
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
 containers:
 - name: kube-rbac-proxy-main
 image: quay.io/brancz/kube-rbac-proxy:v0.2.0
@@ -298,9 +304,9 @@ spec:
 - /pod_nanny
 - --container=kube-state-metrics
 - --cpu=100m
- - --extra-cpu=1m
- - --memory=100Mi
- - --extra-memory=2Mi
+ - --extra-cpu=2m
+ - --memory=150Mi
+ - --extra-memory=30Mi
 - --threshold=5
 - --deployment=kube-state-metrics
 ```
@@ -348,7 +354,7 @@ metadata:
 prometheus: k8s
 spec:
 replicas: 2
- version: v2.0.0
+ version: v2.1.0
 serviceAccountName: prometheus-k8s
 serviceMonitorSelector:
 matchExpressions:
diff --git a/Documentation/user-guides/getting-started.md b/Documentation/user-guides/getting-started.md
index 66d65bb96..715c62764 100644
--- a/Documentation/user-guides/getting-started.md
+++ b/Documentation/user-guides/getting-started.md
@@ -113,6 +113,9 @@ spec:
 requests:
 cpu: 100m
 memory: 50Mi
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
 serviceAccountName: prometheus-operator
 ```
diff --git a/bundle.yaml b/bundle.yaml
index 83d354e47..e16804e13 100644
--- a/bundle.yaml
+++ b/bundle.yaml
@@ -98,4 +98,7 @@ spec:
 requests:
 cpu: 100m
 memory: 50Mi
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
 serviceAccountName: prometheus-operator
diff --git a/contrib/kube-prometheus/manifests/prometheus-operator/prometheus-operator.yaml b/contrib/kube-prometheus/manifests/prometheus-operator/prometheus-operator.yaml
index b773021ce..71af2d7d2 100644
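Review bot: The pod-level securityContext added to the bundle.yaml operator Deployment pins the UID but not the primary group, so depending on the image's /etc/passwd the process may still run with GID 0; adding `runAsGroup: 65534` next to `runAsUser: 65534` closes that gap. A pod-level block also cannot express the container-level hardening that usually goes with a non-root switch, so consider giving the operator container its own `securityContext: {allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, capabilities: {drop: ["ALL"]}}`. Whether the operator image writes to its own filesystem is not visible in this diff, so readOnlyRootFilesystem should be confirmed before it is applied. The same applies to the identical hunks in the contrib and example manifests.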
--- a/contrib/kube-prometheus/manifests/prometheus-operator/prometheus-operator.yaml
+++ b/contrib/kube-prometheus/manifests/prometheus-operator/prometheus-operator.yaml
@@ -27,4 +27,7 @@ spec:
 requests:
 cpu: 100m
 memory: 50Mi
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
 serviceAccountName: prometheus-operator
diff --git a/example/non-rbac/prometheus-operator.yaml b/example/non-rbac/prometheus-operator.yaml
index baee74772..6c25e9eba 100644
--- a/example/non-rbac/prometheus-operator.yaml
+++ b/example/non-rbac/prometheus-operator.yaml
@@ -27,3 +27,6 @@ spec:
 requests:
 cpu: 100m
 memory: 50Mi
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
diff --git a/example/rbac/prometheus-operator/prometheus-operator.yaml b/example/rbac/prometheus-operator/prometheus-operator.yaml
index 13a81291b..71af2d7d2 100644
--- a/example/rbac/prometheus-operator/prometheus-operator.yaml
+++ b/example/rbac/prometheus-operator/prometheus-operator.yaml
@@ -23,11 +23,11 @@ spec:
 resources:
 limits:
 cpu: 200m
- memory: 300Mi
+ memory: 100Mi
 requests:
 cpu: 100m
 memory: 50Mi
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
 serviceAccountName: prometheus-operator
- securityContext:
- runAsNonRoot: true
- runAsUser: 65534
diff --git a/hack/generate/prometheus-operator.jsonnet b/hack/generate/prometheus-operator.jsonnet
index 7c744711f..edf6ec4eb 100644
--- a/hack/generate/prometheus-operator.jsonnet
+++ b/hack/generate/prometheus-operator.jsonnet
@@ -20,6 +20,8 @@ local operatorContainer = container.mixin.resources.limits({cpu: "200m", memory: "100Mi"});
 local operatorDeployment = deployment.new("prometheus-operator", 1, operatorContainer, podLabels) +
- deployment.mixin.metadata.labels(podLabels);
+ deployment.mixin.metadata.labels(podLabels) +
+ deployment.mixin.spec.template.spec.securityContext.runAsNonRoot(true) +
+ deployment.mixin.spec.template.spec.securityContext.runAsUser(65534);
 operatorDeployment
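Review bot: The memory limit on the example/rbac operator Deployment drops from 300Mi to 100Mi with nothing in the diff explaining it; it matches the `memory: "100Mi"` limit in hack/generate/prometheus-operator.jsonnet, so presumably the file is regenerated output, but a limit three times lower can get the operator OOM-killed on clusters with many Prometheus or ServiceMonitor objects. If 100Mi is intentional, a one-line note in the generator such as `// limits are sized for small clusters; raise memory on large ones` would spare the next reader the question. The post-image blob id 71af2d7d2 is shared with contrib/kube-prometheus/manifests/prometheus-operator/prometheus-operator.yaml, so that manifest appears to carry the same lowered limit even though its hunk does not show it.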
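Review bot: The two new securityContext mixins in hack/generate/prometheus-operator.jsonnet use the bare constant 65534 with nothing saying why; a comment such as `// run as "nobody" (UID 65534); runAsNonRoot makes the kubelet refuse an image that would start as root` would document the intent for whoever regenerates the manifests. It would also be worth stating in that comment that the hand-written manifests (bundle.yaml, example/non-rbac) must be kept in step with this generator, since the diff shows them edited by hand. The hunk's first context line looks like a continuation of the `local operatorContainer` statement, which begins outside the hunk.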