
security: Enforce nobody user and read only / (#1393)

* Make the Prometheus Operator Docker image run as `nobody` by default.
* Disallow privilege escalation via K8s
* Enforce read only root filesystem
Max Inden 2018-07-17 15:11:46 +02:00 committed by GitHub
parent 1df9a0c28f
commit 50d4801b57
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 32 additions and 0 deletions


@ -2,4 +2,7 @@ FROM quay.io/prometheus/busybox:latest
ADD operator /bin/operator
# On busybox 'nobody' has uid `65534'
USER 65534
ENTRYPOINT ["/bin/operator"]
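Review bot: `USER 65534` on the fourth line of the hunk sets only the uid, so the container's primary group is whatever Docker resolves from the image's /etc/passwd for that uid (busybox presumably ships a `nobody` entry, but that is an assumption about the base image rather than something this Dockerfile controls). Making the group explicit, `USER 65534:65534`, removes that dependency and documents the intent in one place. The comment above it reads more cleanly as `# On busybox 'nobody' has uid 65534 (and gid 65534)`, which also fixes the mismatched backtick/apostrophe quoting. Note that the image default can be overridden by any manifest that sets `runAsUser`, so the uid here is a default, not an enforcement; the Kubernetes-side guarantee would come from `runAsNonRoot: true`, which the manifests in this commit do not set.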


@ -59,6 +59,7 @@ spec:
containers:
- args:
- --kubelet-service=kube-system/kubelet
- -logtostderr=true
- --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
- --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.22.0
image: quay.io/coreos/prometheus-operator:v0.22.0
@ -73,6 +74,9 @@ spec:
requests:
cpu: 100m
memory: 50Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
nodeSelector:
beta.kubernetes.io/os: linux
securityContext:
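Review bot: The container `securityContext` added in the second hunk (`allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`) does not set `runAsNonRoot: true`, so the non-root guarantee rests entirely on the Dockerfile's `USER 65534` and is silently lost if the image or `runAsUser` is ever overridden; adding `runAsNonRoot: true` to the same block makes the kubelet refuse to start the container as uid 0. A pod-level `securityContext:` appears as the last context line of the hunk but its contents are outside the view, so if it already sets `runAsNonRoot` this note is moot. The same block, with the same omission, is added in the five following manifest sections (hunks at `@ -129,6 +130,9 @@`, `@ -111,6 +112,9 @@` and the three `@ -32,6 +33,9 @@` hunks); since the jsonnet section at the end of the page appears to be the source these manifests are generated from, the one-line change is presumably best made there and regenerated rather than edited six times.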


@ -115,6 +115,7 @@ spec:
containers:
- args:
- --kubelet-service=kube-system/kubelet
- -logtostderr=true
- --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
- --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.22.0
image: quay.io/coreos/prometheus-operator:v0.22.0
@ -129,6 +130,9 @@ spec:
requests:
cpu: 100m
memory: 50Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
nodeSelector:
beta.kubernetes.io/os: linux
securityContext:


@ -97,6 +97,7 @@ spec:
containers:
- args:
- --kubelet-service=kube-system/kubelet
- -logtostderr=true
- --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
- --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.22.0
image: quay.io/coreos/prometheus-operator:v0.22.0
@ -111,6 +112,9 @@ spec:
requests:
cpu: 100m
memory: 50Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
nodeSelector:
beta.kubernetes.io/os: linux
securityContext:


@ -18,6 +18,7 @@ spec:
containers:
- args:
- --kubelet-service=kube-system/kubelet
- -logtostderr=true
- --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
- --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.22.0
image: quay.io/coreos/prometheus-operator:v0.22.0
@ -32,6 +33,9 @@ spec:
requests:
cpu: 100m
memory: 50Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
nodeSelector:
beta.kubernetes.io/os: linux
securityContext:


@ -18,6 +18,7 @@ spec:
containers:
- args:
- --kubelet-service=kube-system/kubelet
- -logtostderr=true
- --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
- --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.22.0
image: quay.io/coreos/prometheus-operator:v0.22.0
@ -32,6 +33,9 @@ spec:
requests:
cpu: 100m
memory: 50Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
nodeSelector:
beta.kubernetes.io/os: linux
securityContext:


@ -18,6 +18,7 @@ spec:
containers:
- args:
- --kubelet-service=kube-system/kubelet
- -logtostderr=true
- --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
- --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.22.0
image: quay.io/coreos/prometheus-operator:v0.22.0
@ -32,6 +33,9 @@ spec:
requests:
cpu: 100m
memory: 50Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
nodeSelector:
beta.kubernetes.io/os: linux
securityContext:


@ -119,9 +119,14 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
container.withPorts(containerPort.newNamed('http', targetPort)) +
container.withArgs([
'--kubelet-service=kube-system/kubelet',
# Prometheus Operator is run with a read-only root file system. By
# default glog saves logfiles to /tmp. Make it log to stderr instead.
'-logtostderr=true',
'--config-reloader-image=' + $._config.imageRepos.configmapReloader + ':' + $._config.versions.configmapReloader,
'--prometheus-config-reloader=' + $._config.imageRepos.prometheusConfigReloader + ':' + $._config.versions.prometheusOperator,
]) +
container.mixin.securityContext.withAllowPrivilegeEscalation(false) +
container.mixin.securityContext.withReadOnlyRootFilesystem(true) +
container.mixin.resources.withRequests({ cpu: '100m', memory: '50Mi' }) +
container.mixin.resources.withLimits({ cpu: '200m', memory: '100Mi' });
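Review bot: The new `'-logtostderr=true'` argument is the only entry in the `withArgs` list written with a single dash while its siblings use `--`; Go's standard flag parsing accepts both forms, but the inconsistency reads as a typo next to the other flags, and `'--logtostderr=true',` would match the surrounding style (assuming the operator parses this with a flag package that treats the two forms alike, which is worth a quick check). The two-line comment above it is a good why-comment and could additionally say that without it the operator would fail to write its logs under `readOnlyRootFilesystem`, which is the link to the two `securityContext` mixins added further down. Those mixins set `withAllowPrivilegeEscalation(false)` and `withReadOnlyRootFilesystem(true)` but not `runAsNonRoot`; ksonnet generates the security-context mixins from the Kubernetes API schema, so a `withRunAsNonRoot(true)` sibling presumably exists and would carry the non-root guarantee into every generated manifest. The enclosing object starts before the hunk and its closing is outside the view.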