From 50d4801b5794b35a12b607400ec573cd11c093bb Mon Sep 17 00:00:00 2001
From: Max Inden
Date: Tue, 17 Jul 2018 15:11:46 +0200
Subject: [PATCH] security: Enforce nobody user and read only / (#1393)

* Make the Prometheus Operator Docker image run as `nobody` by default.
* Disallow privilege escalation via K8s
* Enforce read only root filesystem
---
 Dockerfile | 3 +++
 Documentation/user-guides/cluster-monitoring.md | 4 ++++
 Documentation/user-guides/getting-started.md | 4 ++++
 bundle.yaml | 4 ++++
 .../manifests/0prometheus-operator-deployment.yaml | 4 ++++
 example/non-rbac/prometheus-operator.yaml | 4 ++++
 .../prometheus-operator/prometheus-operator-deployment.yaml | 4 ++++
 jsonnet/prometheus-operator/prometheus-operator.libsonnet | 5 +++++
 8 files changed, 32 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 73333b9ae..ed47fa8de 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,4 +2,7 @@ FROM quay.io/prometheus/busybox:latest
 ADD operator /bin/operator
+# On busybox 'nobody' has uid `65534'
+USER 65534
+
 ENTRYPOINT ["/bin/operator"]
diff --git a/Documentation/user-guides/cluster-monitoring.md b/Documentation/user-guides/cluster-monitoring.md
index 8dad3ff3a..4cc8c7ac8 100644
--- a/Documentation/user-guides/cluster-monitoring.md
+++ b/Documentation/user-guides/cluster-monitoring.md
@@ -59,6 +59,7 @@ spec:
 containers:
 - args:
 - --kubelet-service=kube-system/kubelet
+ - -logtostderr=true
 - --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
 - --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.22.0
 image: quay.io/coreos/prometheus-operator:v0.22.0
@@ -73,6 +74,9 @@ spec:
 requests:
 cpu: 100m
 memory: 50Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 nodeSelector:
 beta.kubernetes.io/os: linux
 securityContext:
diff --git a/Documentation/user-guides/getting-started.md b/Documentation/user-guides/getting-started.md
index d88cd5f63..2f8975441 100644
--- a/Documentation/user-guides/getting-started.md
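Review bot: The comment on the new USER line ties uid 65534 to the busybox base image, but that image is pulled by the mutable `:latest` tag (the FROM line is this hunk's context), so what `nobody` resolves to inside the image can change underneath the comment; the property that actually holds is that a numeric USER runs the process as 65534 whatever /etc/passwd says, and that a numeric value is what lets a Kubernetes `runAsNonRoot: true` check be verified without a separate `runAsUser`. The comment also uses mismatched quotes around the uid. Suggest `# Run unprivileged as uid 65534 ('nobody' on busybox). Keep the uid numeric:` followed by `# it holds even if the base image's passwd changes and it lets Kubernetes verify runAsNonRoot.`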
+++ b/Documentation/user-guides/getting-started.md
@@ -115,6 +115,7 @@ spec:
 containers:
 - args:
 - --kubelet-service=kube-system/kubelet
+ - -logtostderr=true
 - --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
 - --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.22.0
 image: quay.io/coreos/prometheus-operator:v0.22.0
@@ -129,6 +130,9 @@ spec:
 requests:
 cpu: 100m
 memory: 50Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 nodeSelector:
 beta.kubernetes.io/os: linux
 securityContext:
diff --git a/bundle.yaml b/bundle.yaml
index 408bd2597..15611eca2 100644
--- a/bundle.yaml
+++ b/bundle.yaml
@@ -97,6 +97,7 @@ spec:
 containers:
 - args:
 - --kubelet-service=kube-system/kubelet
+ - -logtostderr=true
 - --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
 - --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.22.0
 image: quay.io/coreos/prometheus-operator:v0.22.0
@@ -111,6 +112,9 @@ spec:
 requests:
 cpu: 100m
 memory: 50Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 nodeSelector:
 beta.kubernetes.io/os: linux
 securityContext:
diff --git a/contrib/kube-prometheus/manifests/0prometheus-operator-deployment.yaml b/contrib/kube-prometheus/manifests/0prometheus-operator-deployment.yaml
index faca5a844..5a193a35d 100644
--- a/contrib/kube-prometheus/manifests/0prometheus-operator-deployment.yaml
+++ b/contrib/kube-prometheus/manifests/0prometheus-operator-deployment.yaml
@@ -18,6 +18,7 @@ spec:
 containers:
 - args:
 - --kubelet-service=kube-system/kubelet
+ - -logtostderr=true
 - --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
 - --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.22.0
 image: quay.io/coreos/prometheus-operator:v0.22.0
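Review bot: The container securityContext added in the bundle.yaml `@@ -111,6 +112,9 @@` hunk sets allowPrivilegeEscalation and readOnlyRootFilesystem but not `runAsNonRoot: true`, so the non-root guarantee the commit title promises rests solely on the USER line in the Dockerfile and silently disappears for anyone who overrides the image with one that lacks it; the same gap is in contrib/kube-prometheus/manifests/0prometheus-operator-deployment.yaml, example/non-rbac/prometheus-operator.yaml and example/rbac/prometheus-operator/prometheus-operator-deployment.yaml. The pod-level `securityContext:` that closes each of these hunks may already carry it, but its body is outside the hunk, so I cannot confirm that here. If it does not, add `runAsNonRoot: true` beside the two new keys and consider `capabilities: {drop: [ALL]}` for the same container. Since these manifests appear to be generated from jsonnet/prometheus-operator/prometheus-operator.libsonnet, the addition belongs there (`container.mixin.securityContext.withRunAsNonRoot(true)`) rather than in each file.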
@@ -32,6 +33,9 @@ spec:
 requests:
 cpu: 100m
 memory: 50Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 nodeSelector:
 beta.kubernetes.io/os: linux
 securityContext:
diff --git a/example/non-rbac/prometheus-operator.yaml b/example/non-rbac/prometheus-operator.yaml
index f4c61458a..2b61a12c8 100644
--- a/example/non-rbac/prometheus-operator.yaml
+++ b/example/non-rbac/prometheus-operator.yaml
@@ -18,6 +18,7 @@ spec:
 containers:
 - args:
 - --kubelet-service=kube-system/kubelet
+ - -logtostderr=true
 - --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
 - --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.22.0
 image: quay.io/coreos/prometheus-operator:v0.22.0
@@ -32,6 +33,9 @@ spec:
 requests:
 cpu: 100m
 memory: 50Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 nodeSelector:
 beta.kubernetes.io/os: linux
 securityContext:
diff --git a/example/rbac/prometheus-operator/prometheus-operator-deployment.yaml b/example/rbac/prometheus-operator/prometheus-operator-deployment.yaml
index cc6d2428b..da6bc1a5a 100644
--- a/example/rbac/prometheus-operator/prometheus-operator-deployment.yaml
+++ b/example/rbac/prometheus-operator/prometheus-operator-deployment.yaml
@@ -18,6 +18,7 @@ spec:
 containers:
 - args:
 - --kubelet-service=kube-system/kubelet
+ - -logtostderr=true
 - --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
 - --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.22.0
 image: quay.io/coreos/prometheus-operator:v0.22.0
@@ -32,6 +33,9 @@ spec:
 requests:
 cpu: 100m
 memory: 50Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 nodeSelector:
 beta.kubernetes.io/os: linux
 securityContext:
diff --git a/jsonnet/prometheus-operator/prometheus-operator.libsonnet b/jsonnet/prometheus-operator/prometheus-operator.libsonnet
index 303d37a11..3f1fca62f 100644
--- a/jsonnet/prometheus-operator/prometheus-operator.libsonnet
+++ b/jsonnet/prometheus-operator/prometheus-operator.libsonnet
@@ -119,9 +119,14 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
 container.withPorts(containerPort.newNamed('http', targetPort)) +
 container.withArgs([
 '--kubelet-service=kube-system/kubelet',
+ # Prometheus Operator is run with a read-only root file system. By
+ # default glog saves logfiles to /tmp. Make it log to stderr instead.
+ '-logtostderr=true',
 '--config-reloader-image=' + $._config.imageRepos.configmapReloader + ':' + $._config.versions.configmapReloader,
 '--prometheus-config-reloader=' + $._config.imageRepos.prometheusConfigReloader + ':' + $._config.versions.prometheusOperator,
 ]) +
+ container.mixin.securityContext.withAllowPrivilegeEscalation(false) +
+ container.mixin.securityContext.withReadOnlyRootFilesystem(true) +
 container.mixin.resources.withRequests({ cpu: '100m', memory: '50Mi' }) +
 container.mixin.resources.withLimits({ cpu: '200m', memory: '100Mi' });
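Review bot: The new argument `'-logtostderr=true'` uses a single dash while every neighbouring argument in the same withArgs list (`'--kubelet-service=...'`, `'--config-reloader-image=...'`) uses two; if the operator parses its command line with Go's standard flag package, which glog registers on, both spellings are accepted and this is style only, but it reads like a typo and this libsonnet is the source from which the identical line in bundle.yaml and the other manifests in this patch is generated, so `'--logtostderr=true'` here fixes all of them. The why-comment above it is the right kind of note; it is worth extending it by one sentence to say that with withReadOnlyRootFilesystem(true) any other write to the container filesystem now fails at runtime and new file output needs an emptyDir mount, so the next person who adds one knows why. The enclosing deployment definition starts and ends outside this hunk.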