*: Use non-root

Documentation/api.md

@@ -98,6 +98,8 @@ Specification of the desired behavior of the Alertmanager cluster. More info: ht
 | resources | Define resources requests and limits for single Pods. | [v1.ResourceRequirements](https://v1-6.docs.kubernetes.io/docs/api-reference/v1.6/#resourcerequirements-v1-core) | false |
 | affinity | If specified, the pod's scheduling constraints. | *v1.Affinity | false |
 | tolerations | If specified, the pod's tolerations. | []v1.Toleration | false |
+| SecurityContext | SecurityContext holds pod-level security attributes and common container settings. This defaults to non root user with uid 1000 and gid 2000. | *v1.PodSecurityContext | false |
+| serviceAccountName | ServiceAccountName is the name of the ServiceAccount to use to run the Prometheus Pods. | string | false |
 
 [Back to TOC](#table-of-contents)
 

Documentation/user-guides/cluster-monitoring.md

@@ -150,6 +150,9 @@ spec:
       name: node-exporter
     spec:
       serviceAccountName: node-exporter
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
       hostNetwork: true
       hostPID: true
       containers:

contrib/kube-prometheus/grafana-image/Dockerfile

@@ -0,0 +1,15 @@
+FROM debian:9.3-slim
+
+RUN apt-get update && apt-get install -qq -y wget tar sqlite && \
+    wget -O /tmp/grafana.tar.gz https://s3-us-west-2.amazonaws.com/grafana-releases/release/grafana-4.6.3.linux-x64.tar.gz && \
+    tar -zxvf /tmp/grafana.tar.gz -C /tmp && mv /tmp/grafana-4.6.3 /grafana && \
+    rm -rf /tmp/grafana.tar.gz
+
+ADD config.toml /grafana/conf/config.toml
+
+USER       nobody
+EXPOSE     3000
+VOLUME     [ "/data" ]
+WORKDIR    /grafana
+ENTRYPOINT [ "/grafana/bin/grafana-server" ]
+CMD        [ "-config=/grafana/conf/config.toml" ]

contrib/kube-prometheus/grafana-image/Makefile

@@ -0,0 +1,2 @@
+container:
+	docker build . -t quay.io/coreos/monitoring-grafana:4.6.3-non-root

contrib/kube-prometheus/grafana-image/config.toml

@@ -0,0 +1,2 @@
+[database]
+path = /data/grafana.db

contrib/kube-prometheus/hack/grafana-dashboards-configmap-generator/templates/grafana-deployment-template.yaml

@@ -9,9 +9,12 @@ spec:
       labels:
         app: grafana
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
       containers:
       - name: grafana
-        image: grafana/grafana:4.6.3
+        image: quay.io/coreos/monitoring-grafana:4.6.3-non-root
         env:
         - name: GF_AUTH_BASIC_ENABLED
           value: "true"
@@ -29,7 +32,7 @@ spec:
               key: password
         volumeMounts:
         - name: grafana-storage
-          mountPath: /var/grafana-storage
+          mountPath: /data
         ports:
         - name: web
           containerPort: 3000

contrib/kube-prometheus/manifests/grafana/grafana-deployment.yaml

@@ -9,9 +9,12 @@ spec:
       labels:
         app: grafana
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
       containers:
       - name: grafana
-        image: grafana/grafana:4.6.3
+        image: quay.io/coreos/monitoring-grafana:4.6.3-non-root
         env:
         - name: GF_AUTH_BASIC_ENABLED
           value: "true"
@@ -29,7 +32,7 @@ spec:
               key: password
         volumeMounts:
         - name: grafana-storage
-          mountPath: /var/grafana-storage
+          mountPath: /data
         ports:
         - name: web
           containerPort: 3000

contrib/kube-prometheus/manifests/node-exporter/node-exporter-daemonset.yaml

@@ -14,6 +14,9 @@ spec:
       name: node-exporter
     spec:
       serviceAccountName: node-exporter
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
       hostNetwork: true
       hostPID: true
       containers:

pkg/alertmanager/statefulset.go

@@ -221,6 +221,18 @@ func makeStatefulSetSpec(a *monitoringv1.Alertmanager, config Config) (*v1beta1.
 		amArgs = append(amArgs, fmt.Sprintf("-mesh.peer=%s-%d.%s.%s.svc", prefixedName(a.Name), i, governingServiceName, a.Namespace))
 	}
 
+	gid := int64(2000)
+	uid := int64(1000)
+	nr := true
+	securityContext := &v1.PodSecurityContext{
+		FSGroup:      &gid,
+		RunAsNonRoot: &nr,
+		RunAsUser:    &uid,
+	}
+	if a.Spec.SecurityContext != nil {
+		securityContext = a.Spec.SecurityContext
+	}
+
 	switch version.Major {
 	case 0:
 		if version.Minor >= 7 {
@@ -324,8 +336,10 @@ func makeStatefulSetSpec(a *monitoringv1.Alertmanager, config Config) (*v1beta1.
 						},
 					},
 				},
-				Tolerations: a.Spec.Tolerations,
-				Affinity:    a.Spec.Affinity,
+				ServiceAccountName: a.Spec.ServiceAccountName,
+				SecurityContext:    securityContext,
+				Tolerations:        a.Spec.Tolerations,
+				Affinity:           a.Spec.Affinity,
 			},
 		},
 	}, nil

pkg/client/monitoring/v1/types.go

@@ -389,6 +389,12 @@ type AlertmanagerSpec struct {
 	Affinity *v1.Affinity `json:"affinity,omitempty"`
 	// If specified, the pod's tolerations.
 	Tolerations []v1.Toleration `json:"tolerations,omitempty"`
+	// SecurityContext holds pod-level security attributes and common container settings.
+	// This defaults to non root user with uid 1000 and gid 2000.
+	SecurityContext *v1.PodSecurityContext
+	// ServiceAccountName is the name of the ServiceAccount to use to run the
+	// Prometheus Pods.
+	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 }
 
 // A list of Alertmanagers.

pkg/client/monitoring/v1/zz_generated.deepcopy.go

@@ -275,6 +275,15 @@ func (in *AlertmanagerSpec) DeepCopyInto(out *AlertmanagerSpec) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.SecurityContext != nil {
+		in, out := &in.SecurityContext, &out.SecurityContext
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(core_v1.PodSecurityContext)
+			(*in).DeepCopyInto(*out)
+		}
+	}
 	return
 }