mirror of
https://github.com/prometheus-operator/prometheus-operator.git
synced 2025-04-14 08:16:31 +00:00
50d4801b57
* Make the Prometheus Operator Docker image run as `nobody` by default. * Disallow privilege escalation via K8s * Enforce read only root filesystem
44 lines
1.2 KiB
YAML
44 lines
1.2 KiB
YAML
apiVersion: apps/v1beta2
|
|
kind: Deployment
|
|
metadata:
|
|
labels:
|
|
k8s-app: prometheus-operator
|
|
name: prometheus-operator
|
|
namespace: monitoring
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
k8s-app: prometheus-operator
|
|
template:
|
|
metadata:
|
|
labels:
|
|
k8s-app: prometheus-operator
|
|
spec:
|
|
containers:
|
|
- args:
|
|
- --kubelet-service=kube-system/kubelet
|
|
- -logtostderr=true
|
|
- --config-reloader-image=quay.io/coreos/configmap-reload:v0.0.1
|
|
- --prometheus-config-reloader=quay.io/coreos/prometheus-config-reloader:v0.22.0
|
|
image: quay.io/coreos/prometheus-operator:v0.22.0
|
|
name: prometheus-operator
|
|
ports:
|
|
- containerPort: 8080
|
|
name: http
|
|
resources:
|
|
limits:
|
|
cpu: 200m
|
|
memory: 100Mi
|
|
requests:
|
|
cpu: 100m
|
|
memory: 50Mi
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
nodeSelector:
|
|
beta.kubernetes.io/os: linux
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 65534
|
|
serviceAccountName: prometheus-operator
|