Add securityContext items and add pod security labes

prometheus-operator · May 31, 2023 · a95f7b9 · a95f7b9
1 parent 3fff8b5
commit a95f7b9
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 0 deletions.
diff --git a/jsonnet/kube-prometheus/addons/pyrra.libsonnet b/jsonnet/kube-prometheus/addons/pyrra.libsonnet
@@ -80,6 +80,9 @@
         securityContext: {
           allowPrivilegeEscalation: false,
           readOnlyRootFilesystem: true,
+          runAsNonRoot: true,
+          capabilities: { drop: ['ALL'] },
+          seccompProfile: { type: 'RuntimeDefault' },  
         },
       };
 

diff --git a/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet b/jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
@@ -64,5 +64,6 @@ function(params) {
     allowPrivilegeEscalation: false,
     readOnlyRootFilesystem: true,
     capabilities: { drop: ['ALL'] },
+    seccompProfile: { type: 'RuntimeDefault' },
   },
 }
diff --git a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
@@ -276,7 +276,9 @@ function(params) {
       securityContext: {
         allowPrivilegeEscalation: false,
         readOnlyRootFilesystem: true,
+        runAsNonRoot: true,
         capabilities: { drop: ['ALL'] },
+        seccompProfile: { type: 'RuntimeDefault' },
       },
     };
 

diff --git a/jsonnet/kube-prometheus/main.libsonnet b/jsonnet/kube-prometheus/main.libsonnet
@@ -150,6 +150,10 @@ local utils = import './lib/utils.libsonnet';
       kind: 'Namespace',
       metadata: {
         name: $.values.common.namespace,
+        labels: {
+          'pod-security.kubernetes.io/warn': 'privileged',
+          'pod-security.kubernetes.io/warn-version': 'latest',
+        },
       },
     },
   },