jsonnet: explicitly forbid privilege escalation

Signed-off-by: ArthurSens <arthursens2005@gmail.com>
2022-01-21 20:31:28 +00:00 · 2022-01-21 20:31:28 +00:00 · 8d2587a6a1
parent 98c833322c
commit 8d2587a6a1
3 changed files with 3 additions and 1 deletions
--- a/examples/autosharding/statefulset.yaml
+++ b/examples/autosharding/statefulset.yaml
@ -54,6 +54,7 @@ spec:
          initialDelaySeconds: 5
          timeoutSeconds: 5
        securityContext:
+          allowPrivilegeEscalation: false
          runAsUser: 65534
      nodeSelector:
        kubernetes.io/os: linux
--- a/examples/standard/deployment.yaml
+++ b/examples/standard/deployment.yaml
@ -41,6 +41,7 @@ spec:
          initialDelaySeconds: 5
          timeoutSeconds: 5
        securityContext:
+          allowPrivilegeEscalation: false
          runAsUser: 65534
      nodeSelector:
        kubernetes.io/os: linux
--- a/jsonnet/kube-state-metrics/kube-state-metrics.libsonnet
+++ b/jsonnet/kube-state-metrics/kube-state-metrics.libsonnet
@ -163,7 +163,7 @@
        { name: 'http-metrics', containerPort: 8080 },
        { name: 'telemetry', containerPort: 8081 },
      ],
-      securityContext: { runAsUser: 65534 },
+      securityContext: { runAsUser: 65534, allowPrivilegeEscalation: false },
      livenessProbe: { timeoutSeconds: 5, initialDelaySeconds: 5, httpGet: {
        port: 8080,
        path: '/healthz',