Explicitly declare allowPrivilegeEscalation to false in all components #1593
@@ -118,6 +118,8 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube- | |||
image: ksm._config.kubeRbacProxyImage, | |||
}), | |||
|
|||
// The override adding 'allowPrivilegeEscalation: false' can be deleted when |
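Review bot: the explanatory comment added at the end of this hunk stops at "can be deleted when", so the condition for removing the override is not stated in the visible lines; complete it with the concrete upstream change that makes it redundant (e.g. the kube-state-metrics or kube-rbac-proxy release that ships allowPrivilegeEscalation: false itself) and a link to it, so whoever bumps that dependency can tell the override is safe to drop.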
// The override adding 'allowPrivilegeEscalation: false' can be deleted when | |
// FIXME(ArthurSens): The override adding 'allowPrivilegeEscalation: false' can be deleted when |
nit: Let's just add FIXME so it is easier to spot later ;)
@@ -83,4 +83,20 @@ function(params) | |||
}], | |||
}, | |||
}, | |||
|
|||
// The override adding 'allowPrivilegeEscalation: false' can be deleted when |
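Review bot: the removal comment here duplicates the one in the kube-state-metrics hunk word for word; since the override is applied per component, consider factoring the `allowPrivilegeEscalation: false` securityContext into one shared jsonnet snippet (or at least keep the removal condition in a single place) so the FIXME can be resolved once rather than once per component.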
// The override adding 'allowPrivilegeEscalation: false' can be deleted when | |
// FIXME(ArthurSens): The override adding 'allowPrivilegeEscalation: false' can be deleted when |
nit: Let's just add FIXME so it is easier to spot later ;)
lgtm, just a few minor nits 👍
Although containers that do not run as privileged already have this set to false by Kubernetes, Kubescape [asks us](https://hub.armo.cloud/docs/c-0016) to explicitly declare it false where not needed.
Signed-off-by: Arthur Silva Sens <[email protected]>
Signed-off-by: GitHub <[email protected]>
867eb8d to 2d02121
Description
Looking at the Kubernetes docs, if a container isn't running as privileged and doesn't have CAP_SYS_ADMIN capabilities, then Kubernetes already sets allowPrivilegeEscalation to false by default. Kubescape asks us to explicitly declare it false anyway; I believe the intention is to future-guard against Kubernetes behavior changes for some reason.
I've run kube-prometheus from this PR in kind, and the whole stack was able to run smoothly without errors. Metrics are getting collected and scraped without problems as well.
The only thing I haven't tested by hand was the privileged blackbox-exporter, since I don't use it personally.
Fixes #1588
Type of change
What type of changes does your code introduce to kube-prometheus? Put an x in the box that applies.
- CHANGE (fix or feature that would cause existing functionality to not work as expected)
- FEATURE (non-breaking change which adds functionality)
- BUGFIX (non-breaking change which fixes an issue)
- ENHANCEMENT (non-breaking change which improves existing functionality)
- NONE (if none of the other choices apply. Example, tooling, build system, CI, docs, etc.)
Changelog entry
Please put a one-line changelog entry below. Later this will be copied to the changelog file.
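As an added example (not code from this PR or from kube-prometheus), a Python check in the spirit of the Kubescape control linked in the commit message: it lists the containers in a workload manifest that rely on the implicit default instead of declaring allowPrivilegeEscalation: false explicitly, and an override that adds the declaration to every container that can take it, skipping privileged or CAP_SYS_ADMIN containers such as the privileged blackbox-exporter mentioned in the description. The manifest, image and container names are constructed, and the code works on JSON-shaped dicts (what jsonnet emits) rather than on jsonnet itself.

```python
import copy

# Constructed sample shaped like a kube-prometheus Deployment (not the project's
# real manifest): no securityContext, one without the field, one privileged.
SAMPLE = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [
        {"name": "kube-state-metrics", "image": "ksm:example"},
        {"name": "kube-rbac-proxy", "image": "krp:example",
         "securityContext": {"runAsUser": 65532}},
        {"name": "blackbox-exporter", "image": "bbe:example",
         "securityContext": {"privileged": True}},
    ]}}},
}

def _containers(manifest):
    """Yield (path, container) for every initContainer and container."""
    spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    for field in ("initContainers", "containers"):
        for i, c in enumerate(spec.get(field, [])):
            yield f"{field}[{i}]", c

def missing_explicit_declaration(manifest):
    """Paths of containers that do not explicitly declare
    allowPrivilegeEscalation: false. An unset field counts as missing:
    relying on the implicit default is exactly what the check flags."""
    return [path for path, c in _containers(manifest)
            if (c.get("securityContext") or {}).get("allowPrivilegeEscalation") is not False]

def requires_escalation(container):
    """True for privileged or CAP_SYS_ADMIN containers, which cannot take
    allowPrivilegeEscalation: false (Kubernetes treats escalation as
    allowed for them and rejects false together with privileged: true)."""
    sc = container.get("securityContext") or {}
    caps = set((sc.get("capabilities") or {}).get("add") or [])
    return bool(sc.get("privileged")) or bool(caps & {"SYS_ADMIN", "CAP_SYS_ADMIN"})

def declare_no_escalation(manifest):
    """Copy of the manifest with allowPrivilegeEscalation: false declared on
    every container that can take it; the PR's per-component override,
    generalised to any workload manifest."""
    out = copy.deepcopy(manifest)
    for _, c in _containers(out):
        if not requires_escalation(c):
            c.setdefault("securityContext", {})["allowPrivilegeEscalation"] = False
    return out

if __name__ == "__main__":
    print("missing before:", missing_explicit_declaration(SAMPLE))
    print("missing after: ", missing_explicit_declaration(declare_no_escalation(SAMPLE)))
```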