Don't run Prometheus and Alertmanager as root. (#244)

* Don't run Prometheus and Alertmanager as root.

Signed-off-by: Tom Wilkie <[email protected]>

* Actually don't run alertmanager as root.

Signed-off-by: Tom Wilkie <[email protected]>

Author: tomwilkie

prometheus-ksonnet/lib/alertmanager.libsonnet

@@ -121,14 +121,24 @@
     ], self.alertmanager_pvc) +
     statefulset.mixin.spec.withServiceName('alertmanager') +
     statefulset.mixin.spec.template.metadata.withAnnotations({ 'prometheus.io.path': '%smetrics' % $._config.alertmanager_path }) +
-    statefulset.mixin.spec.template.spec.securityContext.withRunAsUser(0) +
-    statefulset.mixin.spec.template.spec.securityContext.withFsGroup(0) +
     $.util.configVolumeMount('alertmanager-config', '/etc/alertmanager/config') +
     $.util.podPriority('critical')
   else {},
 
+  local service = $.core.v1.service,
+  local servicePort = service.mixin.spec.portsType,
+
   // Do not create service in clusters without any alertmanagers.
-  alertmanager_service: if replicas > 0 then
-    $.util.serviceFor($.alertmanager_statefulset)
-  else {},
+  alertmanager_service:
+    if replicas == 0
+    then {}
+    else
+      $.util.serviceFor($.alertmanager_statefulset) +
+      service.mixin.spec.withPortsMixin([
+        servicePort.newNamed(
+          name='http',
+          port=80,
+          targetPort=$._config.alertmanager_port,
+        ),
+      ]),
 }

prometheus-ksonnet/lib/config.libsonnet

@@ -36,13 +36,13 @@
     prometheus_insecure_skip_verify: self.insecureSkipVerify,
     prometheus_external_hostname: 'http://prometheus.%(namespace)s.svc.%(cluster_dns_suffix)s' % self,
     prometheus_path: '/prometheus/',
-    prometheus_port: 80,
+    prometheus_port: 9090,
     prometheus_web_route_prefix: $._config.prometheus_path,
 
     // Alertmanager config options.
     alertmanager_external_hostname: 'http://alertmanager.%(namespace)s.svc.%(cluster_dns_suffix)s' % self,
     alertmanager_path: '/alertmanager/',
-    alertmanager_port: 80,
+    alertmanager_port: 9093,
     alertmanager_gossip_port: 9094,
     // Description of how many alertmanager replicas to run where. All
     // clusters with `'global': true` are participating in one global

prometheus-ksonnet/lib/prometheus.libsonnet

@@ -34,7 +34,7 @@
       local _config = self._config;
 
       container.new('prometheus', $._images.prometheus) +
-      container.withPorts($.core.v1.containerPort.new('http-metrics', 80)) +
+      container.withPorts($.core.v1.containerPort.new('http-metrics', _config.prometheus_port)) +
       container.withArgs([
         '--config.file=/etc/prometheus/prometheus.yml',
         '--web.listen-address=:%s' % _config.prometheus_port,
@@ -91,12 +91,26 @@
       statefulset.mixin.spec.template.metadata.withAnnotations({
         'prometheus.io.path': '%smetrics' % _config.prometheus_web_route_prefix,
       }) +
-      statefulset.mixin.spec.template.spec.securityContext.withRunAsUser(0) +
       statefulset.mixin.spec.template.spec.withServiceAccount(self.name) +
+      statefulset.mixin.spec.template.spec.securityContext.withFsGroup(2000) +
+      statefulset.mixin.spec.template.spec.securityContext.withRunAsUser(1000) +
+      statefulset.mixin.spec.template.spec.securityContext.withRunAsNonRoot(true) +
       $.util.podPriority('critical'),
 
+    local service = $.core.v1.service,
+    local servicePort = service.mixin.spec.portsType,
+
     prometheus_service:
-      $.util.serviceFor(self.prometheus_statefulset),
+      local _config = self._config;
+
+      $.util.serviceFor(self.prometheus_statefulset) +
+      service.mixin.spec.withPortsMixin([
+        servicePort.newNamed(
+          name='http',
+          port=80,
+          targetPort=_config.prometheus_port,
+        ),
+      ]),
   },
 
   main_prometheus: $.prometheus { name: 'prometheus' },