Merge pull request #1674 from ArthurSens/linux-hardening

k8s-ci-robot · web-flow · commit 34a1398f1c34 · 2022-02-01T04:42:19.000-08:00
jsonnet: Drop all Linux capabilities
diff --git a/examples/autosharding/statefulset.yaml b/examples/autosharding/statefulset.yaml
@@ -55,6 +55,9 @@ spec:
           timeoutSeconds: 5
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           readOnlyRootFilesystem: true
           runAsUser: 65534
       nodeSelector:
diff --git a/examples/standard/deployment.yaml b/examples/standard/deployment.yaml
@@ -42,6 +42,9 @@ spec:
           timeoutSeconds: 5
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           readOnlyRootFilesystem: true
           runAsUser: 65534
       nodeSelector:
diff --git a/jsonnet/kube-state-metrics/kube-state-metrics.libsonnet b/jsonnet/kube-state-metrics/kube-state-metrics.libsonnet
@@ -167,6 +167,7 @@
         runAsUser: 65534, 
         allowPrivilegeEscalation: false,        
         readOnlyRootFilesystem: true,
+        capabilities: { drop: ['ALL'] },
       },
       livenessProbe: { timeoutSeconds: 5, initialDelaySeconds: 5, httpGet: {
         port: 8080,
