Merge pull request #1668 from ArthurSens/privilege-escalation

k8s-ci-robot · web-flow · commit d9254d7c280a · 2022-01-25T01:26:30.000-08:00
jsonnet: explicitly forbid privilege escalation
diff --git a/examples/autosharding/statefulset.yaml b/examples/autosharding/statefulset.yaml
@@ -54,6 +54,7 @@ spec:
           initialDelaySeconds: 5
           timeoutSeconds: 5
         securityContext:
+          allowPrivilegeEscalation: false
           runAsUser: 65534
       nodeSelector:
         kubernetes.io/os: linux
diff --git a/examples/standard/deployment.yaml b/examples/standard/deployment.yaml
@@ -41,6 +41,7 @@ spec:
           initialDelaySeconds: 5
           timeoutSeconds: 5
         securityContext:
+          allowPrivilegeEscalation: false
           runAsUser: 65534
       nodeSelector:
         kubernetes.io/os: linux
diff --git a/jsonnet/kube-state-metrics/kube-state-metrics.libsonnet b/jsonnet/kube-state-metrics/kube-state-metrics.libsonnet
@@ -163,7 +163,7 @@
         { name: 'http-metrics', containerPort: 8080 },
         { name: 'telemetry', containerPort: 8081 },
       ],
-      securityContext: { runAsUser: 65534 },
+      securityContext: { runAsUser: 65534, allowPrivilegeEscalation: false },
       livenessProbe: { timeoutSeconds: 5, initialDelaySeconds: 5, httpGet: {
         port: 8080,
         path: '/healthz',
