Merge pull request #733 from kubecost/AjayTripathy-default-run-nonroot

default run as nonroot

cost-analyzer/charts/prometheus/values.yaml

@@ -277,10 +277,10 @@ alertmanager:
   ## Security context to be added to alertmanager pods
   ##
   securityContext:
-    runAsUser: 65534
+    runAsUser: 1001
     runAsNonRoot: true
-    runAsGroup: 65534
-    fsGroup: 65534
+    runAsGroup: 1001
+    fsGroup: 1001
 
   service:
     annotations: {}
@@ -856,10 +856,10 @@ server:
   ## Security context to be added to server pods
   ##
   securityContext:
-    runAsUser: 65534
+    runAsUser: 1001
     runAsNonRoot: true
-    runAsGroup: 65534
-    fsGroup: 65534
+    runAsGroup: 1001
+    fsGroup: 1001
 
   service:
     annotations: {}
@@ -1016,7 +1016,7 @@ pushgateway:
   ## Security context to be added to push-gateway pods
   ##
   securityContext:
-    runAsUser: 65534
+    runAsUser: 1001
     runAsNonRoot: true
 
   service:

cost-analyzer/charts/thanos/values.yaml

@@ -113,7 +113,11 @@ store:
       #    hosts:
       #      - chart-example.local
   # Optional securityContext
-  securityContext: {}
+  securityContext:
+    fsGroup: 1001
+    runAsNonRoot: true
+    runAsUser: 1001
+
   resources: {}
   #  limits:
   #    cpu: 2000m
@@ -265,7 +269,11 @@ queryFrontend:
       labels: {}
 
   # Optional securityContext
-  securityContext: {}
+  securityContext:
+    fsGroup: 1001
+    runAsNonRoot: true
+    runAsUser: 1001
+
   resources: {}
   #  limits:
   #    cpu: 2000m
@@ -424,7 +432,11 @@ query:
       labels: {}
 
   # Optional securityContext
-  securityContext: {}
+  securityContext:
+    fsGroup: 1001
+    runAsNonRoot: true
+    runAsUser: 1001
+
   resources: {}
   #  limits:
   #    cpu: 2000m
@@ -547,7 +559,11 @@ compact:
   serviceAccount: ""
 
   # Optional securityContext
-  securityContext: {}
+  securityContext:
+    fsGroup: 1001
+    runAsNonRoot: true
+    runAsUser: 1001
+
   resources: {}
   #  limits:
   #    cpu: 2000m
@@ -646,7 +662,11 @@ bucket:
     #  maxUnavailable: 50%
 
   # Optional securityContext
-  securityContext: {}
+  securityContext:
+    fsGroup: 1001
+    runAsNonRoot: true
+    runAsUser: 1001
+
   resources: {}
   #  limits:
   #    cpu: 2000m

cost-analyzer/templates/cost-analyzer-checks-template.yaml

@@ -59,5 +59,8 @@ spec:
           {{ toYaml .Values.imagePullSecrets | indent 2 }}
         {{- end }}
           restartPolicy: OnFailure
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1001
 {{- end -}}
 {{- end -}}

cost-analyzer/templates/cost-analyzer-psp.template.yaml

@@ -1,11 +1,9 @@
-{{- if .Values.podSecurityPolicy }}
-{{- if .Values.podSecurityPolicy.enabled }}
 apiVersion: {{ include "cost-analyzer.podSecurityPolicy.apiVersion" . }}
 kind: PodSecurityPolicy
 metadata:
     name: kubecost-cost-analyzer-psp
 spec:
-    privileged: true
+    privileged: false
     seLinux:
         rule: RunAsAny
     supplementalGroups:
@@ -16,5 +14,3 @@ spec:
         rule: RunAsAny
     volumes:
         - '*'
-{{- end }}
-{{- end }}

cost-analyzer/values-thanos.yaml

@@ -17,6 +17,9 @@ prometheus:
       storage.tsdb.min-block-duration: 2h
       storage.tsdb.max-block-duration: 2h
       storage.tsdb.retention: 2w
+    securityContext:
+      runAsNonRoot: true
+      runAsUser: 1001
     extraVolumes:
     - name: object-store-volume
       secret:
@@ -26,6 +29,9 @@ prometheus:
     sidecarContainers:
     - name: thanos-sidecar
       image: thanosio/thanos:v0.15.0
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1001
       args:
       - sidecar
       - --log.level=debug

cost-analyzer/values.yaml

@@ -481,7 +481,7 @@ prometheusRule:
   enabled: false
   additionalLabels: {}
 
-supportNFS: true
+supportNFS: false
 # initChownDataImage ensures all Kubecost filepath permissions on PV or local storage are set up correctly.
 initChownDataImage: "busybox" # Supports a fully qualified Docker image, e.g. registry.hub.docker.com/library/busybox:latest
 initChownData: