diff --git a/Dockerfile-poller b/Dockerfile-poller
index 36dc4e34..53f1b41c 100644
--- a/Dockerfile-poller
+++ b/Dockerfile-poller
@@ -22,8 +22,10 @@ COPY package*.json ./
 COPY autoscaler-config.schema.json ./
 RUN npm config set update-notifier false
 RUN npm install --omit=dev
+RUN find /usr/src/app/ -type d -exec chmod a+x '{}' ';'
+RUN find /usr/src/app/ -type f -name '*.js*' -exec chmod a+r '{}' ';'
-FROM gcr.io/distroless/nodejs${NODE_VERSION}:latest
+FROM gcr.io/distroless/nodejs${NODE_VERSION}:nonroot
 COPY --from=build-env /usr/src/app /usr/src/app
 WORKDIR /usr/src/app/
diff --git a/Dockerfile-scaler b/Dockerfile-scaler
index d34a542e..4dbe496f 100644
--- a/Dockerfile-scaler
+++ b/Dockerfile-scaler
@@ -21,8 +21,10 @@ COPY src/scaler/ src/scaler/
 COPY package*.json ./
 RUN npm config set update-notifier false
 RUN npm install --omit=dev
+RUN find /usr/src/app/ -type d -exec chmod a+x '{}' ';'
+RUN find /usr/src/app/ -type f -name '*.js*' -exec chmod a+r '{}' ';'
-FROM gcr.io/distroless/nodejs${NODE_VERSION}:latest
+FROM gcr.io/distroless/nodejs${NODE_VERSION}:nonroot
 COPY --from=build-env /usr/src/app /usr/src/app
 WORKDIR /usr/src/app/
diff --git a/Dockerfile-unified b/Dockerfile-unified
index 82825f1d..ff821112 100644
--- a/Dockerfile-unified
+++ b/Dockerfile-unified
@@ -24,8 +24,10 @@ COPY package*.json ./
 COPY autoscaler-config.schema.json ./
 RUN npm config set update-notifier false
 RUN npm install --omit=dev
+RUN find /usr/src/app/ -type d -exec chmod a+x '{}' ';'
+RUN find /usr/src/app/ -type f -name '*.js*' -exec chmod a+r '{}' ';'
-FROM gcr.io/distroless/nodejs${NODE_VERSION}:latest
+FROM gcr.io/distroless/nodejs${NODE_VERSION}:nonroot
 COPY --from=build-env /usr/src/app /usr/src/app
 WORKDIR /usr/src/app/
diff --git a/kubernetes/decoupled/autoscaler-pkg/otel-collector/otel-collector.yaml b/kubernetes/decoupled/autoscaler-pkg/otel-collector/otel-collector.yaml
index 55a59bf9..af2a64a9 100644
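Review bot: `FROM gcr.io/distroless/nodejs${NODE_VERSION}:nonroot` swaps one floating tag for another, so the base image this hardening depends on can still change under a rebuild without any change in the repo. Pin the digest as well, e.g. `FROM gcr.io/distroless/nodejs${NODE_VERSION}:nonroot@sha256:<digest>` (with the digest in an `ARG` next to `NODE_VERSION`, which is declared outside this hunk), and bump it through the same dependency-update flow as package-lock.json. The `nonroot` variant is also what supplies the image `USER` that the manifests' `runAsNonRoot: true` relies on, so a one-line comment saying so would stop someone reverting it to a plain tag later.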
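Review bot: The second `RUN find … -name '*.js*' -exec chmod a+r` only widens read access on JavaScript/JSON files, so any other file the app loads from `/usr/src/app` at runtime (native `.node` addons, `.mjs`/`.cjs` modules, `.proto` or certificate data shipped inside node_modules) stays unreadable to the `nonroot` runtime user in exactly the situation these lines exist for — a build context carrying restrictive permissions. `RUN chmod -R a+rX /usr/src/app/` grants read on every file and traverse on every directory in one layer, adds execute only where it already exists, and avoids forking `chmod` once per entry as `-exec … ';'` does. If the JS-only scope is deliberate, say so in a comment and at least switch to `-exec … '+'` so the invocations are batched.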
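Review bot: The two `RUN find … chmod` lines carry no explanation of why a build stage that already runs as root needs to widen permissions, and they read as a no-op that the next maintainer is likely to remove. Add a why-comment above them, e.g. `# COPY keeps the build-host permissions; the runtime stage runs as the distroless nonroot user and must be able to traverse and read the whole app tree.` The same pair is duplicated verbatim in Dockerfile-poller and Dockerfile-scaler, so the comment belongs in all three (or the three files could share a single build stage).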
--- a/kubernetes/decoupled/autoscaler-pkg/otel-collector/otel-collector.yaml
+++ b/kubernetes/decoupled/autoscaler-pkg/otel-collector/otel-collector.yaml
@@ -27,6 +27,13 @@ spec:
 args:
 - --config
 - /etc/otel/config.yaml
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - all
 volumeMounts:
 - mountPath: /etc/otel/
 name: otel-config
diff --git a/kubernetes/decoupled/autoscaler-pkg/poller/poller-hourly.yaml b/kubernetes/decoupled/autoscaler-pkg/poller/poller-hourly.yaml
index 573a8658..4f7cdd41 100644
--- a/kubernetes/decoupled/autoscaler-pkg/poller/poller-hourly.yaml
+++ b/kubernetes/decoupled/autoscaler-pkg/poller/poller-hourly.yaml
@@ -47,6 +47,13 @@ spec:
 value: "http://otel-collector:4317/"
 - name: OTEL_IS_LONG_RUNNING_PROCESS
 value: "false"
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - all
 volumeMounts:
 - name: config-volume
 mountPath: /etc/autoscaler-config
diff --git a/kubernetes/decoupled/autoscaler-pkg/poller/poller.yaml b/kubernetes/decoupled/autoscaler-pkg/poller/poller.yaml
index f499fe1e..85efe858 100644
--- a/kubernetes/decoupled/autoscaler-pkg/poller/poller.yaml
+++ b/kubernetes/decoupled/autoscaler-pkg/poller/poller.yaml
@@ -45,6 +45,13 @@ spec:
 value: "http://otel-collector:4317/"
 - name: OTEL_IS_LONG_RUNNING_PROCESS
 value: "false"
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - all
 volumeMounts:
 - name: config-volume
 mountPath: /etc/autoscaler-config
diff --git a/kubernetes/decoupled/autoscaler-pkg/scaler/scaler.yaml b/kubernetes/decoupled/autoscaler-pkg/scaler/scaler.yaml
index 50fe14a7..ab48eeb7 100644
--- a/kubernetes/decoupled/autoscaler-pkg/scaler/scaler.yaml
+++ b/kubernetes/decoupled/autoscaler-pkg/scaler/scaler.yaml
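Review bot: `drop: - all` uses a lowercase capability name, but the canonical Kubernetes spelling is `ALL`, and that literal is what Pod Security Admission's `restricted` profile and the usual policy-engine rules (Kyverno, Gatekeeper library) compare against; container runtimes generally fold case, so the pod will still run, but it may be reported as not dropping all capabilities. Use `drop: ["ALL"]` here and in the other manifests in this commit. The collector image and the user it runs as are not visible in the hunk, so `runAsNonRoot: true` is assumed to be compatible with it — worth confirming once with the pinned image.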
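Review bot: `runAsNonRoot: true` without `runAsUser` makes the kubelet verify non-root status from the image's `USER`, and that verification fails at container start ("cannot verify user is non-root") when the image records a user name instead of a numeric UID; whether the distroless `nonroot` tag this commit moves to stores 65532 or the name `nonroot` is not visible here, so check it before merging. Adding `runAsUser: 65532` and `runAsGroup: 65532` next to `runAsNonRoot: true` removes the dependency on image metadata and documents which UID the Dockerfiles' `chmod a+r` lines are for. This manifest presumably runs on an hourly schedule, so the failure mode would be a stream of failed Jobs rather than a single crash loop.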
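Review bot: `readOnlyRootFilesystem: true` is enforced only at runtime, not at admission, and the hunk gives no evidence of whether the poller writes anywhere outside the mounted config (a `/tmp` scratch file, an exporter spool); run it once under the new context, and if a writable path turns out to be needed, mount an `emptyDir` there instead of relaxing the flag. The block is also repeated verbatim for every container in this commit: `runAsNonRoot` (and a `seccompProfile`) can be declared once in the pod-level `securityContext`, leaving only the container-only fields `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `capabilities` per container.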
@@ -51,6 +51,13 @@ spec:
 value: "http://otel-collector:4317/"
 - name: OTEL_IS_LONG_RUNNING_PROCESS
 value: "true"
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - all
 nodeSelector:
 iam.gke.io/gke-metadata-server-enabled: "true"
 serviceAccountName: scaler-sa
diff --git a/kubernetes/unified/autoscaler-pkg/otel-collector/otel-collector.yaml b/kubernetes/unified/autoscaler-pkg/otel-collector/otel-collector.yaml
index 55a59bf9..af2a64a9 100644
--- a/kubernetes/unified/autoscaler-pkg/otel-collector/otel-collector.yaml
+++ b/kubernetes/unified/autoscaler-pkg/otel-collector/otel-collector.yaml
@@ -27,6 +27,13 @@ spec:
 args:
 - --config
 - /etc/otel/config.yaml
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - all
 volumeMounts:
 - mountPath: /etc/otel/
 name: otel-config
diff --git a/kubernetes/unified/autoscaler-pkg/scaler/scaler-hourly.yaml b/kubernetes/unified/autoscaler-pkg/scaler/scaler-hourly.yaml
index 720c9bbd..2c21d0ac 100644
--- a/kubernetes/unified/autoscaler-pkg/scaler/scaler-hourly.yaml
+++ b/kubernetes/unified/autoscaler-pkg/scaler/scaler-hourly.yaml
@@ -47,6 +47,13 @@ spec:
 value: "http://otel-collector:4317/"
 - name: OTEL_IS_LONG_RUNNING_PROCESS
 value: "false"
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - all
 volumeMounts:
 - name: config-volume
 mountPath: /etc/autoscaler-config
diff --git a/kubernetes/unified/autoscaler-pkg/scaler/scaler.yaml b/kubernetes/unified/autoscaler-pkg/scaler/scaler.yaml
index cff49f3b..8055df29 100644
--- a/kubernetes/unified/autoscaler-pkg/scaler/scaler.yaml
+++ b/kubernetes/unified/autoscaler-pkg/scaler/scaler.yaml
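Review bot: The new `securityContext` is attached to this one container, while the `nodeSelector` and `serviceAccountName: scaler-sa` lines that follow are pod-level, so an init container or an injected sidecar in the same pod would run with none of these restrictions. Move `runAsNonRoot: true` (plus a `seccompProfile: {type: RuntimeDefault}`) into the pod-level `securityContext` next to `serviceAccountName`, keeping `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `capabilities` on the container. This is the long-running component (`OTEL_IS_LONG_RUNNING_PROCESS` is "true") that holds a Workload Identity service account, so it is where an escape would matter most; it is also worth checking whether the pod needs `automountServiceAccountToken` at all, since the GKE metadata-server path selected by the `nodeSelector` is generally described as not reading the projected token from inside the container — confirm before disabling it.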
@@ -45,6 +45,13 @@ spec:
 value: "http://otel-collector:4317/"
 - name: OTEL_IS_LONG_RUNNING_PROCESS
 value: "false"
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - all
 volumeMounts:
 - name: config-volume
 mountPath: /etc/autoscaler-config
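Review bot: The added block sets the container-level controls that the Pod Security Standards `restricted` profile expects except one: there is no `seccompProfile`, so a namespace enforcing `restricted` would still reject (or warn on) this pod. Add `seccompProfile:` / `  type: RuntimeDefault` under the same `securityContext` (or once at pod level), and spell the dropped capability `ALL` rather than `all` so the drop is recognised by the same checks. The hunk does not show the rest of the container or pod spec, so any `hostPath` or `hostPort` usage elsewhere in the file would also need reviewing against that profile.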