diff --git a/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-daemonset.yaml b/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-daemonset.yaml index 3a1cfd805..f71407250 100644 --- a/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-daemonset.yaml +++ b/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-daemonset.yaml @@ -139,6 +139,11 @@ spec: value: "{{ .Values.AzureMonitorMetrics.OpenTelemetryMetricsPort }}" securityContext: privileged: false + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE volumeMounts: - mountPath: /etc/config/settings name: settings-vol-config @@ -152,9 +157,6 @@ spec: - name: host-log-containers readOnly: true mountPath: /var/log/containers - - name: host-log-pods - readOnly: true - mountPath: /var/log/pods - mountPath: /anchors/mariner name: anchors-mariner readOnly: true @@ -248,7 +250,7 @@ spec: - operator: "Exists" effect: "NoExecute" - operator: "Exists" - effect: "PreferNoSchedule" + effect: "PreferNoSchedule" {{- end }} - key: "node-role.kubernetes.io/control-plane" operator: "Exists" @@ -284,9 +286,6 @@ spec: - name: host-log-containers hostPath: path: /var/log/containers - - name: host-log-pods - hostPath: - path: /var/log/pods - name: anchors-mariner hostPath: path: /etc/pki/ca-trust/anchors/ @@ -412,6 +411,11 @@ spec: value: "{{ .Values.AzureMonitorMetrics.OpenTelemetryMetricsPort }}" securityContext: privileged: false + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE volumeMounts: - mountPath: /etc/config/settings name: settings-vol-config @@ -425,9 +429,6 @@ spec: - name: host-log-containers readOnly: true mountPath: /var/log/containers - - name: host-log-pods - readOnly: true - mountPath: /var/log/pods livenessProbe: exec: command: 
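Review bot: `DAC_OVERRIDE` re-added after `drop: ALL` lets the collector bypass read/write/execute permission checks on every file it can reach, including the hostPath mounts listed below, so the hunk should state why it is needed — something like `# DAC_OVERRIDE: read root-owned container logs under /var/log/containers — TODO confirm` (that reason is my inference; the hunk does not show it). Read-only mounts still refuse writes regardless of the capability, so the real exposure is unrestricted reading of anything mounted into the container. A container with `drop: ALL` plus `DAC_OVERRIDE` meets the Pod Security `baseline` level but not `restricted`, which only tolerates `NET_BIND_SERVICE`; if `restricted` was the goal, running as the log files' owner UID/GID (or using `fsGroup`) is the alternative. While touching this securityContext it is worth adding `allowPrivilegeEscalation: false` beside `privileged: false` so a setuid binary or file capability in the image cannot widen the set further. The container spec continues past the hunk.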
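Review bot: The hunk keeps the `/var/log/containers` mount while removing `/var/log/pods`, but on CRI runtimes the entries under `/var/log/containers` are normally symlinks into `/var/log/pods/<ns>_<pod>_<uid>/<container>/N.log`, so inside the container those links would now dangle and any read through them fails. If nothing in this image reads log contents (it may only need the file names for discovery), the removal is fine but deserves a comment on the surviving mount, e.g. `# only file names are needed; the symlink targets under /var/log/pods are intentionally not mounted`. If contents are read, the `/var/log/pods` mount and its volume must come back, still `readOnly: true`. I cannot tell from the hunk which case applies; the volumeMounts list begins before it.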
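Review bot: The same `drop: ALL` / `add: DAC_OVERRIDE` block is added to this second container, which appears to be the Windows node daemonset (the addon-token-adapter that follows pulls `ImageRepositoryWin`, though this container's own image line is outside the hunk); Linux capabilities have no effect on a Windows pod, where the kubelet ignores them, and if `spec.os.name: windows` were set the API server would reject the field outright. If that is the case, the block is dead configuration that makes the manifest look hardened when it is not — either leave it out here or annotate it, e.g. `# no effect on Windows; kept for parity with the Linux daemonset`. If this container does run on Linux, `DAC_OVERRIDE` keeps it out of the Pod Security `restricted` level and needs a comment naming the files it must read.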
@@ -447,7 +448,7 @@ spec: - --token-server-listening-port=7777 - --health-server-listening-port=9999 image: "mcr.microsoft.com{{ .Values.AzureMonitorMetrics.AddonTokenAdapter.ImageRepositoryWin }}:{{ .Values.AzureMonitorMetrics.AddonTokenAdapter.ImageTagWin }}" - imagePullPolicy: Always + imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /healthz @@ -461,9 +462,11 @@ spec: cpu: 100m memory: 100Mi securityContext: - capabilities: - add: - - NET_ADMIN + capabilities: + drop: + - ALL + add: + - NET_ADMIN affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -501,7 +504,4 @@ spec: secret: secretName: ama-metrics-mtls-secret optional: true - - name: host-log-pods - hostPath: - path: /var/log/pods {{- end }} diff --git a/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-deployment.yaml b/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-deployment.yaml index 903f8c2b1..5d7a4b4ea 100644 --- a/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-deployment.yaml +++ b/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-deployment.yaml @@ -163,6 +163,11 @@ spec: value: "true" # only supported value is the string "true" securityContext: privileged: false + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE volumeMounts: - mountPath: /etc/config/settings name: settings-vol-config @@ -176,9 +181,6 @@ spec: - name: host-log-containers readOnly: true mountPath: /var/log/containers - - name: host-log-pods - readOnly: true - mountPath: /var/log/pods - mountPath: /anchors/mariner name: anchors-mariner readOnly: true @@ -320,9 +322,6 @@ spec: - name: host-log-containers hostPath: path: /var/log/containers - - name: host-log-pods - hostPath: - path: /var/log/pods - name: anchors-mariner hostPath: path: /etc/pki/ca-trust/anchors/ 
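Review bot: `imagePullPolicy: IfNotPresent` means a node keeps serving whatever image it last cached for `ImageTagWin`; that is only equivalent to `Always` if the tag is immutable, and the hunk does not show whether the value is a digest or a re-pushable version tag. Because this sidecar handles the addon's token, pin it by digest (`...:{{ .Values.AzureMonitorMetrics.AddonTokenAdapter.ImageTagWin }}@sha256:<digest>`, or have the values entry carry the digest) or keep `Always`; otherwise a stale or tampered node cache goes unnoticed and a rollout can run mixed versions across nodes. Whichever is chosen, a comment stating the assumption belongs next to the line: `# tag is immutable; IfNotPresent avoids a registry round-trip on restart`.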
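Review bot: `NET_ADMIN` survives the new `drop: ALL` with no comment saying what the token adapter does with it; on Linux it allows reprogramming iptables and routes for the whole pod network namespace, so the reason should be recorded, e.g. `# NET_ADMIN: needed to redirect the IMDS endpoint — TODO confirm` (the purpose is my guess, not shown in the hunk). `NET_ADMIN` is also outside the Pod Security `baseline` allow-list, so this pod can only be admitted in a namespace at the `privileged` level — worth knowing before labelling namespaces. Since the container pulls `ImageRepositoryWin`, if it runs on Windows nodes the whole capabilities block is ignored by the kubelet and merely documents intent; if so, say that in a comment rather than leaving readers to assume confinement.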
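Review bot: This is the third verbatim copy of the five-line `capabilities` block (the daemonset receives it twice, this deployment once), and copy-pasted securityContext blocks are how hardening drifts between workloads; define it once in `_helpers.tpl`, e.g. `{{- define "ama-metrics.collectorCapabilities" -}}` holding the drop/add list, and `{{- include "ama-metrics.collectorCapabilities" . | nindent 10 }}` at each site. The same `DAC_OVERRIDE` question applies to this container: it bypasses file permission checks on everything mounted below, so a one-line comment naming the files it must read is warranted, and `allowPrivilegeEscalation: false` next to `privileged: false` would keep a setuid binary from widening the set. The container spec continues past the hunk.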
diff --git a/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-ksm-deployment.yaml b/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-ksm-deployment.yaml index 61b7b058a..8b8377e3c 100644 --- a/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-ksm-deployment.yaml +++ b/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-ksm-deployment.yaml @@ -75,6 +75,10 @@ spec: requests: cpu: 5m memory: 50Mi + securityContext: + capabilities: + drop: + - ALL ports: - containerPort: 8080 name: "http" diff --git a/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-targetallocator.yaml b/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-targetallocator.yaml index 739edd612..4d4d43c15 100644 --- a/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-targetallocator.yaml +++ b/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-targetallocator.yaml @@ -64,6 +64,10 @@ spec: value: {{ .Values.AzureMonitorMetrics.ImageTagTargetAllocator }} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File + securityContext: + capabilities: + drop: + - ALL volumeMounts: - mountPath: /conf name: ta-config-shared @@ -154,6 +158,10 @@ spec: readOnly: true - mountPath: /ta-configuration name: ta-config-shared + securityContext: + capabilities: + drop: + - ALL livenessProbe: exec: command: @@ -167,7 +175,6 @@ spec: dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - securityContext: {} serviceAccount: ama-metrics-serviceaccount serviceAccountName: ama-metrics-serviceaccount terminationGracePeriodSeconds: 30
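Review bot: This is the first `securityContext` on the kube-state-metrics container, and `drop: ALL` on its own leaves privilege escalation and the root filesystem unrestricted; for an exporter that only serves HTTP on 8080 the usual companions fit here: `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`. The last one assumes the image sets a non-root user, which the hunk does not show — confirm against the image before adding it. With a pod-level `seccompProfile` of `RuntimeDefault` that would move this pod toward the Pod Security `restricted` level rather than stopping at `baseline`.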
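Review bot: Dropping all capabilities on both target-allocator containers is the right direction, but the following hunk also deletes the pod-level `securityContext: {}`, which was the natural place for what `drop: ALL` does not cover; without `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` at pod level plus `allowPrivilegeEscalation: false` on each container, the pod still only meets the Pod Security `baseline` level. An empty map and an absent field are equivalent, so the deletion itself changes nothing; replacing the `{}` with those two pod-level keys would be the better edit. `runAsNonRoot` assumes both images set a non-root USER, which is not visible here.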