config-reloader: change to non-root user

CHANGELOG.md

@@ -747,6 +747,8 @@ v0.35.0 (2023-07-18)
 
 - Add deployment spec options to describe operator's Prometheus Config Reloader image. (@alekseybb197)
 
+- `config-reloader` container in agent no longer runs as root. (@rootmout)
+
 - Update `module.git` with basic and SSH key authentication support. (@djcode)
 
 - Support `clustering` block in `prometheus.operator.servicemonitors` and `prometheus.operator.podmonitors` components to distribute

pkg/operator/resources_pod_template.go

@@ -207,14 +207,20 @@ func generatePodTemplate(
 		imagePathConfigReloader = *d.Agent.Spec.ConfigReloaderImage
 	}
 
+	boolFalse := false
+	boolTrue := true
 	operatorContainers := []core_v1.Container{
 		{
 			Name:         "config-reloader",
 			Image:        imagePathConfigReloader,
 			VolumeMounts: volumeMounts,
 			Env:          envVars,
 			SecurityContext: &core_v1.SecurityContext{
-				RunAsUser: pointer.Int64(0),
+				AllowPrivilegeEscalation: &boolFalse,
+				ReadOnlyRootFilesystem:   &boolTrue,
+				Capabilities: &core_v1.Capabilities{
+					Drop: []core_v1.Capability{"ALL"},
+				},
 			},
 			Args: []string{
 				"--config-file=/var/lib/grafana-agent/config-in/agent.yml",

pkg/operator/resources_pod_template_test.go

@@ -98,6 +98,12 @@ func Test_generatePodTemplate(t *testing.T) {
 			assert.False(t, tmpl.Spec.Containers[i].SecurityContext.Privileged != nil &&
 				*tmpl.Spec.Containers[i].SecurityContext.Privileged,
 				"privileged is not required. Fargate cannot schedule privileged containers.")
+			assert.False(t, tmpl.Spec.Containers[i].SecurityContext.RunAsUser != nil &&
+				*tmpl.Spec.Containers[i].SecurityContext.RunAsUser == int64(0),
+				"force the container to run as root is not required.")
+			assert.False(t, tmpl.Spec.Containers[i].SecurityContext.AllowPrivilegeEscalation != nil &&
+				*tmpl.Spec.Containers[i].SecurityContext.AllowPrivilegeEscalation,
+				"allow privilege escalation is not required.")
 		}
 	})
 
@@ -110,9 +116,24 @@ func Test_generatePodTemplate(t *testing.T) {
 
 		tmpl, _, err := generatePodTemplate(cfg, "agent", deploy, podTemplateOptions{Privileged: true})
 		require.NoError(t, err)
-		assert.True(t, tmpl.Spec.Containers[1].SecurityContext.Privileged != nil &&
-			*tmpl.Spec.Containers[1].SecurityContext.Privileged,
-			"privileged is needed if pod options say so.")
+		for i := range tmpl.Spec.Containers {
+			// only grafana-agent container is supposed to be privileged
+			if tmpl.Spec.Containers[i].Name == "grafana-agent" {
+				assert.True(t, tmpl.Spec.Containers[i].SecurityContext.Privileged != nil &&
+					*tmpl.Spec.Containers[i].SecurityContext.Privileged,
+					"privileged is needed for grafana-agent if pod options say so.")
+			} else {
+				assert.False(t, tmpl.Spec.Containers[i].SecurityContext.Privileged != nil &&
+					*tmpl.Spec.Containers[i].SecurityContext.Privileged,
+					"privileged is not required for other containers.")
+				assert.False(t, tmpl.Spec.Containers[i].SecurityContext.RunAsUser != nil &&
+					*tmpl.Spec.Containers[i].SecurityContext.RunAsUser == int64(0),
+					"force the container to run as root is not required for other containers.")
+				assert.False(t, tmpl.Spec.Containers[i].SecurityContext.AllowPrivilegeEscalation != nil &&
+					*tmpl.Spec.Containers[i].SecurityContext.AllowPrivilegeEscalation,
+					"allow privilege escalation is not required for other containers.")
+			}
+		}
 	})
 
 	t.Run("runtimeclassname set if passed in", func(t *testing.T) {