Alertmanager PodSecurityContext
It is not possible to define a SecurityContext for the containers of Alertmanager (only a PodSecurityContext is available). Because of the missing container SecurityContext it's not possible to set up important security limits for Alertmanager containers like readOnlyRootFilesystem: true (https://github.com/prometheus-operator/kube-prometheus/issues/314), privileged: false, allowPrivilegeEscalation: false.
The SecurityContext can be hardcoded with a stricter security context where possible, or an option can be given to specify a containerSecurityContext, as is done, for example, in Grafana.
If I understand correctly, this issue should be created in https://github.com/prometheus-operator/prometheus-operator/issues since the AlertManager CR manages the StatefulSet?
Could you achieve this by using a strategic merge patch at the container level?
If the current SecurityContext needs better default values, it's also acceptable to change the pod template generated by the operator.
I just realized that the feature is already implemented. https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/values.yaml#L1832-L1834 https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/templates/prometheus-operator/deployment.yaml#L119
Is this issue still getting worked on?
Because of the missing container SecurityContext it's not possible to set up important security limits for Alertmanager containers like readOnlyRootFilesystem: true (https://github.com/prometheus-operator/kube-prometheus/issues/314), privileged: false, allowPrivilegeEscalation: false.
Since d46ae5145e, Prometheus operator will generate secure-by-default SecurityContexts for the containers it manages (e.g. alertmanager, prometheus, ...). If needed it is possible to use strategic merge patches to override the default values.
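The container-level strategic merge patch suggested earlier in the thread, written out as an added example (not a manifest from the thread or from the prometheus-operator project): the Alertmanager CR's spec.containers list merges any entry that shares a name with an operator-generated container, so an entry named alertmanager with only a securityContext block hardens the main container without redefining its image, args or volumes. The pod-level securityContext values (runAsNonRoot, runAsUser 1000, fsGroup 2000), the CR name and namespace are assumptions for illustration. readOnlyRootFilesystem: true relies on the Alertmanager data directory being a mounted volume rather than part of the container's root filesystem; the generated pod mounts a storage volume for it, so the container keeps its writable data path.

```yaml
apiVersion: monitoring.coreos.com/v1
kind: Alertmanager
metadata:
  name: main            # assumed name for this example
  namespace: monitoring # assumed namespace for this example
spec:
  replicas: 3
  # Pod-level settings: the only knob the original issue had available.
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000     # assumed UID; pick one that owns the data volume
    fsGroup: 2000       # assumed GID, applied to mounted volumes
  # Container-level settings via strategic merge patch: an entry whose
  # name matches an operator-generated container is merged into it, so
  # only the fields listed here change and everything else is kept.
  containers:
    - name: alertmanager
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
    # The sidecar that reloads configuration can be hardened the same way.
    - name: config-reloader
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
```

After applying the CR, the effective settings can be confirmed on the generated StatefulSet rather than on the CR itself, for example with `kubectl -n monitoring get statefulset alertmanager-main -o jsonpath='{.spec.template.spec.containers[*].securityContext}'`. With a release that already generates secure-by-default container SecurityContexts, the patch only needs to carry the fields whose defaults you want to tighten further; a patch that re-enables privileges would override those defaults, so review any spec.containers entry with the same care as a raw pod spec.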