diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index 978a9fca9381fc2e1d42418b761446a56efdd748..34558f474a8416c11e46767f308de75a6d604b3c 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -1044,7 +1044,7 @@ gcp_pd_csi_resizer_image_tag: "v0.4.0-gke.0"
gcp_pd_csi_registrar_image_tag: "v1.2.0-gke.0"
dashboard_image_repo: "{{ docker_image_repo }}/kubernetesui/dashboard-{{ image_arch }}"
-dashboard_image_tag: "v2.6.1"
+dashboard_image_tag: "v2.7.0"
dashboard_metrics_scraper_repo: "{{ docker_image_repo }}/kubernetesui/metrics-scraper"
dashboard_metrics_scraper_tag: "v1.0.8"
diff --git a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
index d75b2cd082103791f52c94a50e1d72f4f774e088..b0c3419269f3b320f7d23d1f3549ece25a24c8bb 100644
--- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
@@ -163,6 +163,9 @@ spec:
labels:
k8s-app: kubernetes-dashboard
spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
priorityClassName: system-cluster-critical
containers:
- name: kubernetes-dashboard
@@ -208,6 +211,11 @@ spec:
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 2001
volumes:
- name: kubernetes-dashboard-certs
secret:
@@ -293,6 +301,9 @@ spec:
labels:
k8s-app: kubernetes-metrics-scraper
spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
priorityClassName: system-cluster-critical
containers:
- name: kubernetes-metrics-scraper
@@ -307,6 +318,11 @@ spec:
port: 8000
initialDelaySeconds: 30
timeoutSeconds: 30
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsUser: 1001
+ runAsGroup: 2001
volumeMounts:
- mountPath: /tmp
name: tmp-volume