[prometheus-thanos] add default security context (#465)
* [prometheus-thanos] upgrade thanos and add security context

Signed-off-by: Ihor Horak <ihor.horak@zapier.com>

* [prometheus-thanos] upgrade docs

Signed-off-by: Ihor Horak <ihor.horak@zapier.com>

---------

Signed-off-by: Ihor Horak <ihor.horak@zapier.com>
horakihor authored Oct 19, 2023
1 parent cbd6f7c commit 01c942a
Showing 10 changed files with 143 additions and 18 deletions.
4 changes: 2 additions & 2 deletions charts/prometheus-thanos/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v1
appVersion: "0.27.0"
appVersion: "0.32.4"
description: A Helm chart for thanos monitoring components
name: prometheus-thanos
version: 4.9.4
version: 5.0.0
home: https://github.com/thanos-io/thanos
sources:
- https://github.com/thanos-io/thanos
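Review bot: the bump from 4.9.4 to 5.0.0 is the right signal for this change, because the new defaults introduced elsewhere in the commit (`runAsUser: 1001`, `fsGroup: 1001`, `runAsNonRoot: true`, all capabilities dropped) change the identity every component runs under; pair it with an upgrade note in the README telling existing users that data volumes written by a previous UID may need their ownership corrected, and point out that `appVersion` moves from 0.27.0 to 0.32.4 in one step, so the Thanos release notes between those versions apply to this upgrade as well.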
16 changes: 15 additions & 1 deletion charts/prometheus-thanos/README.md
Expand Up @@ -114,6 +114,8 @@ The following table lists the configurable parameters of the prometheus-thanos c
| `bucketWebInterface.replicaCount` | Replica count for bucket web interface | `1` |
| `bucketWebInterface.resources` | Resources | `{}` |
| `bucketWebInterface.tolerations` | Tolerations | `[]` |
| `bucketWebInterface.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | <br> `runAsUser: 1001` <br> `runAsGroup: 1001` <br> `fsGroup: 1001` |
| `bucketWebInterface.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | <br> `runAsNonRoot: true` <br> `allowPrivilegeEscalation: false` <br> `capabilities:` <br> `drop:` <br> `- ALL` <br> `privileged: false` |
| `bucketWebInterface.updateStrategy` | Deployment update strategy | `type: RollingUpdate` |
| `bucketWebInterface.volumeMounts` | Additional volume mounts | `nil` |
| `bucketWebInterface.volumes` |Additional volumes | `nil` |
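Review bot: the default-value cells of the two new rows start with a `<br>`, which renders as an empty first line in the table; drop the leading `<br>` so the cells begin with `runAsUser: 1001` and `runAsNonRoot: true`. The placement also breaks the alphabetical order of the surrounding rows (`replicaCount`, `resources`, `tolerations`, `updateStrategy`): `containerSecurityContext` and `podSecurityContext` belong before `replicaCount`, not between `tolerations` and `updateStrategy`. Both points apply to the identical rows added for the other six components. It would also help to document that the pod-level block is rendered only when the value is non-empty (the templates wrap it in `with`), so setting `podSecurityContext: {}` disables the default.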
Expand Down Expand Up @@ -148,6 +150,8 @@ The following table lists the configurable parameters of the prometheus-thanos c
| `compact.retentionResolution5m` | Retention for 5m buckets | `30d` |
| `compact.retentionResolution1h` | Retention for 1h buckets | `10y` |
| `compact.tolerations` | Tolerations | `[]` |
| `compact.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | <br> `runAsUser: 1001` <br> `runAsGroup: 1001` <br> `fsGroup: 1001` |
| `compact.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | <br> `runAsNonRoot: true` <br> `allowPrivilegeEscalation: false` <br> `capabilities:` <br> `drop:` <br> `- ALL` <br> `privileged: false` |
| `compact.updateStrategy` | StatefulSet update strategy | `type: RollingUpdate` |
| `compact.volumeMounts` | Additional volume mounts | `nil` |
| `compact.volumes` | Additional volumes | `nil` |
Expand Down Expand Up @@ -183,6 +187,8 @@ The following table lists the configurable parameters of the prometheus-thanos c
| `querier.resources` | Resources | `{}` |
| `querier.stores` | List of stores [see](https://github.com/thanos-io/thanos/blob/master/docs/components/query.md) | `[]` |
| `querier.tolerations` | Tolerations | `[]` |
| `querier.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | <br> `runAsUser: 1001` <br> `runAsGroup: 1001` <br> `fsGroup: 1001` |
| `querier.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | <br> `runAsNonRoot: true` <br> `allowPrivilegeEscalation: false` <br> `capabilities:` <br> `drop:` <br> `- ALL` <br> `privileged: false` |
| `querier.updateStrategy` | Deployment update strategy | `type: RollingUpdate` |
| `querier.volumeMounts` | Additional volume mounts | `nil` |
| `querier.volumes` | Additional volumes | `nil` |
Expand Down Expand Up @@ -223,6 +229,8 @@ The following table lists the configurable parameters of the prometheus-thanos c
| `queryFrontend.resources` | Resources | `{}` |
| `queryFrontend.stores` | List of stores [see](https://github.com/thanos-io/thanos/blob/master/docs/components/query.md) | `[]` |
| `queryFrontend.tolerations` | Tolerations | `[]` |
| `queryFrontend.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | <br> `runAsUser: 1001` <br> `runAsGroup: 1001` <br> `fsGroup: 1001` |
| `queryFrontend.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | <br> `runAsNonRoot: true` <br> `allowPrivilegeEscalation: false` <br> `capabilities:` <br> `drop:` <br> `- ALL` <br> `privileged: false` |
| `queryFrontend.updateStrategy` | Deployment update strategy | `type: RollingUpdate` |
| `queryFrontend.volumeMounts` | Additional volume mounts | `nil` |
| `queryFrontend.volumes` | Additional volumes | `nil` |
Expand Down Expand Up @@ -263,6 +271,8 @@ The following table lists the configurable parameters of the prometheus-thanos c
| `receiver.serviceAccount.create` | Create service account | `true` |
| `receiver.serviceAccount.annotations` | Service account annotations | `nil` |
| `receiver.tolerations` | Tolerations | `[]` |
| `receiver.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | <br> `runAsUser: 1001` <br> `runAsGroup: 1001` <br> `fsGroup: 1001` |
| `receiver.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | <br> `runAsNonRoot: true` <br> `allowPrivilegeEscalation: false` <br> `capabilities:` <br> `drop:` <br> `- ALL` <br> `privileged: false` |
| `receiver.tsdbRetention` | The period to retain TSDB blocks in the receiver | `1d` |
| `receiver.updateStrategy` | StatefulSet update strategy | `type: RollingUpdate` |
| `receiver.volumeMounts` | Additional volume mounts | `nil` |
Expand Down Expand Up @@ -314,6 +324,8 @@ The following table lists the configurable parameters of the prometheus-thanos c
| `ruler.sidecar.enabled` | Enable configmap watcher sidecar | `false` |
| `ruler.sidecar.watchLabel` | Label for configmaps to watch | `thanos_alert_config` |
| `ruler.tolerations` | Tolerations | `[]` |
| `ruler.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | <br> `runAsUser: 1001` <br> `runAsGroup: 1001` <br> `fsGroup: 1001` |
| `ruler.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | <br> `runAsNonRoot: true` <br> `allowPrivilegeEscalation: false` <br> `capabilities:` <br> `drop:` <br> `- ALL` <br> `privileged: false` |
| `ruler.updateStrategy` | StatefulSet update strategy | `type: RollingUpdate` |
| `ruler.volumeMounts` | Additional volume mounts | `nil` |
| `ruler.volumes` | Additional volumes | `nil` |
Expand Down Expand Up @@ -382,6 +394,8 @@ The following table lists the configurable parameters of the prometheus-thanos c
| `storeGateway.serviceAccount.create` | Create service account | `true` |
| `storeGateway.serviceAccount.annotations` | Service account annotations | `nil` |
| `storeGateway.tolerations` | Tolerations | `[]` |
| `storeGateway.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | <br> `runAsUser: 1001` <br> `runAsGroup: 1001` <br> `fsGroup: 1001` |
| `storeGateway.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | <br> `runAsNonRoot: true` <br> `allowPrivilegeEscalation: false` <br> `capabilities:` <br> `drop:` <br> `- ALL` <br> `privileged: false` |
| `storeGateway.updateStrategy` | StatefulSet update strategy | `type: RollingUpdate` |
| `storeGateway.volumeMounts` | Additional volume mounts | `nil` |
| `storeGateway.volumes` |Additional volumes | `nil` |
Expand All @@ -392,4 +406,4 @@ Specify each parameter using the `--set key=value[,key=value]` argument to `helm
helm install --name prometheus-thanos --set ingress.enabled=false kiwigrid/prometheus-thanos
```

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart.
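Review bot: the only difference in this hunk is the final `Alternatively, a YAML file ...` line, which appears once removed and once added with identical text, so this is a whitespace-only change; it is harmless, but it is unrelated to the security-context defaults and makes the diff slightly harder to audit, and this end of the README is where the missing upgrade note for the 5.0.0 bump would naturally go.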
6 changes: 6 additions & 0 deletions charts/prometheus-thanos/templates/bucket-web/deployment.yaml
Expand Up @@ -67,6 +67,8 @@ spec:
{{- end }}
resources:
{{- toYaml .Values.bucketWebInterface.resources | nindent 12 }}
securityContext:
{{- toYaml .Values.bucketWebInterface.containerSecurityContext | nindent 12 }}
{{- with .Values.bucketWebInterface.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 14 }}
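Review bot: the container-level `securityContext` is rendered unconditionally with `toYaml`, while the pod-level block in the next hunk of this file is guarded by `{{- with .Values.bucketWebInterface.podSecurityContext }}`; a user who sets `bucketWebInterface.containerSecurityContext` to an empty value therefore gets an empty `securityContext:` entry on the container instead of the key being omitted. Either guard both with `with` for consistency, or keep the container block unconditional on purpose and say so in values.yaml, so that the secure default cannot be blanked by accident. The same pattern is repeated in the other six templates.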
Expand All @@ -83,6 +85,10 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.bucketWebInterface.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.bucketWebInterface.volumes }}
volumes:
{{- toYaml . | nindent 8 }}
6 changes: 6 additions & 0 deletions charts/prometheus-thanos/templates/compactor/statefulset.yaml
Expand Up @@ -73,6 +73,8 @@ spec:
{{- end }}
resources:
{{- toYaml .Values.compact.resources | nindent 12 }}
securityContext:
{{- toYaml .Values.compact.containerSecurityContext | nindent 12 }}
volumeMounts:
- mountPath: /data
name: storage-volume
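Review bot: this container mounts `storage-volume` at `/data` and, with the new defaults, now runs as UID 1001 with `fsGroup: 1001`; on an upgraded release the existing PVC may contain data written under a different user. `fsGroup` lets the kubelet fix group ownership on volume types that support it, but not on all of them, so the upgrade note should ask operators to confirm that `/data` is writable after the upgrade, since the compactor needs a writable working directory there. The same consideration applies to the receiver and store gateway templates, which mount `/data` the same way.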
Expand All @@ -91,6 +93,10 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.compact.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
{{- with .Values.compact.volumes }}
{{- toYaml . | nindent 8 }}
6 changes: 6 additions & 0 deletions charts/prometheus-thanos/templates/querier/deployment.yaml
Expand Up @@ -84,6 +84,8 @@ spec:
timeoutSeconds: {{ .Values.querier.readinessProbe.timeoutSeconds }}
resources:
{{- toYaml .Values.querier.resources | nindent 12 }}
securityContext:
{{- toYaml .Values.querier.containerSecurityContext | nindent 12 }}
{{- with .Values.querier.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 14 }}
Expand All @@ -100,6 +102,10 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.querier.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.querier.volumes }}
volumes:
{{- toYaml . | nindent 8 }}
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,8 @@ spec:
timeoutSeconds: {{ .Values.queryFrontend.readinessProbe.timeoutSeconds }}
resources:
{{- toYaml .Values.queryFrontend.resources | nindent 12 }}
securityContext:
{{- toYaml .Values.queryFrontend.containerSecurityContext | nindent 12 }}
{{- with .Values.queryFrontend.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 14 }}
Expand All @@ -107,6 +109,10 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.queryFrontend.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.queryFrontend.volumes }}
volumes:
{{- toYaml . | nindent 8 }}
11 changes: 6 additions & 5 deletions charts/prometheus-thanos/templates/receiver/statefulset.yaml
Expand Up @@ -90,7 +90,6 @@ spec:
- name: http-rw
containerPort: {{ .Values.service.receiver.httpRemoteWrite.port }}
protocol: TCP

env:
- name: K8S_NAMESPACE
valueFrom:
Expand All @@ -102,11 +101,9 @@ spec:
fieldPath: metadata.name
- name: K8S_SERVICE
value: {{ include "prometheus-thanos.fullname" . }}-receiver

{{- if .Values.receiver.extraEnv }}
{{- toYaml .Values.receiver.extraEnv | nindent 12 }}
{{- end }}

livenessProbe:
httpGet:
path: /-/healthy
Expand All @@ -123,10 +120,10 @@ spec:
periodSeconds: {{ .Values.receiver.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.receiver.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.receiver.readinessProbe.timeoutSeconds }}

resources:
{{- toYaml .Values.receiver.resources | nindent 12 }}

securityContext:
{{- toYaml .Values.receiver.containerSecurityContext | nindent 12 }}
volumeMounts:
- mountPath: /data
name: storage-volume
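Review bot: the three hunks in this file remove several blank lines (after the `http-rw` port, after `K8S_SERVICE`, after the `extraEnv` block, and around `resources`) alongside the `securityContext` addition; the blank-line removals are unrelated cosmetic cleanup and would be easier to review and to bisect as a separate commit. The `securityContext` block itself matches the other templates.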
Expand All @@ -148,6 +145,10 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.receiver.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
{{- with .Values.receiver.volumes }}
{{- toYaml . | nindent 8 }}
6 changes: 6 additions & 0 deletions charts/prometheus-thanos/templates/ruler/statefulset.yaml
Expand Up @@ -106,6 +106,8 @@ spec:
timeoutSeconds: {{ .Values.ruler.readinessProbe.timeoutSeconds }}
resources:
{{- toYaml .Values.ruler.resources | nindent 12 }}
securityContext:
{{- toYaml .Values.ruler.containerSecurityContext | nindent 12 }}
volumeMounts:
- mountPath: /etc/thanos-ruler
name: config
Expand Down Expand Up @@ -156,6 +158,10 @@ spec:
tolerations:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.ruler.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: external-config-volume
emptyDir: {}
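Review bot: the adjacent `tolerations` block in this template uses `nindent 6`, while the new pod-level `securityContext` uses `nindent 8` as in the other templates; because the indentation of the surrounding keys is not visible in this view, run `helm template` on the ruler StatefulSet and confirm that `securityContext` lands at the pod `spec` level as a sibling of `volumes`, otherwise the default `runAsUser`/`fsGroup` would silently fail to apply to the ruler pod while the README claims it does.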
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,8 @@ spec:
timeoutSeconds: {{ .Values.storeGateway.readinessProbe.timeoutSeconds }}
resources:
{{- toYaml .Values.storeGateway.resources | nindent 12 }}
securityContext:
{{- toYaml .Values.storeGateway.containerSecurityContext | nindent 12 }}
volumeMounts:
- mountPath: /data
name: storage-volume
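Review bot: since the store gateway's writable state lives on the explicit `/data` mount, it is a candidate for `readOnlyRootFilesystem: true` in the default `containerSecurityContext`; that is not part of this change, so treat it as a follow-up and verify with the rendered pod that the component writes nothing outside `/data` before making it a default.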
Expand All @@ -113,6 +115,10 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.storeGateway.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
{{- with .Values.storeGateway.volumes }}
{{- toYaml . | nindent 8 }}