Helm: make PSP configurable #7190

Merged
1 change: 1 addition & 0 deletions operations/helm/charts/mimir-distributed/CHANGELOG.md
Expand Up @@ -46,6 +46,7 @@ Entries should include a reference to the Pull Request that introduced the chang
* [ENHANCEMENT] Query-frontend: configured `-shutdown-delay`, `-server.grpc.keepalive.max-connection-age` and termination grace period to reduce the likelihood of queries hitting terminated query-frontends. #7129
* [ENHANCEMENT] nginx, Gateway: set `proxy_http_version: 1.1` to proxy to HTTP 1.1. #5040
* [BUGFIX] Metamonitoring: update dashboards to drop unsupported `step` parameter in targets. #7157
* [ENHANCEMENT] Make the PSP template configurable via `rbac.podSecurityPolicy`. #7190

## 5.2.1

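Review bot: the new [ENHANCEMENT] entry is placed below a [BUGFIX] line while the other [ENHANCEMENT] entries in this hunk sit together above it; move it up next to the `-shutdown-delay` and `proxy_http_version` entries so the section keeps its grouping. It would also help operators reading the changelog to state in the entry that every default under `rbac.podSecurityPolicy` matches the previously hardcoded policy, so upgrading without touching values changes nothing.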
Expand Up @@ -6,33 +6,40 @@ metadata:
labels:
{{- include "mimir.labels" (dict "ctx" .) | nindent 4 }}
annotations:
"seccomp.security.alpha.kubernetes.io/allowedProfileNames": runtime/default
"seccomp.security.alpha.kubernetes.io/allowedProfileNames": {{ .Values.rbac.podSecurityPolicy.seccompProfile }}
spec:
privileged: false
allowPrivilegeEscalation: false
privileged: {{ .Values.rbac.podSecurityPolicy.privileged }}
allowPrivilegeEscalation: {{ .Values.rbac.podSecurityPolicy.allowPrivilegeEscalation }}
volumes:
- 'configMap'
- 'emptyDir'
- 'persistentVolumeClaim'
- 'secret'
hostNetwork: false
hostIPC: false
hostPID: false
{{- range $volumes := .Values.rbac.podSecurityPolicy.additionalVolumes }}
- '{{ $volumes }}'
{{- end }}
hostNetwork: {{ .Values.rbac.podSecurityPolicy.hostNetwork }}
hostIPC: {{ .Values.rbac.podSecurityPolicy.hostIPC }}
hostPID: {{ .Values.rbac.podSecurityPolicy.hostPID }}
runAsUser:
rule: 'MustRunAsNonRoot'
rule: {{ .Values.rbac.podSecurityPolicy.runAsUser.rule }}
seLinux:
rule: 'RunAsAny'
rule: {{ .Values.rbac.podSecurityPolicy.seLinux.rule }}
supplementalGroups:
rule: 'MustRunAs'
rule: {{ .Values.rbac.podSecurityPolicy.supplementalGroups.rule }}
ranges:
- min: 1
max: 65535
{{- range $range := .Values.rbac.podSecurityPolicy.supplementalGroups.ranges }}
- min: {{ $range.min }}
max: {{ $range.max }}
{{- end }}
fsGroup:
rule: 'MustRunAs'
rule: {{ .Values.rbac.podSecurityPolicy.fsGroup.rule }}
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: true
{{- range $range := .Values.rbac.podSecurityPolicy.fsGroup.ranges }}
- min: {{ $range.min }}
max: {{ $range.max }}
{{- end }}
readOnlyRootFilesystem: {{ .Values.rbac.podSecurityPolicy.readOnlyRootFilesystem }}
requiredDropCapabilities:
- ALL
{{- end }}
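Review bot: with `rule: {{ .Values.rbac.podSecurityPolicy.supplementalGroups.rule }}` left at `MustRunAs`, an operator who sets `supplementalGroups.ranges: []` (or `fsGroup.ranges: []`) gets a rendered `ranges:` key with no items, which the API server rejects for that rule; either wrap the `ranges:` key and its `{{- range $range := ... }}` loop in an `{{- if }}` on the list, or document in values.yaml that `MustRunAs` needs at least one range. The loop variable `$volumes` in `{{- range $volumes := .Values.rbac.podSecurityPolicy.additionalVolumes }}` holds one entry per iteration, so `$volume` reads better. On the security side, `requiredDropCapabilities: ALL` stays hardcoded while `privileged`, `allowPrivilegeEscalation`, `hostNetwork`, `hostIPC` and `hostPID` become operator-settable; the shipped defaults remain the restrictive values, so the policy as rendered is unchanged, but the values.yaml comments should say plainly that flipping any of those keys to `true` widens what the PSP admits.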
26 changes: 25 additions & 1 deletion operations/helm/charts/mimir-distributed/values.yaml
Expand Up @@ -459,9 +459,33 @@ runtimeConfig: {}

# RBAC configuration
rbac:
create: true
# -- If true, PodSecurityPolicy will be rendered by the chart on Kuberentes 1.24.
# By default the PodSecurityPolicy is not rendered on version 1.24.
create: true
# -- PSP configuration
podSecurityPolicy:
Contributor

Do you think we can put this under rbac? This is the place which enables the PSP and configures the pod security context. I think it will be easier if this is closer to there.

Contributor Author

I'm not sure I understood what you meant, but I moved the podSecurityPolicy up, right under rbac.create.

seccompProfile: runtime/default
privileged: false
allowPrivilegeEscalation: false
hostNetwork: false
hostIPC: false
hostPID: false
readOnlyRootFilesystem: true
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
additionalVolumes: []
forcePSPOnKubernetes124: false
# -- For GKE/EKS/AKS use 'type: psp'. For OpenShift use 'type: scc'
type: psp
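Review bot: "Kuberentes" in the `# -- If true, PodSecurityPolicy will be rendered by the chart on Kuberentes 1.24.` comment is misspelled; since that comment block is already being moved relative to `create: true`, fix it to "Kubernetes" in the same change. The new `podSecurityPolicy:` sub-keys also carry no `# --` helm-docs descriptions, unlike the sibling `forcePSPOnKubernetes124` and `type` keys, so the generated chart README will list `privileged`, `allowPrivilegeEscalation`, `hostNetwork`, `hostIPC` and `hostPID` without saying that setting any of them to `true` relaxes the policy; add a one-line description per key, or one on the block, noting that the defaults reproduce the previously hardcoded policy and that `additionalVolumes` only ever extends the allowed list.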
Expand Up @@ -22,16 +22,16 @@ spec:
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
rule: MustRunAsNonRoot
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
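Review bot: the only change in this rendered-manifest hunk, and in the identical hunks that follow it, is that the `rule` values lose their single quotes (`rule: 'MustRunAsNonRoot'` becomes `rule: MustRunAsNonRoot`); that is a YAML no-op, since both forms parse to the same string, and the surrounding `hostIPC: false`, `hostPID: false` and `min`/`max` lines are untouched, which confirms the default policy is byte-for-byte equivalent before and after the template became configurable. If the quoted form is preferred to match the old template, render the values with `| quote` in the template rather than relying on operators to quote them in values.yaml.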
Expand Up @@ -22,16 +22,16 @@ spec:
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
rule: MustRunAsNonRoot
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
Expand Up @@ -22,16 +22,16 @@ spec:
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
rule: MustRunAsNonRoot
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
Expand Up @@ -22,16 +22,16 @@ spec:
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
rule: MustRunAsNonRoot
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
Expand Up @@ -22,16 +22,16 @@ spec:
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
rule: MustRunAsNonRoot
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
Expand Up @@ -22,16 +22,16 @@ spec:
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
rule: MustRunAsNonRoot
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
Expand Up @@ -22,16 +22,16 @@ spec:
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
rule: MustRunAsNonRoot
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
Expand Up @@ -22,16 +22,16 @@ spec:
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
rule: MustRunAsNonRoot
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
Expand Up @@ -22,16 +22,16 @@ spec:
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
rule: MustRunAsNonRoot
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
Expand Up @@ -22,16 +22,16 @@ spec:
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
rule: MustRunAsNonRoot
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
Expand Up @@ -22,16 +22,16 @@ spec:
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
rule: MustRunAsNonRoot
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
Expand Up @@ -22,16 +22,16 @@ spec:
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
rule: MustRunAsNonRoot
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
Expand Up @@ -22,16 +22,16 @@ spec:
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
rule: MustRunAsNonRoot
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
Expand Up @@ -22,16 +22,16 @@ spec:
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
rule: MustRunAsNonRoot
seLinux:
rule: 'RunAsAny'
rule: RunAsAny
supplementalGroups:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
rule: MustRunAs
ranges:
- min: 1
max: 65535