[kube-prometheus-stack] Fix issue prometheus-community#1038 (promethe…

…us-community#1045) * [kube-prometheus-stack] fix issue 1038 Make admission Web Hook Jobs securityContext configurable Signed-off-by: Dmitrii Ermakov <demonihin@gmail.com> * [kube-prometheus-stack] Fix incorrect formatting Signed-off-by: Dmitrii Ermakov <demonihin@gmail.com>
victorboissiere · Jun 6, 2021 · 3071d77 · 3071d77
1 parent 434ba32
commit 3071d77
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 7 deletions.
diff --git a/charts/kube-prometheus-stack/Chart.yaml b/charts/kube-prometheus-stack/Chart.yaml
@@ -18,7 +18,7 @@ name: kube-prometheus-stack
 sources:
   - https://github.com/prometheus-community/helm-charts
   - https://github.com/prometheus-operator/kube-prometheus
-version: 16.2.0
+version: 16.3.0
 appVersion: 0.48.0
 kubeVersion: ">=1.16.0-0"
 home: https://github.com/prometheus-operator/kube-prometheus

diff --git a/...us-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml b/...us-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml
@@ -58,8 +58,8 @@ spec:
       tolerations:
 {{ toYaml . | indent 8 }}
       {{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.patch.securityContext }}
       securityContext:
-        runAsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.patch.securityContext | indent 8 }}
+{{- end }}
 {{- end }}
diff --git a/...us-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml b/...us-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -59,8 +59,8 @@ spec:
       tolerations:
 {{ toYaml . | indent 8 }}
       {{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.patch.securityContext }}
       securityContext:
-        runAsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.patch.securityContext | indent 8 }}
+{{- end }}
 {{- end }}
diff --git a/charts/kube-prometheus-stack/values.yaml b/charts/kube-prometheus-stack/values.yaml
@@ -1365,6 +1365,16 @@ prometheusOperator:
       nodeSelector: {}
       affinity: {}
       tolerations: []
+
+      ## SecurityContext holds pod-level security attributes and common container settings.
+      ## This defaults to non root user with uid 2000 and gid 2000.	*v1.PodSecurityContext	false
+      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+      ##
+      securityContext:
+        runAsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+
     # Use certmanager to generate webhook certs
     certManager:
       enabled: false