From 3071d77b9127d900de4f930890b059ac7d3cfc33 Mon Sep 17 00:00:00 2001
From: Dmitrii Ermakov
Date: Sun, 6 Jun 2021 19:05:38 +0300
Subject: [PATCH] [kube-prometheus-stack] Fix issue #1038 (#1045)
* [kube-prometheus-stack] fix issue 1038 Make admission Web Hook Jobs securityContext configurable
Signed-off-by: Dmitrii Ermakov
* [kube-prometheus-stack] Fix incorrect formatting
Signed-off-by: Dmitrii Ermakov
---
 charts/kube-prometheus-stack/Chart.yaml | 2 +-
 .../admission-webhooks/job-patch/job-createSecret.yaml | 6 +++---
 .../admission-webhooks/job-patch/job-patchWebhook.yaml | 6 +++---
 charts/kube-prometheus-stack/values.yaml | 10 ++++++++++
 4 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/charts/kube-prometheus-stack/Chart.yaml b/charts/kube-prometheus-stack/Chart.yaml
index acade1c4d9cc..963ae07a510c 100644
--- a/charts/kube-prometheus-stack/Chart.yaml
+++ b/charts/kube-prometheus-stack/Chart.yaml
@@ -18,7 +18,7 @@ name: kube-prometheus-stack
 sources:
   - https://github.com/prometheus-community/helm-charts
   - https://github.com/prometheus-operator/kube-prometheus
-version: 16.2.0
+version: 16.3.0
 appVersion: 0.48.0
 kubeVersion: ">=1.16.0-0"
 home: https://github.com/prometheus-operator/kube-prometheus
diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml
index f8afcb854ccb..de819744218d 100644
--- a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml
@@ -58,8 +58,8 @@ spec:
       tolerations:
 {{ toYaml . | indent 8 }}
     {{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.patch.securityContext }}
       securityContext:
-        runAsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.patch.securityContext | indent 8 }}
+{{- end }}
 {{- end }}
diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml
index b2d8912f889c..23dc9f43c677 100644
--- a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -59,8 +59,8 @@ spec:
       tolerations:
 {{ toYaml . | indent 8 }}
     {{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.patch.securityContext }}
       securityContext:
-        runAsGroup: 2000
-        runAsNonRoot: true
-        runAsUser: 2000
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.patch.securityContext | indent 8 }}
+{{- end }}
 {{- end }}
diff --git a/charts/kube-prometheus-stack/values.yaml b/charts/kube-prometheus-stack/values.yaml
index 7a327961ce51..caa43d7f933a 100644
--- a/charts/kube-prometheus-stack/values.yaml
+++ b/charts/kube-prometheus-stack/values.yaml
@@ -1365,6 +1365,16 @@ prometheusOperator:
       nodeSelector: {}
       affinity: {}
       tolerations: []
+
+      ## SecurityContext holds pod-level security attributes and common container settings.
+      ## This defaults to non root user with uid 2000 and gid 2000. *v1.PodSecurityContext false
+      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+      ##
+      securityContext:
+        runAsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+
     # Use certmanager to generate webhook certs
     certManager:
       enabled: false
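Review bot: The new guard on the line before `securityContext:` is a plain truthiness test, so a values override of `securityContext: {}` or `securityContext: null` drops the whole block, including `runAsNonRoot: true`, and the job pod then runs with whatever user the cluster's admission policy (PSP/SCC or similar) assigns; nothing in the template says that this is the intended opt-out. The identical guard is added in the job-patchWebhook.yaml hunk and the same remark applies there. A template comment above the guard would make the contract explicit, e.g. `{{- /* An empty or null patch.securityContext omits the pod securityContext entirely so that cluster defaults apply */ -}}`. The `{{- end }}` on the hunk's last line closes a block that starts outside the hunk.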
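Review bot: The second added comment line in the values.yaml hunk ends with the fragment `*v1.PodSecurityContext false`, which reads like text pasted from an API reference table and tells a chart user nothing; the comment also does not explain how to opt out now that the templates render the block only when the value is non-empty. I would replace that line with `## Defaults to a non-root user with uid 2000 and gid 2000. Set to {} to omit the pod securityContext` followed by `## entirely and let the cluster's admission policy assign the user and group.`. That an empty map is the intended opt-out is inferred from the `if` guard in the template hunks rather than stated anywhere in the commit, so confirm it before documenting it.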