From 3071d77b9127d900de4f930890b059ac7d3cfc33 Mon Sep 17 00:00:00 2001
From: Dmitrii Ermakov
Date: Sun, 6 Jun 2021 19:05:38 +0300
Subject: [PATCH] [kube-prometheus-stack] Fix issue #1038 (#1045)
* [kube-prometheus-stack] fix issue 1038
Make the admission webhook Jobs' securityContext configurable
Signed-off-by: Dmitrii Ermakov
* [kube-prometheus-stack] Fix incorrect formatting
Signed-off-by: Dmitrii Ermakov
---
charts/kube-prometheus-stack/Chart.yaml | 2 +-
.../admission-webhooks/job-patch/job-createSecret.yaml | 6 +++---
.../admission-webhooks/job-patch/job-patchWebhook.yaml | 6 +++---
charts/kube-prometheus-stack/values.yaml | 10 ++++++++++
4 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/charts/kube-prometheus-stack/Chart.yaml b/charts/kube-prometheus-stack/Chart.yaml
index acade1c4d9cc..963ae07a510c 100644
--- a/charts/kube-prometheus-stack/Chart.yaml
+++ b/charts/kube-prometheus-stack/Chart.yaml
@@ -18,7 +18,7 @@ name: kube-prometheus-stack
sources:
- https://github.com/prometheus-community/helm-charts
- https://github.com/prometheus-operator/kube-prometheus
-version: 16.2.0
+version: 16.3.0
appVersion: 0.48.0
kubeVersion: ">=1.16.0-0"
home: https://github.com/prometheus-operator/kube-prometheus
diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml
index f8afcb854ccb..de819744218d 100644
--- a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml
@@ -58,8 +58,8 @@ spec:
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.patch.securityContext }}
securityContext:
- runAsGroup: 2000
- runAsNonRoot: true
- runAsUser: 2000
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.patch.securityContext | indent 8 }}
+{{- end }}
{{- end }}
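Review bot: The `if` guard on the first added line drops the whole `securityContext` block when the value is empty, so a user override of `prometheusOperator.admissionWebhooks.patch.securityContext: {}` (or `null`) silently removes the previous `runAsNonRoot: true` / uid 2000 floor and the Job pod runs with whatever user the patch image defaults to; the same applies to the identical change in job-patchWebhook.yaml in the next hunk. Since the commit message presents this as making the context configurable rather than optional, either keep a non-root fallback in the template (e.g. render the block from `.Values...securityContext | default (dict "runAsNonRoot" true)` — hedged, the exact defaulting idiom depends on the chart's conventions) or at least state the consequence next to the new values.yaml key so that emptying it is a deliberate choice. The enclosing Job spec starts outside the hunk, and the hunk's leading whitespace was lost on this page, so the 8-space `indent` cannot be checked against the surrounding nesting here.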
diff --git a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml
index b2d8912f889c..23dc9f43c677 100644
--- a/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -59,8 +59,8 @@ spec:
tolerations:
{{ toYaml . | indent 8 }}
{{- end }}
+{{- if .Values.prometheusOperator.admissionWebhooks.patch.securityContext }}
securityContext:
- runAsGroup: 2000
- runAsNonRoot: true
- runAsUser: 2000
+{{ toYaml .Values.prometheusOperator.admissionWebhooks.patch.securityContext | indent 8 }}
+{{- end }}
{{- end }}
diff --git a/charts/kube-prometheus-stack/values.yaml b/charts/kube-prometheus-stack/values.yaml
index 7a327961ce51..caa43d7f933a 100644
--- a/charts/kube-prometheus-stack/values.yaml
+++ b/charts/kube-prometheus-stack/values.yaml
@@ -1365,6 +1365,16 @@ prometheusOperator:
nodeSelector: {}
affinity: {}
tolerations: []
+
+ ## SecurityContext holds pod-level security attributes and common container settings.
+ ## This defaults to non root user with uid 2000 and gid 2000. *v1.PodSecurityContext false
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ ##
+ securityContext:
+ runAsGroup: 2000
+ runAsNonRoot: true
+ runAsUser: 2000
+
# Use certmanager to generate webhook certs
certManager:
enabled: false
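Review bot: The comment added above the new `securityContext` key carries a pasted fragment, `*v1.PodSecurityContext false`, that reads like a column from the operator's CRD field table rather than guidance for chart users, and it does not say what happens when the value is emptied even though the templates in the previous two hunks omit the block entirely in that case. Suggested replacement for the comment: `## Pod-level securityContext for the admission webhook patch Jobs (v1.PodSecurityContext).` / `## Defaults to a non-root user with uid 2000 and gid 2000; setting this to {} or null removes the` / `## securityContext from the Job pods entirely, so they run as the image's default user.` The `ref:` link line can stay as is.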