Adding container level securityContext for all thanos components #1348

Open
wants to merge 1 commit into
base: master
2 changes: 1 addition & 1 deletion thanos/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ keywords:
sources:
- https://github.com/thanos-io/thanos
- https://github.com/banzaicloud/banzai-charts/tree/master/thanos
version: 0.4.9
version: 0.4.10
icon: https://raw.githubusercontent.com/thanos-io/thanos/master/docs/img/Thanos-logo_fullmedium.png
maintainers:
- name: Banzai Cloud
Expand Down
75 changes: 38 additions & 37 deletions thanos/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -146,43 +146,44 @@ This section describes the values available

These setting applicable to nearly all components.

|Name|Description| Default Value|
|----|-----------|--------------|
| $component.labels | Additional labels to the Pod | {} |
| $component.annotations | Additional annotations to the Pod | {} |
| $component.deploymentLabels | Additional labels to the deployment | {} |
| $component.deploymentAnnotations | Additional annotations to the deployment | {} |
| $component.extraEnv | Add extra environment variables | [] |
| $component.strategy | Kubernetes [deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) object | {} |
| $component.updateStrategy | Kubernetes [statefulset update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies) object | {} |
| $component.metrics.annotations.enabled | Prometheus annotation for component | false |
| $component.metrics.serviceMonitor.enabled | Prometheus ServiceMonitor definition for component | false |
| $component.securityContext | SecurityContext for Pod | {} |
| $component.resources | Resource definition for container | {} |
| $component.tolerations | [Node tolerations for server scheduling to nodes with taints](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) | {} |
| $component.nodeSelector | [Node labels for compact pod assignment](https://kubernetes.io/docs/user-guide/node-selection/) | {} |
| $component.affinity | [Pod affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity) | {} |
| $component.grpc.port | grpc listen port number | 10901 |
| $component.grpc.service.annotations | Service definition for grpc service | {} |
| $component.grpc.service.matchLabels | Pod label selector to match grpc service on. | `{}` |
| $component.grpc.ingress.enabled | Set up ingress for the grpc service | false |
| $component.grpc.ingress.defaultBackend | Set up default backend for ingress | false |
| $component.grpc.ingress.annotations | Add annotations to ingress | {} |
| $component.grpc.ingress.labels | Add labels to ingress | {} |
| $component.grpc.ingress.path | Ingress path | "/" |
| $component.grpc.ingress.hosts | Ingress hosts | [] |
| $component.grpc.ingress.tls | Ingress TLS configuration | [] |
| $component.http.port | http listen port number | 10902 |
| $component.http.service.annotations | Service definition for http service | {} |
| $component.http.service.matchLabels | Pod label selector to match http service on. | `{}` |
| $component.http.ingress.enabled | Set up ingress for the http service | false |
| $component.http.ingress.apiVersion | Set API version for ingress | extensions/v1beta1 |
| $component.http.ingress.defaultBackend | Set up default backend for ingress | false |
| $component.http.ingress.annotations | Add annotations to ingress | {} |
| $component.http.ingress.labels | Add labels to ingress | {} |
| $component.http.ingress.path | Ingress path | "/" |
| $component.http.ingress.hosts | Ingress hosts | [] |
| $component.http.ingress.tls | Ingress TLS configuration | [] |
| Name | Description | Default Value|
|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|--------------|
| $component.labels | Additional labels to the Pod | {} |
| $component.annotations | Additional annotations to the Pod | {} |
| $component.deploymentLabels | Additional labels to the deployment | {} |
| $component.deploymentAnnotations | Additional annotations to the deployment | {} |
| $component.extraEnv | Add extra environment variables | [] |
| $component.strategy | Kubernetes [deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) object | {} |
| $component.updateStrategy | Kubernetes [statefulset update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies) object | {} |
| $component.metrics.annotations.enabled | Prometheus annotation for component | false |
| $component.metrics.serviceMonitor.enabled | Prometheus ServiceMonitor definition for component | false |
| $component.securityContext | SecurityContext for Pod | {} |
| $component.containerSecurityContext | SecurityContext for Container | {} |
| $component.resources | Resource definition for container | {} |
| $component.tolerations | [Node tolerations for server scheduling to nodes with taints](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) | {} |
| $component.nodeSelector | [Node labels for compact pod assignment](https://kubernetes.io/docs/user-guide/node-selection/) | {} |
| $component.affinity | [Pod affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity) | {} |
| $component.grpc.port | grpc listen port number  | 10901 |
| $component.grpc.service.annotations | Service definition for grpc service | {} |
| $component.grpc.service.matchLabels | Pod label selector to match grpc service on. | `{}` |
| $component.grpc.ingress.enabled | Set up ingress for the grpc service | false |
| $component.grpc.ingress.defaultBackend | Set up default backend for ingress | false |
| $component.grpc.ingress.annotations | Add annotations to ingress | {} |
| $component.grpc.ingress.labels | Add labels to ingress | {} |
| $component.grpc.ingress.path | Ingress path | "/" |
| $component.grpc.ingress.hosts | Ingress hosts | [] |
| $component.grpc.ingress.tls | Ingress TLS configuration | [] |
| $component.http.port | http listen port number  | 10902 |
| $component.http.service.annotations | Service definition for http service | {} |
| $component.http.service.matchLabels | Pod label selector to match http service on. | `{}` |
| $component.http.ingress.enabled | Set up ingress for the http service | false |
| $component.http.ingress.apiVersion | Set API version for ingress | extensions/v1beta1 |
| $component.http.ingress.defaultBackend | Set up default backend for ingress | false |
| $component.http.ingress.annotations | Add annotations to ingress | {} |
| $component.http.ingress.labels | Add labels to ingress | {} |
| $component.http.ingress.path | Ingress path | "/" |
| $component.http.ingress.hosts | Ingress hosts | [] |
| $component.http.ingress.tls | Ingress TLS configuration | [] |

## Store
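Review bot: The one new row, `$component.containerSecurityContext`, is buried in a whitespace-only rewrite of the whole table (38 additions, 37 deletions), and the rewrite is not consistent: the `Default Value` column is left unpadded and the `grpc.port` and `http.port` descriptions gain a trailing double space. Keep the original row formatting and add only the new row, or move the realignment to its own commit. The description "SecurityContext for Container" should also say that this is where container-only fields such as `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `capabilities` belong, since `$component.securityContext` is applied at Pod level.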

Expand Down
1 change: 1 addition & 0 deletions thanos/templates/bucket-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ spec:
mountPath: /etc/config
readOnly: true
resources: {{ toYaml .Values.bucket.resources | nindent 10 }}
securityContext: {{ toYaml .Values.bucket.containerSecurityContext | nindent 10 }}
volumes:
- name: config-volume
secret:
Expand Down
1 change: 1 addition & 0 deletions thanos/templates/compact-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ spec:
- name: data-volume
mountPath: /var/thanos/compact
resources: {{ toYaml .Values.compact.resources | nindent 10 }}
securityContext: {{ toYaml .Values.compact.containerSecurityContext | nindent 10 }}
volumes:
- name: data-volume
{{- if .Values.compact.dataVolume.backend }}
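Review bot: Missing documentation for how the new `securityContext` line interacts with the `data-volume` mount at `/var/thanos/compact`: a container-level `runAsUser` or `runAsNonRoot` set through `compact.containerSecurityContext` can leave the process unable to write its data directory unless the pod-level `compact.securityContext` sets a matching `fsGroup`. A sentence in the README or in the values.yaml comment saying the two settings have to be chosen together would save users a failed rollout.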
Expand Down
2 changes: 2 additions & 0 deletions thanos/templates/query-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,8 @@ spec:
containerPort: {{ .Values.query.grpc.port }}
resources:
{{ toYaml .Values.query.resources | nindent 10 }}
securityContext:
{ { toYaml .Values.query.containerSecurityContext | nindent 10 } }
volumeMounts:
{{- range .Values.query.serviceDiscoveryFileConfigMaps }}
- mountPath: /etc/query/{{ . }}
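Review bot: The template action added under `securityContext:` is written `{ { toYaml .Values.query.containerSecurityContext | nindent 10 } }`, with a space between the braces, so Helm does not treat it as a template action and emits the text literally instead of the rendered value. It should match the `resources` line directly above it: `{{ toYaml .Values.query.containerSecurityContext | nindent 10 }}`. This looks like a YAML formatter rewrote the delimiters; running `helm template` or `helm lint` on the chart before pushing would catch it.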
Expand Down
2 changes: 2 additions & 0 deletions thanos/templates/query-frontend-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -140,6 +140,8 @@ spec:
containerPort: {{ .Values.queryFrontend.grpc.port }}
resources:
{{ toYaml .Values.queryFrontend.resources | nindent 10 }}
securityContext:
{ { toYaml .Values.queryFrontend.containerSecurityContext | nindent 10 } }
volumeMounts:
{{- range .Values.queryFrontend.serviceDiscoveryFileConfigMaps }}
- mountPath: /etc/query-frontend/{{ . }}
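Review bot: Broken delimiters on the line after `securityContext:`, which reads `{ { toYaml .Values.queryFrontend.containerSecurityContext | nindent 10 } }`. The inner spaces have to go (`{{` and `}}`), as on the `resources` line above, otherwise `queryFrontend.containerSecurityContext` never reaches the rendered Deployment.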
Expand Down
1 change: 1 addition & 0 deletions thanos/templates/rule-statefulset.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ spec:
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources: {{ toYaml .Values.rule.resources | nindent 10 }}
securityContext: {{ toYaml .Values.rule.containerSecurityContext | nindent 10 }}
{{- with .Values.rule.extraEnv }}
env: {{ toYaml . | nindent 8 }}
{{- end }}
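Review bot: `securityContext:` is emitted unconditionally on the added line, so with the default `containerSecurityContext: {}` every rendered container carries an empty `securityContext` block, while the `extraEnv` lines just below already use the chart's pattern for optional values. Consider wrapping it the same way: `{{- with .Values.rule.containerSecurityContext }}`, then `securityContext: {{ toYaml . | nindent 10 }}`, then `{{- end }}`.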
Expand Down
2 changes: 2 additions & 0 deletions thanos/templates/store-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -145,6 +145,8 @@ spec:
{{- end }}
resources:
{{ toYaml $root.Values.store.resources | nindent 10 }}
securityContext:
{ { toYaml $root.Values.store.containerSecurityContext | nindent 10 } }
volumes:
- name: data
{{- if $root.Values.store.dataVolume.backend }}
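Review bot: The line added under `securityContext:` uses `{ {` and `} }` with a space between the braces (`{ { toYaml $root.Values.store.containerSecurityContext | nindent 10 } }`), so it is not parsed as a template action and the store container will not receive the configured context. Write it as `{{ toYaml $root.Values.store.containerSecurityContext | nindent 10 }}`, matching the `resources` line above.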
Expand Down
12 changes: 12 additions & 0 deletions thanos/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -152,6 +152,8 @@ store:
# - chart-example.local
# Optional securityContext
securityContext: {}
# Optional containerSecurityContext
containerSecurityContext: {}
resources: {}
# limits:
# cpu: 2000m
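Review bot: The comment `# Optional containerSecurityContext` above the new `store` key does not tell a user what to put there, while `resources` right below it carries a commented-out example. Add a commented example of the hardening fields this key exists for, e.g. `# allowPrivilegeEscalation: false`, `# readOnlyRootFilesystem: true`, `# capabilities: { drop: ["ALL"] }`.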
Expand Down Expand Up @@ -378,6 +380,8 @@ query:

# Optional securityContext
securityContext: {}
# Optional containerSecurityContext
containerSecurityContext: { }
resources: {}
# limits:
# cpu: 2000m
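Review bot: The new default is written `containerSecurityContext: { }` here (and in the queryFrontend, compact, bucket and rule hunks that follow) but `containerSecurityContext: {}` under `store`, and the neighbouring `securityContext` and `resources` defaults all use `{}`. Use `{}` throughout; the stray space looks like the same formatter pass that split the `{{` delimiters in the query, query-frontend and store templates.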
Expand Down Expand Up @@ -597,6 +601,8 @@ queryFrontend:

# Optional securityContext
securityContext: {}
# Optional containerSecurityContext
containerSecurityContext: { }
resources: {}
# limits:
# cpu: 2000m
Expand Down Expand Up @@ -713,6 +719,8 @@ compact:

# Optional securityContext
securityContext: {}
# Optional containerSecurityContext
containerSecurityContext: { }
resources: {}
# limits:
# cpu: 2000m
Expand Down Expand Up @@ -824,6 +832,8 @@ bucket:

# Optional securityContext
securityContext: {}
# Optional containerSecurityContext
containerSecurityContext: { }
resources: {}
# limits:
# cpu: 2000m
Expand Down Expand Up @@ -1056,6 +1066,8 @@ rule:

# Optional securityContext
securityContext: {}
# Optional containerSecurityContext
containerSecurityContext: { }
resources: {}
# limits:
# cpu: 2000m
Expand Down