Add pod security policies for prometheus components #15055
Conversation
helm-bot
added
the
Contribution Allowed
helm-bot
added
the
size/L
|
Hi @wfernandes. Thanks for your PR. I'm waiting for a helm member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-ok-to-test
|
@gianrubio @mgoodness As mentioned in the description, this PR is a duplicate of #12825 which was approved but it just had a merge conflict which I believe has been resolved. |
|
/ok-to-test |
|
@wfernandes: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@gianrubio @mgoodness As mentioned in the description, this PR is a duplicate of #12825 which was approved but it just had a merge conflict which I believe has been resolved. |
stable/prometheus/values.yaml
Outdated
| @@ -1,5 +1,7 @@ | |||
| rbac: | |||
| create: true | |||
| podSecurityPolicy: | |||
There was a problem hiding this comment.
I'm not sure enabling PSP is an RBAC related thing, so it probably doesn't belong inside the rbac structure here?
stable/prometheus/Chart.yaml
Outdated
| @@ -1,6 +1,6 @@ | |||
| apiVersion: v1 | |||
| name: prometheus | |||
| version: 8.14.3 | |||
| version: 8.14.4 | |||
There was a problem hiding this comment.
It's adding a new feature, so i would bump version to 8.15.0
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
and removed
needs-ok-to-test
Benjamintf1
force-pushed
the
prometheus-psps
branch
2 times, most recently
from
d455386
to
92db526
Compare
|
We pulled PSP enablement outside of rbac, and upped to 9.0.0 (because moving psp property from under node-exporter to a global property is a breaking change). |
| @@ -1,5 +1,5 @@ | |||
| {{- if and .Values.nodeExporter.enabled .Values.rbac.create }} | |||
| {{- if .Values.nodeExporter.podSecurityPolicy.enabled }} | |||
| {{- if .Values.podSecurityPolicy.enabled }} | |||
There was a problem hiding this comment.
what if we did {{- if or (default .Values.nodeExporter.podSecurityPolicy.enabled false) (.Values.podSecurityPolicy.enabled) }} for these checks, and then put a deprecation message in the NOTES.txt ?
that way its not yet a breaking change, but is also preparing people for deprecation of the old value ?
There was a problem hiding this comment.
or if we want the breaking change we could error if .Values.nodeExporter.podSecurityPolicy.enabled is set with a error message with upgrade instructions.
dtimm
force-pushed
the
prometheus-psps
branch
2 times, most recently
from
ab6f016
to
69b34f1
Compare
- deprecate nodeExporter.podSecurityPolicy.enabled Signed-off-by: David Timm <dtimm@pivotal.io> Co-authored-by: David Timm <dtimm@pivotal.io>
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: paulczar, wfernandes The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
- deprecate nodeExporter.podSecurityPolicy.enabled Signed-off-by: David Timm <dtimm@pivotal.io> Co-authored-by: David Timm <dtimm@pivotal.io>
- deprecate nodeExporter.podSecurityPolicy.enabled Signed-off-by: David Timm <dtimm@pivotal.io> Co-authored-by: David Timm <dtimm@pivotal.io> Signed-off-by: Roland Gritzer <gritzer.roland@gmail.com>
- deprecate nodeExporter.podSecurityPolicy.enabled Signed-off-by: David Timm <dtimm@pivotal.io> Co-authored-by: David Timm <dtimm@pivotal.io>
|
This PR seems to have introduced a bug whereas the following error occurs if Which seems to be caused by creating a ClusterRole without rules here: https://github.com/helm/charts/pull/15055/files#diff-055e5eaaea98daeb77e0619ee5effa11R9 |
|
@nico-ulbricht ahh, that makes sense. It should probubly encompase the entire clusterrole. (at least, until another rule is added). |
- deprecate nodeExporter.podSecurityPolicy.enabled Signed-off-by: David Timm <dtimm@pivotal.io> Co-authored-by: David Timm <dtimm@pivotal.io>
What this PR does / why we need it:
This PR adds basic Pod Security Policies for the promethues components. This will allow this chart to be installed in an environment that has the PSP admission controller enabled.
Interestingly, there was a PSP included just for the node-exporter job. We just mimicked that PSP and added some for the other jobs.
Special notes for your reviewer:
This is a duplicate of #12825 which as already been approved. Unfortunately, it got stale and the bot closed the PR.
Checklist
[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]