Add pod security policies for prometheus components #15055
Hi @wfernandes. Thanks for your PR. I'm waiting for a helm member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@gianrubio @mgoodness As mentioned in the description, this PR is a duplicate of #12825, which was approved but just had a merge conflict, which I believe has been resolved.
/ok-to-test
@wfernandes: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
stable/prometheus/values.yaml
@@ -1,5 +1,7 @@ | |||
rbac: | |||
create: true | |||
podSecurityPolicy: |
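Review bot: `podSecurityPolicy:` is being added as a child of `rbac:` here, but PSP enablement is an admission-control concern, not an RBAC one; nesting it under `rbac` ties the flag to `rbac.create` and will surprise users looking for a top-level switch. Suggest a top-level `podSecurityPolicy:` key (with an explicit `enabled:` default) so the two concerns stay separate.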
I'm not sure enabling PSP is an RBAC-related thing, so it probably doesn't belong inside the rbac structure here?
stable/prometheus/Chart.yaml
@@ -1,6 +1,6 @@ | |||
apiVersion: v1 | |||
name: prometheus | |||
version: 8.14.3 | |||
version: 8.14.4 |
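Review bot: the bump from 8.14.3 to 8.14.4 is a patch-level increment, but this change adds new objects (PSPs and their RBAC) and moves an existing flag, so under semver it should be at least a minor bump (8.15.0), and a major bump if an existing values key is renamed or dropped.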
It's adding a new feature, so I would bump the version to 8.15.0
/ok-to-test
d455386 to 92db526
We pulled PSP enablement outside of rbac, and upped to 9.0.0 (because moving the psp property from under node-exporter to a global property is a breaking change).
@@ -1,5 +1,5 @@ | |||
{{- if and .Values.nodeExporter.enabled .Values.rbac.create }} | |||
{{- if .Values.nodeExporter.podSecurityPolicy.enabled }} | |||
{{- if .Values.podSecurityPolicy.enabled }} |
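Review bot: replacing the `.Values.nodeExporter.podSecurityPolicy.enabled` check with `.Values.podSecurityPolicy.enabled` silently ignores the old key, so an existing install that set only the old value would stop rendering the node-exporter PSP on upgrade with no warning. Either honor both (`{{- if or (default false .Values.nodeExporter.podSecurityPolicy.enabled) .Values.podSecurityPolicy.enabled }}`) and note the deprecation in NOTES.txt, or `fail` with upgrade instructions when the old key is set. Separately, the outer `and .Values.nodeExporter.enabled .Values.rbac.create` guard is kept, so with `rbac.create: false` the PSP is not created even when `podSecurityPolicy.enabled` is true; that dependency should be called out in values.yaml.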
What if we did `{{- if or (default .Values.nodeExporter.podSecurityPolicy.enabled false) (.Values.podSecurityPolicy.enabled) }}` for these checks, and then put a deprecation message in the NOTES.txt? That way it's not yet a breaking change, but it is also preparing people for deprecation of the old value?
Or, if we want the breaking change, we could error if `.Values.nodeExporter.podSecurityPolicy.enabled` is set, with an error message with upgrade instructions.
done!
ab6f016 to 69b34f1
- deprecate nodeExporter.podSecurityPolicy.enabled
  Signed-off-by: David Timm <dtimm@pivotal.io>
  Co-authored-by: David Timm <dtimm@pivotal.io>
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: paulczar, wfernandes The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
- deprecate nodeExporter.podSecurityPolicy.enabled
  Signed-off-by: David Timm <dtimm@pivotal.io>
  Co-authored-by: David Timm <dtimm@pivotal.io>
  Signed-off-by: Roland Gritzer <gritzer.roland@gmail.com>
This PR seems to have introduced a bug where the following error occurs if
Which seems to be caused by creating a ClusterRole without rules here: https://github.com/helm/charts/pull/15055/files#diff-055e5eaaea98daeb77e0619ee5effa11R9
@nico-ulbricht ahh, that makes sense. It should probably encompass the entire ClusterRole (at least until another rule is added).
What this PR does / why we need it:
This PR adds basic Pod Security Policies for the prometheus components. This will allow this chart to be installed in an environment that has the PSP admission controller enabled.
Interestingly, there was a PSP included just for the node-exporter job. We just mimicked that PSP and added some for the other jobs.
Special notes for your reviewer:
This is a duplicate of #12825, which has already been approved. Unfortunately, it got stale and the bot closed the PR.
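As an added example (this is not code from this PR or from the stable/prometheus chart), the template below shows how the pieces discussed in this thread fit together for one component: the PSP itself, the ClusterRole that grants `use` on that PSP, and the binding to the component's service account, with the whole set under a single guard so a rule-less ClusterRole is never rendered (the bug reported above). The guard honors the deprecated `nodeExporter.podSecurityPolicy.enabled` key alongside the new `podSecurityPolicy.enabled` key, as the reviewer suggested. The helper names `prometheus.server.fullname` and `prometheus.serviceAccountName.server` are assumed to exist in the chart and are illustrative, and the example assumes values.yaml still carries `nodeExporter.podSecurityPolicy.enabled: false` as a deprecated default so the key path can be evaluated without a nil error.

```yaml
{{- /* Added example, not the chart's own template. Helper names below are assumed. */ -}}
{{- /* Honour the deprecated node-exporter flag as well as the new global one.     */ -}}
{{- $pspEnabled := or (default false .Values.nodeExporter.podSecurityPolicy.enabled) .Values.podSecurityPolicy.enabled -}}
{{- if and .Values.rbac.create $pspEnabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ template "prometheus.server.fullname" . }}
spec:
  # Server needs no host access: keep it unprivileged and drop every capability.
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  hostNetwork: false
  hostPID: false
  hostIPC: false
  readOnlyRootFilesystem: false
  # Only the volume types the server pod actually mounts.
  volumes:
    - configMap
    - emptyDir
    - persistentVolumeClaim
    - secret
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# Inside the same guard, so the ClusterRole is never emitted with an empty rules list.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "prometheus.server.fullname" . }}-psp
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames:
      - {{ template "prometheus.server.fullname" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "prometheus.server.fullname" . }}-psp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "prometheus.server.fullname" . }}-psp
subjects:
  - kind: ServiceAccount
    name: {{ template "prometheus.serviceAccountName.server" . }}
    namespace: {{ .Release.Namespace }}
{{- end }}
```

The `or (default ...)` guard is the non-breaking route; the stricter alternative from the thread is `{{ if .Values.nodeExporter.podSecurityPolicy.enabled }}{{ fail "nodeExporter.podSecurityPolicy.enabled is deprecated, set podSecurityPolicy.enabled instead" }}{{ end }}` at the top of the template. A quick check after rendering is `helm template . --set podSecurityPolicy.enabled=true | kubectl apply --dry-run -f -`, which surfaces a ClusterRole with no rules or a PSP whose `resourceNames` entry does not match the object name.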