MON-3479: update Prometheus operator assets to v0.69.1

This commit also pins the prometheus-operator jsonnet to the current
stable release branch of the operator. The reason is that pinning to the
main branch has the drawback of pulling CRD changes which are not yet
supported by the downstream operator.

The commit also updates the different jsonnet dependencies to their
latest versions and makes adjustments to the CMO jsonnet to be
compatible with OCP requirements (in particular to the security contexts
of node_exporter and thanos-querier).

Signed-off-by: Simon Pasquier <spasquie@redhat.com>

assets/control-plane/prometheus-rule.yaml

@@ -530,7 +530,7 @@ spec:
       labels:
         namespace: kube-system
         severity: critical
-  - name: k8s.rules
+  - name: k8s.rules.container_cpu_usage_seconds_total
     rules:
     - expr: |
         sum by (cluster, namespace, pod, container) (
@@ -539,30 +539,40 @@ spec:
           1, max by(cluster, namespace, pod, node) (kube_pod_info{node!=""})
         )
       record: node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate
+  - name: k8s.rules.container_memory_working_set_bytes
+    rules:
     - expr: |
         container_memory_working_set_bytes{job="kubelet", metrics_path="/metrics/cadvisor", image!=""}
         * on (cluster, namespace, pod) group_left(node) topk by(cluster, namespace, pod) (1,
           max by(cluster, namespace, pod, node) (kube_pod_info{node!=""})
         )
       record: node_namespace_pod_container:container_memory_working_set_bytes
+  - name: k8s.rules.container_memory_rss
+    rules:
     - expr: |
         container_memory_rss{job="kubelet", metrics_path="/metrics/cadvisor", image!=""}
         * on (cluster, namespace, pod) group_left(node) topk by(cluster, namespace, pod) (1,
           max by(cluster, namespace, pod, node) (kube_pod_info{node!=""})
         )
       record: node_namespace_pod_container:container_memory_rss
+  - name: k8s.rules.container_memory_cache
+    rules:
     - expr: |
         container_memory_cache{job="kubelet", metrics_path="/metrics/cadvisor", image!=""}
         * on (cluster, namespace, pod) group_left(node) topk by(cluster, namespace, pod) (1,
           max by(cluster, namespace, pod, node) (kube_pod_info{node!=""})
         )
       record: node_namespace_pod_container:container_memory_cache
+  - name: k8s.rules.container_memory_swap
+    rules:
     - expr: |
         container_memory_swap{job="kubelet", metrics_path="/metrics/cadvisor", image!=""}
         * on (cluster, namespace, pod) group_left(node) topk by(cluster, namespace, pod) (1,
           max by(cluster, namespace, pod, node) (kube_pod_info{node!=""})
         )
       record: node_namespace_pod_container:container_memory_swap
+  - name: k8s.rules.container_resource
+    rules:
     - expr: |
         kube_pod_container_resource_requests{resource="memory",job="kube-state-metrics"}  * on (namespace, pod, cluster)
         group_left() max by (namespace, pod, cluster) (
@@ -631,6 +641,8 @@ spec:
             )
         )
       record: namespace_cpu:kube_pod_container_resource_limits:sum
+  - name: k8s.rules.pod_owner
+    rules:
     - expr: |
         max by (cluster, namespace, workload, pod) (
           label_replace(

assets/node-exporter/daemonset.yaml

@@ -110,6 +110,8 @@ spec:
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /etc/tls/private

assets/node-exporter/security-context-constraints.yaml

@@ -17,4 +17,6 @@ runAsUser:
   type: RunAsAny
 seLinuxContext:
   type: RunAsAny
+seccompProfiles:
+- runtime/default
 users: []

assets/prometheus-adapter/deployment.yaml

@@ -81,6 +81,9 @@ spec:
             drop:
             - ALL
           readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         startupProbe:
           failureThreshold: 18
           httpGet:

assets/prometheus-k8s/prometheus.yaml

@@ -188,6 +188,8 @@ spec:
     matchLabels:
       openshift.io/cluster-monitoring: "true"
   ruleSelector: {}
+  scrapeConfigNamespaceSelector: null
+  scrapeConfigSelector: null
   secrets:
   - prometheus-k8s-tls
   - prometheus-k8s-proxy

assets/prometheus-user-workload/prometheus.yaml

@@ -223,6 +223,8 @@ spec:
   ruleSelector:
     matchLabels:
       openshift.io/prometheus-rule-evaluation-scope: leaf-prometheus
+  scrapeConfigNamespaceSelector: null
+  scrapeConfigSelector: null
   secrets:
   - prometheus-user-workload-tls
   - prometheus-user-workload-thanos-sidecar-tls

assets/thanos-querier/deployment.yaml

@@ -76,6 +76,15 @@ spec:
           requests:
             cpu: 10m
             memory: 12Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /etc/tls/grpc

jsonnet/components/node-exporter.libsonnet

@@ -140,6 +140,7 @@ function(params)
       seLinuxContext: {
         type: 'RunAsAny',
       },
+      seccompProfiles: ['runtime/default'],
       users: [],
     },
 

jsonnet/components/prometheus-user-workload.libsonnet

@@ -278,11 +278,6 @@ function(params)
         overrideHonorLabels: true,
         ignoreNamespaceSelectors: true,
         enforcedNamespaceLabel: 'namespace',
-        ruleSelector: {
-          matchLabels: {
-            'openshift.io/prometheus-rule-evaluation-scope': 'leaf-prometheus',
-          },
-        },
         arbitraryFSAccessThroughSMs+: {
           deny: true,
         },
@@ -327,11 +322,20 @@ function(params)
           $.kubeRbacProxyFederateSecret.metadata.name,
         ],
         configMaps: ['serving-certs-ca-bundle', 'metrics-client-ca'],
+        probeSelector: {},
         probeNamespaceSelector: cfg.namespaceSelector,
+        podMonitorSelector: {},
         podMonitorNamespaceSelector: cfg.namespaceSelector,
         serviceMonitorSelector: {},
         serviceMonitorNamespaceSelector: cfg.namespaceSelector,
+        ruleSelector: {
+          matchLabels: {
+            'openshift.io/prometheus-rule-evaluation-scope': 'leaf-prometheus',
+          },
+        },
         ruleNamespaceSelector: cfg.namespaceSelector,
+        scrapeConfigSelector: null,
+        scrapeConfigNamespaceSelector: null,
         listenLocal: true,
         priorityClassName: 'openshift-user-critical',
         containers: [

jsonnet/components/prometheus.libsonnet

@@ -350,6 +350,8 @@ function(params)
         serviceMonitorNamespaceSelector: cfg.namespaceSelector,
         ruleSelector: {},
         ruleNamespaceSelector: cfg.namespaceSelector,
+        scrapeConfigSelector: null,
+        scrapeConfigNamespaceSelector: null,
         listenLocal: true,
         priorityClassName: 'system-cluster-critical',
         additionalAlertRelabelConfigs: cfg.additionalRelabelConfigs,

jsonnet/jsonnetfile.json

@@ -26,7 +26,7 @@
           "subdir": "jsonnet/prometheus-operator"
         }
       },
-      "version": "main"
+      "version": "release-0.69"
     },
     {
       "source": {
@@ -68,4 +68,4 @@
     }
   ],
   "legacyImports": true
-}
+}

jsonnet/jsonnetfile.lock.json

@@ -18,8 +18,8 @@
           "subdir": "contrib/mixin"
         }
       },
-      "version": "01a0d8ba839120fab607fdc258cb8b0437565507",
-      "sum": "LTbR+JGJ0gW3AdJQRl24VIKyKnPlPFaB+d+iysj4IU0="
+      "version": "c0bb57a3d46dab144bd02ee27192006b2bd4f72c",
+      "sum": "xuUBd2vqF7asyVDe5CE08uPT/RxAdy8O75EjFJoMXXU="
     },
     {
       "source": {
@@ -58,8 +58,8 @@
           "subdir": "gen/grafonnet-v10.0.0"
         }
       },
-      "version": "e85299323fd8808187d30865cc5c7a38a347399a",
-      "sum": "uJCTMGtY/7c5HSLQ7UQD38TOPmuSYrIKLIKmdSF/Htk="
+      "version": "9e217263ac4b922ca2e00bc5cc36ada2311bb5a6",
+      "sum": "gj/20VIGucG2vDGjG7YdHLC4yUUfrpuaneUYaRmymOM="
     },
     {
       "source": {
@@ -68,8 +68,8 @@
           "subdir": "grafana-builder"
         }
       },
-      "version": "4ef571d6a729989dec2f7dd3ba63b664988d0a3f",
-      "sum": "xEFMv4+ObwP5L1Wu0XK5agWci4AJzNApys6iKAQxLlQ="
+      "version": "a7647832fd3eaae70411bc9f697fa7504b04796c",
+      "sum": "aCN8uCrs2PDLR0SzRAuwZ6C5hiKt1KggCUCT7/F8yZ0="
     },
     {
       "source": {
@@ -78,8 +78,8 @@
           "subdir": "doc-util"
         }
       },
-      "version": "fd8de9039b3c06da77d635a3a8289809a5bfb542",
-      "sum": "mFebrE9fhyAKW4zbnidcjVFupziN5LPA/Z7ii94uCzs="
+      "version": "503e5c8fe96d6b55775037713ac10b184709ad93",
+      "sum": "BY4u0kLF3Qf/4IB4HnX9S5kEQIpHb4MUrppp6WLDtlU="
     },
     {
       "source": {
@@ -88,8 +88,8 @@
           "subdir": ""
         }
       },
-      "version": "0256a910ac71f0f842696d7bca0bf01ea77eb654",
-      "sum": "zBOpb1oTNvXdq9RF6yzTHill5r1YTJLBBoqyx4JYtAg="
+      "version": "c1a315a7dbead0335a5e0486acc5583395b22a24",
+      "sum": "UVdL+uuFI8BSQgLfMJEJk2WDKsQXNT3dRHcr2Ti9rLI="
     },
     {
       "source": {
@@ -109,8 +109,8 @@
           "subdir": ""
         }
       },
-      "version": "31169fd115654ca023c03cd7b45b9c96704a87e2",
-      "sum": "KJZ5QCtsPm3NofFURHO315rd4pnKc5+trU6ihuE64P8="
+      "version": "bcf8426b9c5ee85fdf8a6d9c62708f94e0367b21",
+      "sum": "1pCIS5kwa2b5JniHr3WV5wwiau29gM0fNQmqO2mXiCQ="
     },
     {
       "source": {
@@ -119,7 +119,7 @@
           "subdir": "jsonnet/kube-state-metrics"
         }
       },
-      "version": "b91dd311397047f15aae4f6dacba0708f24cf446",
+      "version": "4e431f6d149abbb547cefdd884274c1e9a6c5c9f",
       "sum": "+dOzAK+fwsFf97uZpjcjTcEJEC1H8hh/j8f5uIQK/5g="
     },
     {
@@ -129,7 +129,7 @@
           "subdir": "jsonnet/kube-state-metrics-mixin"
         }
       },
-      "version": "b91dd311397047f15aae4f6dacba0708f24cf446",
+      "version": "4e431f6d149abbb547cefdd884274c1e9a6c5c9f",
       "sum": "qclI7LwucTjBef3PkGBkKxF0mfZPbHnn4rlNWKGtR4c="
     },
     {
@@ -139,7 +139,7 @@
           "subdir": "jsonnet"
         }
       },
-      "version": "774cb2ff4b9e21c452650643528c6fa190c7885a",
+      "version": "899188df28b0e495026833c606e16f8fc6b239cf",
       "sum": "9/dHjMKxPKGTAPV1fMAV0RuBck0O+Xyj/FkZjlN7DMs=",
       "name": "openshift-state-metrics"
     },
@@ -150,7 +150,7 @@
           "subdir": "jsonnet/telemeter"
         }
       },
-      "version": "5923762c315758d64e0a3ebebb15943ebf0c2a80",
+      "version": "8f091e8e7ecd3052566bd9dd20eb6991abf762c5",
       "sum": "C8wxoobehWU7ykPDhCMiCmSWTe/8jGjOJvcS+rxzp2U=",
       "name": "telemeter-client"
     },
@@ -161,8 +161,8 @@
           "subdir": "jsonnet/kube-prometheus"
         }
       },
-      "version": "1706065791862d17f8c09a229d47197663eeebf8",
-      "sum": "YiEeMxGeDyf6F0BMvLQgE1/Dlc71tMMycL8ucPUJzyI="
+      "version": "ddff48cd49b7ea6273800e2ebb62a65025608aef",
+      "sum": "AS00RR9bozYYCHHfMsa+VREZdcHGE1AlCzISj7iMeOI="
     },
     {
       "source": {
@@ -171,7 +171,7 @@
           "subdir": "jsonnet/mixin"
         }
       },
-      "version": "dec6461ac4af1d712e75c756d44a7ec5a4085beb",
+      "version": "fa22f77273f034ff49f364c0cdeb33bfed2cc019",
       "sum": "n3flMIzlADeyygb0uipZ4KPp2uNSjdtkrwgHjTC7Ca4=",
       "name": "prometheus-operator-mixin"
     },
@@ -182,8 +182,8 @@
           "subdir": "jsonnet/prometheus-operator"
         }
       },
-      "version": "dec6461ac4af1d712e75c756d44a7ec5a4085beb",
-      "sum": "gl4yvv+WLjt+CaTW4/urKAMx8fs9I4K8PgZ4PyOMD58="
+      "version": "941b9e98d4ae5faa952af250e23c31c56cc1190c",
+      "sum": "RlttLdc+7oWRlxrwsazL2LgvudcSsSAHvy0oqKAc+Mw="
     },
     {
       "source": {
@@ -192,7 +192,7 @@
           "subdir": "doc/alertmanager-mixin"
         }
       },
-      "version": "e92d29d8618b2c7c291a86d79ed46a42c0035e8a",
+      "version": "ce6efba023b0397cb522d64e910684e48d12455f",
       "sum": "1d7ZKYArJKacAWXLUz0bRC1uOkozee/PPw97/W5zGhc=",
       "name": "alertmanager"
     },
@@ -203,7 +203,7 @@
           "subdir": "docs/node-mixin"
         }
       },
-      "version": "7dd2f0dc4f632f7778be134ace0e7c8ecdfe279a",
+      "version": "ed1b8e3d88851806627e4f8262ee26232ca56c2c",
       "sum": "By6n6U10hYDogUsyhsaKZehbhzxBZZobJloiKyKadgM="
     },
     {
@@ -213,8 +213,8 @@
           "subdir": "documentation/prometheus-mixin"
         }
       },
-      "version": "b787e5f190428ba23de9b6dcaa18eb963f239a76",
-      "sum": "8OngT76gVXOUROOOeP9yTe6E/dn+2D2J34Dn690QCG0=",
+      "version": "e250f09b5d34d6c936b18f3b7699df23a0555092",
+      "sum": "rNvddVTMNfaguOGzEGoeKjUsfhlXJBUImC+SIFNNCiM=",
       "name": "prometheus"
     },
     {
@@ -235,8 +235,8 @@
           "subdir": "jsonnet/kube-thanos"
         }
       },
-      "version": "ac261330bb819523d2caba81b4e82add166436c7",
-      "sum": "sN9PqW93Kh+jyf5kvRKQgotY3xbRIU/h22TcNO2KTag="
+      "version": "48639958ccd4fa81fbb261ce4f9e790d69c71e2e",
+      "sum": "22UgIfAACAxg2HRyAXFIN8Qi+p8rEcbWoM5XsXu9Mdo="
     },
     {
       "source": {
@@ -245,7 +245,7 @@
           "subdir": "mixin"
         }
       },
-      "version": "ef2d5d63b184a513af1e188b7a625ad8ef3bce5d",
+      "version": "c74a050a190486addc1ea1ca4b522462fc7ec680",
       "sum": "HhSSbGGCNHCMy1ee5jElYDm0yS9Vesa7QB2/SHKdjsY="
     }
   ],

jsonnet/main.jsonnet

@@ -310,6 +310,17 @@ local inCluster =
         kubeRbacProxyImage: $.values.common.images.kubeRbacProxy,
         promLabelProxyImage: $.values.common.images.promLabelProxy,
         commonLabels+: $.values.common.commonLabels,
+        securityContext: {
+          runAsNonRoot: true,
+          seccompProfile: { type: 'RuntimeDefault' },
+        },
+        securityContextContainer: {
+          runAsNonRoot: true,
+          seccompProfile: { type: 'RuntimeDefault' },
+          allowPrivilegeEscalation: false,
+          readOnlyRootFilesystem: true,
+          capabilities: { drop: ['ALL'] },
+        },
       },
       telemeterClient: {
         namespace: $.values.common.namespace,