diff --git a/.bingo/Variables.mk b/.bingo/Variables.mk index 1c47056..66ebea2 100644 --- a/.bingo/Variables.mk +++ b/.bingo/Variables.mk @@ -53,9 +53,9 @@ $(JSONNETFMT): $(BINGO_DIR)/jsonnetfmt.mod @echo "(re)installing $(GOBIN)/jsonnetfmt-v0.20.0" @cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=jsonnetfmt.mod -o=$(GOBIN)/jsonnetfmt-v0.20.0 "github.com/google/go-jsonnet/cmd/jsonnetfmt" -KUBECONFORM := $(GOBIN)/kubeconform-v0.4.4 +KUBECONFORM := $(GOBIN)/kubeconform-v0.6.3 $(KUBECONFORM): $(BINGO_DIR)/kubeconform.mod @# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies. - @echo "(re)installing $(GOBIN)/kubeconform-v0.4.4" - @cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=kubeconform.mod -o=$(GOBIN)/kubeconform-v0.4.4 "github.com/yannh/kubeconform/cmd/kubeconform" + @echo "(re)installing $(GOBIN)/kubeconform-v0.6.3" + @cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=kubeconform.mod -o=$(GOBIN)/kubeconform-v0.6.3 "github.com/yannh/kubeconform/cmd/kubeconform" diff --git a/.bingo/kubeconform.mod b/.bingo/kubeconform.mod index 80d3db8..9d289ef 100644 --- a/.bingo/kubeconform.mod +++ b/.bingo/kubeconform.mod @@ -1,5 +1,5 @@ module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT -go 1.15 +go 1.21 -require github.com/yannh/kubeconform v0.4.4 // cmd/kubeconform +require github.com/yannh/kubeconform v0.6.3 // cmd/kubeconform diff --git a/.bingo/kubeconform.sum b/.bingo/kubeconform.sum index 797c3b8..d380423 100644 --- a/.bingo/kubeconform.sum +++ b/.bingo/kubeconform.sum 
@@ -1,6 +1,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/santhosh-tekuri/jsonschema/v5 v5.1.1 h1:lEOLY2vyGIqKWUI9nzsOJRV3mb3WC9dXYORsLEUcoeY= +github.com/santhosh-tekuri/jsonschema/v5 v5.1.1/go.mod h1:FKdcjfQW6rpZSnxxUvEA5H/cDPdvJ/SZJQLWWXWGrZ0= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c= @@ -11,9 +13,13 @@ github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= github.com/yannh/kubeconform v0.4.4 h1:1+Wmd2QnZFaHd5hrNXWxwvPbE/pVTDNNWWXRaoN1Zbs= github.com/yannh/kubeconform v0.4.4/go.mod h1:Ysf3RSreh2rX8IJsVt/uT3Um/U3e3ykx6Fcz8nCdskM= +github.com/yannh/kubeconform v0.6.3 h1:lNmb/kphyzitA+GBsOxjBsagCEpjLvt3+qo3XMiEOUA= +github.com/yannh/kubeconform v0.6.3/go.mod h1:4E6oaL+lh7KgCG2SaOabeeAFBkyKu5D9ab0OEekGcbs= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= 
diff --git a/.bingo/kubeval.sum b/.bingo/kubeval.sum new file mode 100644 index 0000000..7e712c1 --- /dev/null +++ b/.bingo/kubeval.sum 
@@ -0,0 +1,57 @@ +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/hashicorp/errwrap v0.0.0-20180715044906-d6c0cd880357 h1:Rem2+U35z1QtPQc6r+WolF7yXiefXqDKyk+lN2pE164= +github.com/hashicorp/errwrap v0.0.0-20180715044906-d6c0cd880357/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-multierror v0.0.0-20180717150148-3d5d8f294aa0 h1:j30noezaCfvNLcdMYSvHLv81DxYRSt1grlpseG67vhU= +github.com/hashicorp/go-multierror v0.0.0-20180717150148-3d5d8f294aa0/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I= +github.com/hashicorp/hcl v0.0.0-20180404174102-ef8a98b0bbce h1:xdsDDbiBDQTKASoGEZ+pEmF1OnWuu8AQ9I8iNbHNeno= +github.com/hashicorp/hcl v0.0.0-20180404174102-ef8a98b0bbce/go.mod h1:oZtUIOe8dh44I2q6ScRibXws4Ajl+d+nod3AaR9vL5w= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/instrumenta/kubeval v0.0.0-20201005082916-38668c6c5b23 h1:M1Ms+wV9kd4g65MWhdyoMmaVIZj4U18t5bFRPs/zJUs= +github.com/instrumenta/kubeval v0.0.0-20201005082916-38668c6c5b23/go.mod h1:cD+P/oZrBwOnaIHXrqvKPuN353KPxGomnsXSXf8pFJs= +github.com/magiconair/properties v1.8.0 h1:LLgXmsheXeRoUOBOjtwPQCWIYqM/LU1ayDtDePerRcY= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mattn/go-colorable v0.1.0 h1:v2XXALHHh6zHfYTJ+cSkwtyffnaOyR1MXaA91mTrb8o= +github.com/mattn/go-colorable v0.1.0/go.mod 
h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-isatty v0.0.4 h1:bnP0vzxcAdeI1zdubAl5PjU6zsERjGZb7raWodagDYs= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mitchellh/mapstructure v0.0.0-20180715050151-f15292f7a699 h1:KXZJFdun9knAVAR8tg/aHJEr5DgtcbqyvzacK+CDCaI= +github.com/mitchellh/mapstructure v0.0.0-20180715050151-f15292f7a699/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/pelletier/go-toml v0.0.0-20180724185102-c2dbbc24a979 h1:Uh8pTMDzw+nuDTW7lyxcpmYqQJFE8SnO93F3lyY4XzY= +github.com/pelletier/go-toml v0.0.0-20180724185102-c2dbbc24a979/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/spf13/afero v1.1.1 h1:Lt3ihYMlE+lreX1GS4Qw4ZsNpYQLxIXKBTEOXm3nt6I= +github.com/spf13/afero v1.1.1/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/cast v1.2.0 h1:HHl1DSRbEQN2i8tJmtS6ViPyHx35+p51amrdsiTCrkg= +github.com/spf13/cast v1.2.0/go.mod h1:r2rcYCSwa1IExKTDiTfzaxqT2FNHs8hODu4LnUfgKEg= +github.com/spf13/cobra v0.0.0-20180820174524-ff0d02e85550 h1:LB9SHuuXO8gnsHtexOQSpsJrrAHYA35lvHUaE74kznU= +github.com/spf13/cobra v0.0.0-20180820174524-ff0d02e85550/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/jwalterweatherman v0.0.0-20180814060501-14d3d4c51834 h1:kJI9pPzfsULT/72wy7mxkRQZPtKWgFdCA2RTGZ4v8/E= +github.com/spf13/jwalterweatherman v0.0.0-20180814060501-14d3d4c51834/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v0.0.0-20180821114517-d929dcbb1086 h1:iU+nPfqRqK8ShQqnpZLv8cZ9oklo6NFUcmX1JT5Rudg= +github.com/spf13/pflag v0.0.0-20180821114517-d929dcbb1086/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/viper v1.1.0 h1:V7OZpY8i3C1x/pDmU0zNNlfVoDz112fSYvtWMjjS3f4= +github.com/spf13/viper 
v1.1.0/go.mod h1:A8kyI5cUJhb8N+3pkfONlcEcZbueH6nhAm0Fq7SrnBM= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c= +github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/xeipuuv/gojsonschema v0.0.0-20180816142147-da425ebb7609 h1:BcMExZAULPkihVZ7UJXK7t8rwGqisXFw75tILnafhBY= +github.com/xeipuuv/gojsonschema v0.0.0-20180816142147-da425ebb7609/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs= +golang.org/x/sys v0.0.0-20180821044426-4ea2f632f6e9 h1:0RHCP7KEw0rDuVXXaT2gfV77uu6lTKa5aItB+EoFbQk= +golang.org/x/sys v0.0.0-20180821044426-4ea2f632f6e9/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/text v0.0.0-20180810153555-6e3c4e7365dd h1:e/dojZNNKqwK3xq7UQTKTQJim18r/FxvQk7PFXULeZg= +golang.org/x/text v0.0.0-20180810153555-6e3c4e7365dd/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v2 v2.2.1 h1:mUhvW9EsL+naU5Q3cakzfE91YhliOondGd6ZrsDBHQE= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs= +sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= diff --git a/CHANGELOG.md b/CHANGELOG.md index 165d9b1..c6d59a8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -32,6 +32,7 @@ We use *breaking* word for marking changes that are not backward compatible (rel - [#305](https://github.com/thanos-io/kube-thanos/pull/305) Receive: allow configuration of limits-config-file - [#308](https://github.com/thanos-io/kube-thanos/pull/308) Recive: add store limits flags - [#310](https://github.com/thanos-io/kube-thanos/pull/310) Ruler: Add host anti-affinity to ruler +- [#313](https://github.com/thanos-io/kube-thanos/pull/313) Add per-container SecurityContext ### Fixed diff --git a/Makefile b/Makefile index 0e59913..f6eb606 100644 --- a/Makefile +++ b/Makefile @@ -9,7 +9,7 @@ MANIFESTS := manifests CRDSCHEMAS := .crdschemas TMP := tmp -K8S_VERSION := 1.21.0 +K8S_VERSION := 1.27.0 PROM_OPERATOR_VERSION := 0.46.0 PIP := pip3 diff --git a/examples/all/manifests/thanos-bucket-deployment.yaml b/examples/all/manifests/thanos-bucket-deployment.yaml index 2a1192b..29d2d2e 100644 --- a/examples/all/manifests/thanos-bucket-deployment.yaml +++ b/examples/all/manifests/thanos-bucket-deployment.yaml @@ -76,13 +76,28 @@ spec: requests: cpu: 0.123 memory: 123Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError volumeMounts: [] nodeSelector: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-bucket terminationGracePeriodSeconds: 120 volumes: [] diff --git a/examples/all/manifests/thanos-bucket-replicate-deployment.yaml b/examples/all/manifests/thanos-bucket-replicate-deployment.yaml index 49a19e2..7a37c35 100644 --- a/examples/all/manifests/thanos-bucket-replicate-deployment.yaml +++ b/examples/all/manifests/thanos-bucket-replicate-deployment.yaml 
@@ -90,7 +90,11 @@ spec: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-bucket-replicate terminationGracePeriodSeconds: 120 volumes: [] diff --git a/examples/all/manifests/thanos-compact-shard0-statefulSet.yaml b/examples/all/manifests/thanos-compact-shard0-statefulSet.yaml index f2d533f..1d66fea 100644 --- a/examples/all/manifests/thanos-compact-shard0-statefulSet.yaml +++ b/examples/all/manifests/thanos-compact-shard0-statefulSet.yaml @@ -122,7 +122,11 @@ spec: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-compact terminationGracePeriodSeconds: 120 volumes: [] diff --git a/examples/all/manifests/thanos-compact-shard1-statefulSet.yaml b/examples/all/manifests/thanos-compact-shard1-statefulSet.yaml index 7fef688..bf076a8 100644 --- a/examples/all/manifests/thanos-compact-shard1-statefulSet.yaml +++ b/examples/all/manifests/thanos-compact-shard1-statefulSet.yaml @@ -122,7 +122,11 @@ spec: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-compact terminationGracePeriodSeconds: 120 volumes: [] diff --git a/examples/all/manifests/thanos-compact-shard2-statefulSet.yaml b/examples/all/manifests/thanos-compact-shard2-statefulSet.yaml index 052cc18..a9dbb96 100644 --- a/examples/all/manifests/thanos-compact-shard2-statefulSet.yaml +++ b/examples/all/manifests/thanos-compact-shard2-statefulSet.yaml @@ -122,7 +122,11 @@ spec: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-compact terminationGracePeriodSeconds: 120 volumes: [] 
diff --git a/examples/all/manifests/thanos-compact-statefulSet.yaml b/examples/all/manifests/thanos-compact-statefulSet.yaml index 8def4ac..4c5ab34 100644 --- a/examples/all/manifests/thanos-compact-statefulSet.yaml +++ b/examples/all/manifests/thanos-compact-statefulSet.yaml @@ -112,7 +112,11 @@ spec: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-compact terminationGracePeriodSeconds: 120 volumes: [] diff --git a/examples/all/manifests/thanos-query-deployment.yaml b/examples/all/manifests/thanos-query-deployment.yaml index 2e54550..774a82a 100644 --- a/examples/all/manifests/thanos-query-deployment.yaml +++ b/examples/all/manifests/thanos-query-deployment.yaml @@ -92,11 +92,26 @@ spec: scheme: HTTP periodSeconds: 5 resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError nodeSelector: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-query terminationGracePeriodSeconds: 120 diff --git a/examples/all/manifests/thanos-query-frontend-deployment.yaml b/examples/all/manifests/thanos-query-frontend-deployment.yaml index 2ab1850..2fb0e32 100644 --- a/examples/all/manifests/thanos-query-frontend-deployment.yaml +++ b/examples/all/manifests/thanos-query-frontend-deployment.yaml 
@@ -112,11 +112,26 @@ spec: requests: cpu: 0.123 memory: 123Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError nodeSelector: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-query-frontend terminationGracePeriodSeconds: 120 diff --git a/examples/all/manifests/thanos-receive-default-statefulSet.yaml b/examples/all/manifests/thanos-receive-default-statefulSet.yaml index 9b1c13d..46cd7fc 100644 --- a/examples/all/manifests/thanos-receive-default-statefulSet.yaml +++ b/examples/all/manifests/thanos-receive-default-statefulSet.yaml @@ -144,7 +144,11 @@ spec: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-receive terminationGracePeriodSeconds: 900 volumes: diff --git a/examples/all/manifests/thanos-receive-region-1-statefulSet.yaml b/examples/all/manifests/thanos-receive-region-1-statefulSet.yaml index 98ccbb1..646fb86 100644 --- a/examples/all/manifests/thanos-receive-region-1-statefulSet.yaml +++ b/examples/all/manifests/thanos-receive-region-1-statefulSet.yaml @@ -144,7 +144,11 @@ spec: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-receive terminationGracePeriodSeconds: 900 volumes: diff --git a/examples/all/manifests/thanos-receive-statefulSet.yaml b/examples/all/manifests/thanos-receive-statefulSet.yaml index 659528f..b59f482 100644 --- a/examples/all/manifests/thanos-receive-statefulSet.yaml +++ b/examples/all/manifests/thanos-receive-statefulSet.yaml 
@@ -140,7 +140,11 @@ spec: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-receive terminationGracePeriodSeconds: 900 volumes: diff --git a/examples/all/manifests/thanos-rule-statefulSet.yaml b/examples/all/manifests/thanos-rule-statefulSet.yaml index bbbe815..3c3853e 100644 --- a/examples/all/manifests/thanos-rule-statefulSet.yaml +++ b/examples/all/manifests/thanos-rule-statefulSet.yaml @@ -112,6 +112,17 @@ spec: requests: cpu: 0.123 memory: 123Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/thanos/rule @@ -144,7 +155,11 @@ spec: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-rule volumes: - configMap: diff --git a/examples/all/manifests/thanos-store-shard0-statefulSet.yaml b/examples/all/manifests/thanos-store-shard0-statefulSet.yaml index d46c525..05cb43b 100644 --- a/examples/all/manifests/thanos-store-shard0-statefulSet.yaml +++ b/examples/all/manifests/thanos-store-shard0-statefulSet.yaml @@ -145,6 +145,17 @@ spec: requests: cpu: 0.123 memory: 123Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/thanos/store 
@@ -154,7 +165,11 @@ spec: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-store terminationGracePeriodSeconds: 120 volumes: [] diff --git a/examples/all/manifests/thanos-store-shard1-statefulSet.yaml b/examples/all/manifests/thanos-store-shard1-statefulSet.yaml index 7a47d46..fd8db07 100644 --- a/examples/all/manifests/thanos-store-shard1-statefulSet.yaml +++ b/examples/all/manifests/thanos-store-shard1-statefulSet.yaml @@ -145,6 +145,17 @@ spec: requests: cpu: 0.123 memory: 123Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/thanos/store @@ -154,7 +165,11 @@ spec: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-store terminationGracePeriodSeconds: 120 volumes: [] diff --git a/examples/all/manifests/thanos-store-shard2-statefulSet.yaml b/examples/all/manifests/thanos-store-shard2-statefulSet.yaml index f7bb26a..25f46aa 100644 --- a/examples/all/manifests/thanos-store-shard2-statefulSet.yaml +++ b/examples/all/manifests/thanos-store-shard2-statefulSet.yaml @@ -145,6 +145,17 @@ spec: requests: cpu: 0.123 memory: 123Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/thanos/store 
@@ -154,7 +165,11 @@ spec: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-store terminationGracePeriodSeconds: 120 volumes: [] diff --git a/examples/all/manifests/thanos-store-statefulSet.yaml b/examples/all/manifests/thanos-store-statefulSet.yaml index 50f6d57..0f128a3 100644 --- a/examples/all/manifests/thanos-store-statefulSet.yaml +++ b/examples/all/manifests/thanos-store-statefulSet.yaml @@ -133,6 +133,17 @@ spec: requests: cpu: 0.123 memory: 123Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/thanos/store @@ -142,7 +153,11 @@ spec: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-store terminationGracePeriodSeconds: 120 volumes: [] diff --git a/jsonnet/kube-thanos/kube-thanos-bucket-replicate.libsonnet b/jsonnet/kube-thanos/kube-thanos-bucket-replicate.libsonnet index 7c56160..01cfc30 100644 --- a/jsonnet/kube-thanos/kube-thanos-bucket-replicate.libsonnet +++ b/jsonnet/kube-thanos/kube-thanos-bucket-replicate.libsonnet 
@@ -39,6 +39,18 @@ local defaults = { securityContext:: { fsGroup: 65534, runAsUser: 65534, + runAsGroup: 65532, + runAsNonRoot: true, + seccompProfile: { type: 'RuntimeDefault' }, + }, + securityContextContainer:: { + runAsUser: defaults.securityContext.runAsUser, + runAsGroup: defaults.securityContext.runAsGroup, + runAsNonRoot: defaults.securityContext.runAsNonRoot, + seccompProfile: defaults.securityContext.seccompProfile, + allowPrivilegeEscalation: false, + readOnlyRootFilesystem: true, + capabilities: { drop: ['ALL'] }, }, serviceAccountAnnotations:: {}, diff --git a/jsonnet/kube-thanos/kube-thanos-bucket.libsonnet b/jsonnet/kube-thanos/kube-thanos-bucket.libsonnet index 364efb4..2450dc2 100644 --- a/jsonnet/kube-thanos/kube-thanos-bucket.libsonnet +++ b/jsonnet/kube-thanos/kube-thanos-bucket.libsonnet @@ -34,6 +34,18 @@ local defaults = { securityContext:: { fsGroup: 65534, runAsUser: 65534, + runAsGroup: 65532, + runAsNonRoot: true, + seccompProfile: { type: 'RuntimeDefault' }, + }, + securityContextContainer:: { + runAsUser: defaults.securityContext.runAsUser, + runAsGroup: defaults.securityContext.runAsGroup, + runAsNonRoot: defaults.securityContext.runAsNonRoot, + seccompProfile: defaults.securityContext.seccompProfile, + allowPrivilegeEscalation: false, + readOnlyRootFilesystem: true, + capabilities: { drop: ['ALL'] }, }, serviceAccountAnnotations:: {}, @@ -142,6 +154,7 @@ function(params) { path: '/-/ready', } }, resources: if tb.config.resources != {} then tb.config.resources else {}, + securityContext: tb.config.securityContextContainer, terminationMessagePolicy: 'FallbackToLogsOnError', volumeMounts: if std.objectHas(tb.config.objectStorageConfig, 'tlsSecretName') && std.length(tb.config.objectStorageConfig.tlsSecretName) > 0 then [ { name: 'tls-secret', mountPath: tb.config.objectStorageConfig.tlsSecretMountPath }, 
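Review bot: In the new `securityContextContainer`, `runAsUser`, `runAsGroup`, `runAsNonRoot` and `seccompProfile` are bound to `defaults.securityContext.*`, i.e. the literal default object, so a consumer who overrides `securityContext.runAsUser` in params (assuming `config` is `defaults + params` as in the other libs here) changes only the pod-level value while the container keeps 65534, and the container-level field is the one Kubernetes applies. Binding through the merged object fixes that: `runAsUser: self.securityContext.runAsUser,` and likewise for the other three fields (consumers who replace `securityContext` wholesale then need `+:` or all keys); the same pattern appears in the bucket, compact, query-frontend, query, receive, rule and store defaults hunks of this diff, so change them together. This file also gains `securityContextContainer` without the `securityContext: ...securityContextContainer` line its container gets in the bucket, query, rule and store hunks, and the rendered `thanos-bucket-replicate-deployment.yaml`, `thanos-compact-*-statefulSet.yaml` and `thanos-receive-*-statefulSet.yaml` hunks confirm those workloads only receive the pod-level fields; if that is deliberate a short comment should say so, otherwise wire it as the other components do. Finally, `runAsGroup: 65532` differs from the 65534 used for `runAsUser` and `fsGroup` with no explanation; a comment on that line such as `runAsGroup: 65532,  // TODO(review): document why this gid differs from runAsUser/fsGroup` would keep the next reader from "fixing" it.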
diff --git a/jsonnet/kube-thanos/kube-thanos-compact-default-params.libsonnet b/jsonnet/kube-thanos/kube-thanos-compact-default-params.libsonnet index 69b3643..1cd34a9 100644 --- a/jsonnet/kube-thanos/kube-thanos-compact-default-params.libsonnet +++ b/jsonnet/kube-thanos/kube-thanos-compact-default-params.libsonnet @@ -44,6 +44,19 @@ securityContext:: { fsGroup: 65534, runAsUser: 65534, + runAsGroup: 65532, + runAsNonRoot: true, + seccompProfile: { type: 'RuntimeDefault' }, + }, + + securityContextContainer:: { + runAsUser: defaults.securityContext.runAsUser, + runAsGroup: defaults.securityContext.runAsGroup, + runAsNonRoot: defaults.securityContext.runAsNonRoot, + seccompProfile: defaults.securityContext.seccompProfile, + allowPrivilegeEscalation: false, + readOnlyRootFilesystem: true, + capabilities: { drop: ['ALL'] }, }, serviceAccountAnnotations:: {}, diff --git a/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet b/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet index 13a6582..de64aa8 100644 --- a/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet +++ b/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet @@ -63,6 +63,19 @@ local defaults = { securityContext:: { fsGroup: 65534, runAsUser: 65534, + runAsGroup: 65532, + runAsNonRoot: true, + seccompProfile: { type: 'RuntimeDefault' }, + }, + + securityContextContainer:: { + runAsUser: defaults.securityContext.runAsUser, + runAsGroup: defaults.securityContext.runAsGroup, + runAsNonRoot: defaults.securityContext.runAsNonRoot, + seccompProfile: defaults.securityContext.seccompProfile, + allowPrivilegeEscalation: false, + readOnlyRootFilesystem: true, + capabilities: { drop: ['ALL'] }, }, serviceAccountAnnotations:: {}, @@ -203,6 +216,7 @@ function(params) { path: '/-/ready', } }, resources: if tqf.config.resources != {} then tqf.config.resources else {}, + securityContext: tqf.config.securityContextContainer, terminationMessagePolicy: 'FallbackToLogsOnError', }; 
diff --git a/jsonnet/kube-thanos/kube-thanos-query.libsonnet b/jsonnet/kube-thanos/kube-thanos-query.libsonnet index c40e8a7..973b062 100644 --- a/jsonnet/kube-thanos/kube-thanos-query.libsonnet +++ b/jsonnet/kube-thanos/kube-thanos-query.libsonnet @@ -48,7 +48,21 @@ local defaults = { securityContext:: { fsGroup: 65534, runAsUser: 65534, + runAsGroup: 65532, + runAsNonRoot: true, + seccompProfile: { type: 'RuntimeDefault' }, }, + + securityContextContainer:: { + runAsUser: defaults.securityContext.runAsUser, + runAsGroup: defaults.securityContext.runAsGroup, + runAsNonRoot: defaults.securityContext.runAsNonRoot, + seccompProfile: defaults.securityContext.seccompProfile, + allowPrivilegeEscalation: false, + readOnlyRootFilesystem: true, + capabilities: { drop: ['ALL'] }, + }, + serviceAccountAnnotations:: {}, }; @@ -201,6 +215,7 @@ function(params) { path: '/-/ready', } }, resources: if tq.config.resources != {} then tq.config.resources else {}, + securityContext: tq.config.securityContextContainer, terminationMessagePolicy: 'FallbackToLogsOnError', }; diff --git a/jsonnet/kube-thanos/kube-thanos-receive-default-params.libsonnet b/jsonnet/kube-thanos/kube-thanos-receive-default-params.libsonnet index 095d0db..2b3a04e 100644 --- a/jsonnet/kube-thanos/kube-thanos-receive-default-params.libsonnet +++ b/jsonnet/kube-thanos/kube-thanos-receive-default-params.libsonnet @@ -54,6 +54,19 @@ securityContext:: { fsGroup: 65534, runAsUser: 65534, + runAsGroup: 65532, + runAsNonRoot: true, + seccompProfile: { type: 'RuntimeDefault' }, + }, + + securityContextContainer:: { + runAsUser: defaults.securityContext.runAsUser, + runAsGroup: defaults.securityContext.runAsGroup, + runAsNonRoot: defaults.securityContext.runAsNonRoot, + seccompProfile: defaults.securityContext.seccompProfile, + allowPrivilegeEscalation: false, + readOnlyRootFilesystem: true, + capabilities: { drop: ['ALL'] }, }, serviceAccountAnnotations:: {}, 
diff --git a/jsonnet/kube-thanos/kube-thanos-receive-router.libsonnet b/jsonnet/kube-thanos/kube-thanos-receive-router.libsonnet index 6e2e569..f6dd2c4 100644 --- a/jsonnet/kube-thanos/kube-thanos-receive-router.libsonnet +++ b/jsonnet/kube-thanos/kube-thanos-receive-router.libsonnet @@ -140,6 +140,7 @@ function(params) { path: '/-/ready', } }, resources: if tr.config.resources != {} then tr.config.resources else {}, + securityContext: tr.config.securityContextContainer, terminationMessagePolicy: 'FallbackToLogsOnError', }], volumes: [{ diff --git a/jsonnet/kube-thanos/kube-thanos-rule.libsonnet b/jsonnet/kube-thanos/kube-thanos-rule.libsonnet index d78b8f0..c4a06cd 100644 --- a/jsonnet/kube-thanos/kube-thanos-rule.libsonnet +++ b/jsonnet/kube-thanos/kube-thanos-rule.libsonnet @@ -49,6 +49,19 @@ local defaults = { securityContext:: { fsGroup: 65534, runAsUser: 65534, + runAsGroup: 65532, + runAsNonRoot: true, + seccompProfile: { type: 'RuntimeDefault' }, + }, + + securityContextContainer:: { + runAsUser: defaults.securityContext.runAsUser, + runAsGroup: defaults.securityContext.runAsGroup, + runAsNonRoot: defaults.securityContext.runAsNonRoot, + seccompProfile: defaults.securityContext.seccompProfile, + allowPrivilegeEscalation: false, + readOnlyRootFilesystem: true, + capabilities: { drop: ['ALL'] }, }, serviceAccountAnnotations:: {}, @@ -215,6 +228,7 @@ function(params) { } }, resources: if tr.config.resources != {} then tr.config.resources else {}, + securityContext: tr.config.securityContextContainer, terminationMessagePolicy: 'FallbackToLogsOnError', }; diff --git a/jsonnet/kube-thanos/kube-thanos-store-default-params.libsonnet b/jsonnet/kube-thanos/kube-thanos-store-default-params.libsonnet index 8a541e6..817d0e7 100644 --- a/jsonnet/kube-thanos/kube-thanos-store-default-params.libsonnet +++ b/jsonnet/kube-thanos/kube-thanos-store-default-params.libsonnet 
@@ -83,6 +83,18 @@ securityContext:: { fsGroup: 65534, runAsUser: 65534, + runAsGroup: 65532, + runAsNonRoot: true, + seccompProfile: { type: 'RuntimeDefault' }, + }, + securityContextContainer:: { + runAsUser: defaults.securityContext.runAsUser, + runAsGroup: defaults.securityContext.runAsGroup, + runAsNonRoot: defaults.securityContext.runAsNonRoot, + seccompProfile: defaults.securityContext.seccompProfile, + allowPrivilegeEscalation: false, + readOnlyRootFilesystem: true, + capabilities: { drop: ['ALL'] }, }, serviceAccountAnnotations:: {}, diff --git a/jsonnet/kube-thanos/kube-thanos-store.libsonnet b/jsonnet/kube-thanos/kube-thanos-store.libsonnet index cf56b8c..8ab36e5 100644 --- a/jsonnet/kube-thanos/kube-thanos-store.libsonnet +++ b/jsonnet/kube-thanos/kube-thanos-store.libsonnet @@ -167,6 +167,7 @@ function(params) { path: '/-/ready', } }, resources: if ts.config.resources != {} then ts.config.resources else {}, + securityContext: ts.config.securityContextContainer, terminationMessagePolicy: 'FallbackToLogsOnError', }; diff --git a/manifests/thanos-query-deployment.yaml b/manifests/thanos-query-deployment.yaml index fae1957..9215460 100644 --- a/manifests/thanos-query-deployment.yaml +++ b/manifests/thanos-query-deployment.yaml @@ -77,11 +77,26 @@ spec: scheme: HTTP periodSeconds: 5 resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError nodeSelector: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-query terminationGracePeriodSeconds: 120 diff --git a/manifests/thanos-receive-ingestor-default-statefulSet.yaml b/manifests/thanos-receive-ingestor-default-statefulSet.yaml index 868cb57..c330e94 100644 
--- a/manifests/thanos-receive-ingestor-default-statefulSet.yaml +++ b/manifests/thanos-receive-ingestor-default-statefulSet.yaml @@ -126,7 +126,11 @@ spec: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-receive-ingestor terminationGracePeriodSeconds: 900 volumes: diff --git a/manifests/thanos-receive-router-deployment.yaml b/manifests/thanos-receive-router-deployment.yaml index 7a9875d..9d5d202 100644 --- a/manifests/thanos-receive-router-deployment.yaml +++ b/manifests/thanos-receive-router-deployment.yaml @@ -74,6 +74,17 @@ spec: scheme: HTTP periodSeconds: 5 resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/lib/thanos-receive @@ -82,7 +93,11 @@ spec: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-receive-router terminationGracePeriodSeconds: 30 volumes: diff --git a/manifests/thanos-store-statefulSet.yaml b/manifests/thanos-store-statefulSet.yaml index 49fe6c3..a1146e9 100644 --- a/manifests/thanos-store-statefulSet.yaml +++ b/manifests/thanos-store-statefulSet.yaml @@ -86,6 +86,17 @@ spec: scheme: HTTP periodSeconds: 5 resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /var/thanos/store 
@@ -95,7 +106,11 @@ spec: kubernetes.io/os: linux securityContext: fsGroup: 65534 + runAsGroup: 65532 + runAsNonRoot: true runAsUser: 65534 + seccompProfile: + type: RuntimeDefault serviceAccountName: thanos-store terminationGracePeriodSeconds: 120 volumes: []