[bitnami/thanos] added psp for thanos querier (#3819)

* [thanos] added psp for thanos querier Signed-off-by: Ahmed Nasir <ahmednasir91@gmail.com> * fix linting issues Signed-off-by: Ahmed Nasir <ahmednasir91@gmail.com> * updated conditions for psp and also created separate files Signed-off-by: Ahmed Nasir <ahmednasir91@gmail.com> * version bump Signed-off-by: Ahmed Nasir <ahmednasir91@gmail.com>
2026-03-16 06:47:30 +08:00 · 2020-10-02 21:00:02 +05:00
parent 7a6824ae85
commit 8976ec476a
7 changed files with 67 additions and 1 deletions
--- a/bitnami/thanos/Chart.yaml
+++ b/bitnami/thanos/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-version: 2.4.3
+version: 2.4.4
 appVersion: 0.15.0
 description: Thanos is a highly available metrics system that can be added on top of existing Prometheus deployments, providing a global query view across all Prometheus installations.
 engine: gotpl
--- a/bitnami/thanos/README.md
+++ b/bitnami/thanos/README.md
@@ -153,6 +153,8 @@ The following tables lists the configurable parameters of the Thanos chart and t
 | `querier.service.loadBalancerSourceRanges`      | Address that are allowed when service is LoadBalancer                                                  | `[]`                                                    |
 | `querier.service.annotations`                   | Annotations for Thanos Querier service                                                                 | `{}`                                                    |
 | `querier.serviceAccount.annotations`            | Annotations for Thanos Querier Service Account                                                         | `{}`                                                    |
+| `querier.rbac.create`                           | Create RBAC                                                                                            | `false`                                                 |
+| `querier.pspEnabled`                            | Create PodSecurityPolicy                                                                               | `false`                                                 |
 | `querier.autoscaling.enabled`                   | Enable autoscaling for Thanos Querier                                                                  | `false`                                                 |
 | `querier.autoscaling.minReplicas`               | Minimum number of Thanos Querier replicas                                                              | `nil`                                                   |
 | `querier.autoscaling.maxReplicas`               | Maximum number of Thanos Querier replicas                                                              | `nil`                                                   |
--- a/bitnami/thanos/templates/querier/psp-clusterrole.yaml
+++ b/bitnami/thanos/templates/querier/psp-clusterrole.yaml
@@ -0,0 +1,12 @@
+{{- if and .Values.querier.enabled .Values.querier.pspEnabled .Values.querier.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "thanos.fullname" . }}-querier
+rules:
+- apiGroups: ['policy']
+  resources: ['podsecuritypolicies']
+  verbs:     ['use']
+  resourceNames:
+  - {{ include "thanos.fullname" . }}-querier
+{{- end -}}
--- a/bitnami/thanos/templates/querier/psp-clusterrolebinding.yaml
+++ b/bitnami/thanos/templates/querier/psp-clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+{{- if and .Values.querier.enabled .Values.querier.pspEnabled .Values.querier.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "thanos.fullname" . }}-querier
+roleRef:
+  kind: ClusterRole
+  name: {{ include "thanos.fullname" . }}-querier
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+# Authorize specific service accounts:
+- kind: ServiceAccount
+  name: {{ include "thanos.serviceaccount.name" (dict "component" "querier" "context" $) }}
+  namespace: {{ .Release.Namespace }}
+{{- end -}}
--- a/bitnami/thanos/templates/querier/psp.yaml
+++ b/bitnami/thanos/templates/querier/psp.yaml
@@ -0,0 +1,22 @@
+{{- if and .Values.querier.enabled .Values.querier.pspEnabled .Values.querier.rbac.create -}}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "thanos.fullname" . }}-querier
+  labels: {{- include "thanos.labels" . | nindent 4 }}
+    app.kubernetes.io/component: querier
+spec:
+  fsGroup:
+    rule: RunAsAny
+  runAsUser:
+    ranges:
+    - max: 1001
+      min: 1001
+    rule: MustRunAs
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - secret
+{{- end -}}
--- a/bitnami/thanos/values-production.yaml
+++ b/bitnami/thanos/values-production.yaml
@@ -147,6 +147,14 @@ querier:
    fsGroup: 1001
    runAsUser: 1001

+  # Create ClusterRole and ClusterRolebing for the Service account
+  rbac:
+    create: false
+  
+  # Create PodSecurity Policy
+  psp:
+    create: false
+  
  ## Thanos Querier containers' resource requests and limits
  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
--- a/bitnami/thanos/values.yaml
+++ b/bitnami/thanos/values.yaml
@@ -157,6 +157,13 @@ querier:
    fsGroup: 1001
    runAsUser: 1001

+  # Create ClusterRole and ClusterRolebing for the Service account
+  rbac:
+    create: false
+
+  # Create PodSecurity Policy
+  pspEnabled: false
+
  ## Thanos Querier containers' resource requests and limits
  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##