Bitnami/charts
2
0
Fork 0
mirror of https://github.com/bitnami/charts.git synced 2026-03-06 06:58:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

[bitnami/prometheus] feat: 🔒 Add readOnlyRootFilesystem support (#23990)

Browse Source 
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-03-06 09:51:17 +01:00
committed by GitHub
parent 3abf97369c
commit bdf0d79f3a
5 changed files with 29 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
bitnami/prometheus/Chart.yaml
View File

@@ -35,4 +35,4 @@ sources:
- https://github.com/bitnami/containers/tree/main/bitnami/prometheus
- https://github.com/prometheus/prometheus
- https://github.com/prometheus-community/helm-charts
version: 0.11.4
version: 0.12.0

3
bitnami/prometheus/README.md
View File

@@ -127,6 +127,7 @@ The command removes all the Kubernetes components associated with the chart and
| `alertmanager.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `alertmanager.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `alertmanager.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `alertmanager.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `alertmanager.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `alertmanager.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `alertmanager.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -258,6 +259,7 @@ The command removes all the Kubernetes components associated with the chart and
| `server.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `server.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `server.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `server.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `server.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `server.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `server.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
@@ -320,6 +322,7 @@ The command removes all the Kubernetes components associated with the chart and
| `server.thanos.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `server.thanos.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `server.thanos.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `server.thanos.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
| `server.thanos.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `server.thanos.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `server.thanos.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |

8
bitnami/prometheus/templates/alertmanager/statefulset.yaml
View File

@@ -94,6 +94,9 @@ spec:
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: data
mountPath: {{ .Values.alertmanager.persistence.mountPath }}
{{- if .Values.alertmanager.persistence.subPath }}
@@ -197,6 +200,9 @@ spec:
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.alertmanager.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: config
mountPath: /opt/bitnami/alertmanager/conf
readOnly: true
@@ -209,6 +215,8 @@ spec:
{{- include "common.tplvalues.render" ( dict "value" .Values.alertmanager.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
- name: config
configMap:
name: {{ include "prometheus.alertmanager.configmapName" . }}

11
bitnami/prometheus/templates/server/deployment.yaml
View File

@@ -88,6 +88,9 @@ spec:
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: data
mountPath: {{ .Values.server.persistence.mountPath }}
{{- if .Values.server.persistence.subPath }}
@@ -190,6 +193,9 @@ spec:
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.server.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: config
mountPath: /opt/bitnami/prometheus/conf
readOnly: true
@@ -235,6 +241,9 @@ spec:
containerPort: 10902
protocol: TCP
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- mountPath: /prometheus
name: data
{{- if .Values.server.thanos.extraVolumeMounts }}
@@ -266,6 +275,8 @@ spec:
{{- include "common.tplvalues.render" ( dict "value" .Values.server.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
- name: config
configMap:
name: {{ include "prometheus.server.configmapName" . }}

6
bitnami/prometheus/values.yaml
View File

@@ -205,6 +205,7 @@ alertmanager:
## @param alertmanager.containerSecurityContext.enabled Enabled containers' Security Context
## @param alertmanager.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param alertmanager.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param alertmanager.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param alertmanager.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param alertmanager.containerSecurityContext.privileged Set container's Security Context privileged
## @param alertmanager.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -216,6 +217,7 @@ alertmanager:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
@@ -818,6 +820,7 @@ server:
## @param server.containerSecurityContext.enabled Enabled containers' Security Context
## @param server.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param server.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param server.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param server.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param server.containerSecurityContext.privileged Set container's Security Context privileged
## @param server.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -829,6 +832,7 @@ server:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
@@ -1066,6 +1070,7 @@ server:
## @param server.thanos.containerSecurityContext.enabled Enabled containers' Security Context
## @param server.thanos.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param server.thanos.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param server.thanos.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param server.thanos.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param server.thanos.containerSecurityContext.privileged Set container's Security Context privileged
## @param server.thanos.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -1077,6 +1082,7 @@ server:
enabled: true
seLinuxOptions: null
runAsUser: 1001
runAsGroup: 0
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false