helm-charts
[kube-prometheus-stack] support for prometheusOperator.admissionWebhooks.patch.containerSecurityContext
Is your feature request related to a problem?
When a namespace is protected by the restricted Pod Security Standard [1], there is a need to add some securityContext to the containers. It is possible to add the required containerSecurityContext to prometheus-operator itself:

```yaml
containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
```

However, it's not possible to add it to the admissionWebhooks containers. There is only a pod-level securityContext (prometheusOperator.admissionWebhooks.patch.securityContext), but it's not enough. Certain securityContext parameters can only be applied at the container level (e.g. allowPrivilegeEscalation, capabilities).

[1] https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
Describe the solution you'd like.
Add support for the admission webhook containers' securityContext, e.g. prometheusOperator.admissionWebhooks.patch.containerSecurityContext, similar to how we can do it with the prometheus-operator containers.

Alternatively, as a less flexible solution, we can add restricted Pod Security Standard compatible parameters as a static manifest:

```yaml
containers:
  - name: create
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
```
Describe alternatives you've considered.
None
Additional context.
No response
Hello,
I have the same issue. I want to apply an immutable infrastructure strategy (readOnlyRootFilesystem on containers), but .Values.prometheusOperator.containerSecurityContext is not deployed into prometheusOperator.
cf. https://github.com/prometheus-community/helm-charts/blob/kube-prometheus-stack-35.5.1/charts/kube-prometheus-stack/values.yaml#L1708
cf. https://github.com/prometheus-community/helm-charts/blob/kube-prometheus-stack-35.5.1/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml#L33-L46
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
It's still valid.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
It's still valid.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
bump
Just chiming in: this is an important feature for regulated industries to be able to achieve compliance when using these charts, per CIS EKS 4.6.2.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
bump
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
bump
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.
bump
The container's securityContext for both the create and patch container can be set through values:

```yaml
prometheusOperator:
  admissionWebhooks:
    createSecretJob:
      securityContext: {}
    patchWebhookJob:
      securityContext: {}
```

Introduced in kube-prometheus-stack-39.11.0.
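As an added example (not code from the kube-prometheus-stack chart, its maintainers, or anyone in this thread), the script below checks a rendered workload manifest against the securityContext rules of the restricted Pod Security Standard and shows why the per-job container values matter: runAsNonRoot and seccompProfile can be inherited from the pod-level securityContext, but allowPrivilegeEscalation and capabilities only exist on the container. The Job JSON is a constructed stand-in for what `helm template ... | yq -o json` or `kubectl get job -o json` would return; the container names, the image reference and the `RESTRICTED_CONTAINER_SECURITY_CONTEXT` dict (the content one would put under the createSecretJob/patchWebhookJob securityContext values) are assumptions for illustration. Requires Python 3.9+ and only the standard library.

```python
"""Added example: check containers of a rendered manifest against the
restricted Pod Security Standard. Not code from the chart or this thread."""
import copy
import json

# Constructed sample manifest (not real chart output): a Job whose 'create'
# container is hardened and whose 'patch' container is not. The image
# reference is a placeholder.
SAMPLE_JOB_JSON = """
{
  "apiVersion": "batch/v1",
  "kind": "Job",
  "metadata": {"name": "admission-create"},
  "spec": {"template": {"spec": {
    "securityContext": {
      "runAsNonRoot": true,
      "runAsUser": 2000,
      "seccompProfile": {"type": "RuntimeDefault"}
    },
    "containers": [
      {"name": "create", "image": "example.invalid/certgen:1.0",
       "securityContext": {"allowPrivilegeEscalation": false,
                           "readOnlyRootFilesystem": true,
                           "capabilities": {"drop": ["ALL"]}}},
      {"name": "patch", "image": "example.invalid/certgen:1.0",
       "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}
    ]
  }}}
}
"""

# Assumed content for prometheusOperator.admissionWebhooks.createSecretJob.securityContext
# and prometheusOperator.admissionWebhooks.patchWebhookJob.securityContext (chart >= 39.11.0).
RESTRICTED_CONTAINER_SECURITY_CONTEXT = {
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,   # not a PSS rule, but cheap extra hardening
    "capabilities": {"drop": ["ALL"]},
}


def load_sample() -> dict:
    return json.loads(SAMPLE_JOB_JSON)


def pod_spec(manifest: dict) -> dict:
    """Return the PodSpec of a Pod, a CronJob, or any template-bearing workload."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest["spec"]
    if kind == "CronJob":
        return manifest["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return manifest["spec"]["template"]["spec"]


def restricted_violations(manifest: dict) -> dict:
    """Map container name -> list of restricted-profile securityContext rules it breaks.

    Only securityContext rules are checked; the profile's volume-type,
    host-namespace and hostPort rules are out of scope here.
    """
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext") or {}
    violations = {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        problems = []
        if sc.get("privileged"):
            problems.append("privileged must not be true")
        # Container-only fields: nothing at pod level can satisfy these.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append("allowPrivilegeEscalation must be set to false")
        if "ALL" not in caps.get("drop", []):
            problems.append("capabilities.drop must include ALL")
        extra = sorted(set(caps.get("add", [])) - {"NET_BIND_SERVICE"})
        if extra:
            problems.append(f"capabilities.add may only contain NET_BIND_SERVICE, found {extra}")
        # Pod-or-container fields: the container value overrides the pod value.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append("runAsNonRoot must be true at pod or container level")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            problems.append("runAsUser must not be 0")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append("seccompProfile.type must be RuntimeDefault or Localhost")
        if problems:
            violations[c["name"]] = problems
    return violations


def with_container_security_context(manifest: dict, container_sc: dict) -> dict:
    """Copy of manifest with every container's securityContext replaced by container_sc."""
    out = copy.deepcopy(manifest)
    spec = pod_spec(out)
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        c["securityContext"] = copy.deepcopy(container_sc)
    return out


if __name__ == "__main__":
    job = load_sample()
    print("before:", restricted_violations(job))
    fixed = with_container_security_context(job, RESTRICTED_CONTAINER_SECURITY_CONTEXT)
    print("after: ", restricted_violations(fixed))
```

Run it against real output with `helm template <release> prometheus-community/kube-prometheus-stack -f values.yaml | yq -o json` and feed each Job document to `restricted_violations`; an empty dict means the admission-webhook jobs will be admitted in a namespace labelled `pod-security.kubernetes.io/enforce=restricted`. Passing an empty dict to `with_container_security_context` reproduces the situation the issue describes: the pod-level fields are fine, but every container still fails on allowPrivilegeEscalation and capabilities.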
@zeritti Thanks.