[Promtail] enables configuring psp in helm chart (grafana#2659)

* makes pod security policy configurable * bump promtail chart version * bump loki-stack chart version Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>
cyriltovena · Oct 21, 2020 · 129c1ea · 129c1ea
1 parent e5b63c1
commit 129c1ea
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 26 deletions.
diff --git a/production/helm/loki-stack/Chart.yaml b/production/helm/loki-stack/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: "v1"
 name: loki-stack
-version: 0.40.1
+version: 0.41.0
 appVersion: v1.6.0
 kubeVersion: "^1.10.0-0"
 description: "Loki: like Prometheus, but for logs."

diff --git a/production/helm/promtail/Chart.yaml b/production/helm/promtail/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: "v1"
 name: promtail
-version: 0.24.0
+version: 0.25.0
 appVersion: v1.6.0
 kubeVersion: "^1.10.0-0"
 description: "Responsible for gathering logs and sending them to Loki"

diff --git a/production/helm/promtail/templates/podsecuritypolicy.yaml b/production/helm/promtail/templates/podsecuritypolicy.yaml
@@ -9,27 +9,5 @@ metadata:
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
 spec:
-  privileged: false
-  allowPrivilegeEscalation: false
-  volumes:
-    - 'secret'
-    - 'configMap'
-    - 'hostPath'
-    - 'projected'
-    - 'downwardAPI'
-    - 'emptyDir'
-  hostNetwork: false
-  hostIPC: false
-  hostPID: false
-  runAsUser:
-    rule: 'RunAsAny'
-  seLinux:
-    rule: 'RunAsAny'
-  supplementalGroups:
-    rule: 'RunAsAny'
-  fsGroup:
-    rule: 'RunAsAny'
-  readOnlyRootFilesystem: true
-  requiredDropCapabilities:
-    - ALL
-  {{- end }}
+  {{- toYaml .Values.podSecurityPolicy | nindent 2 }}
+{{- end }}
diff --git a/production/helm/promtail/values.yaml b/production/helm/promtail/values.yaml
@@ -58,6 +58,31 @@ rbac:
   create: true
   pspEnabled: true
 
+podSecurityPolicy:
+  privileged: false
+  allowPrivilegeEscalation: false
+  volumes:
+    - 'secret'
+    - 'configMap'
+    - 'hostPath'
+    - 'projected'
+    - 'downwardAPI'
+    - 'emptyDir'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: true
+  requiredDropCapabilities:
+    - ALL
+
 readinessProbe:
   failureThreshold: 5
   httpGet: