From 60c7625faf204864f862d98f8319e8f774f006bc Mon Sep 17 00:00:00 2001
From: RSKR
Date: Wed, 23 Sep 2020 08:39:34 +0530
Subject: [PATCH 1/3] makes pod security policy configurable
---
 .../promtail/templates/podsecuritypolicy.yaml | 26 ++-----------------
 production/helm/promtail/values.yaml | 25 ++++++++++++++++++
 2 files changed, 27 insertions(+), 24 deletions(-)
diff --git a/production/helm/promtail/templates/podsecuritypolicy.yaml b/production/helm/promtail/templates/podsecuritypolicy.yaml
index 77ab4a493e98..56643cb5b084 100644
--- a/production/helm/promtail/templates/podsecuritypolicy.yaml
+++ b/production/helm/promtail/templates/podsecuritypolicy.yaml
@@ -9,27 +9,5 @@ metadata:
 heritage: {{ .Release.Service }}
 release: {{ .Release.Name }}
 spec:
- privileged: false
- allowPrivilegeEscalation: false
- volumes:
- - 'secret'
- - 'configMap'
- - 'hostPath'
- - 'projected'
- - 'downwardAPI'
- - 'emptyDir'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
- readOnlyRootFilesystem: true
- requiredDropCapabilities:
- - ALL
- {{- end }}
+ {{- toYaml .Values.podSecurityPolicy | nindent 2 }}
+{{- end }}
diff --git a/production/helm/promtail/values.yaml b/production/helm/promtail/values.yaml
index 6db64f77891e..4e2c12b19cfd 100644
--- a/production/helm/promtail/values.yaml
+++ b/production/helm/promtail/values.yaml
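Review bot: In templates/podsecuritypolicy.yaml the `toYaml .Values.podSecurityPolicy` line renders whatever the values file holds with no check, so an override that nulls the key (`podSecurityPolicy: null`) produces a `spec:` with a `null` body and the mistake only surfaces when the manifest is applied. Failing at render time is cheap: `{{- required "podSecurityPolicy must not be empty" .Values.podSecurityPolicy | toYaml | nindent 2 }}`. The restrictions that used to be fixed in the template (`privileged: false`, `requiredDropCapabilities: ALL`, `readOnlyRootFilesystem: true`) are now only defaults, so the chart no longer guarantees them to anyone who reviews the template alone. The `if` that `{{- end }}` closes starts outside the hunk.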
@@ -58,6 +58,31 @@ rbac:
 create: true
 pspEnabled: true
+podSecurityPolicy:
+ privileged: false
+ allowPrivilegeEscalation: false
+ volumes:
+ - 'secret'
+ - 'configMap'
+ - 'hostPath'
+ - 'projected'
+ - 'downwardAPI'
+ - 'emptyDir'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+ readOnlyRootFilesystem: true
+ requiredDropCapabilities:
+ - ALL
+
 readinessProbe:
 failureThreshold: 5
 httpGet:
From dd3b41e804d80670e5ec3625be811665cbf13950 Mon Sep 17 00:00:00 2001
From: RSKR
Date: Wed, 23 Sep 2020 08:44:10 +0530
Subject: [PATCH 2/3] bump promtail chart version
---
 production/helm/promtail/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/production/helm/promtail/Chart.yaml b/production/helm/promtail/Chart.yaml
index 88c3ba48b391..cc6116dce21c 100644
--- a/production/helm/promtail/Chart.yaml
+++ b/production/helm/promtail/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: "v1"
 name: promtail
-version: 0.24.0
+version: 0.25.0
 appVersion: v1.6.0
 kubeVersion: "^1.10.0-0"
 description: "Responsible for gathering logs and sending them to Loki"
From 33d3ec1dd179c7cab35b599b6779c6dc10868ae5 Mon Sep 17 00:00:00 2001
From: RSKR
Date: Tue, 29 Sep 2020 15:21:15 +0530
Subject: [PATCH 3/3] bump loki-stack chart version
---
 production/helm/loki-stack/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/production/helm/loki-stack/Chart.yaml b/production/helm/loki-stack/Chart.yaml
index 7817560f7be8..c4528943f7d5 100644
--- a/production/helm/loki-stack/Chart.yaml
+++ b/production/helm/loki-stack/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: "v1"
 name: loki-stack
-version: 0.40.1
+version: 0.41.0
 appVersion: v1.6.0
 kubeVersion: "^1.10.0-0"
 description: "Loki: like Prometheus, but for logs."
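Review bot: The new `podSecurityPolicy:` block in promtail/values.yaml carries no comment, although it is now the only place where the policy's restrictions are defined and any override changes what the PSP admits. Add a comment above it such as `# Spec of the PodSecurityPolicy created for promtail; rendered verbatim, so relaxing a field here relaxes the policy`, and note that Helm replaces lists (`volumes`, `requiredDropCapabilities`) wholesale on override rather than merging them, so a partial list silently drops the other entries. Because `hostPath` is allowed without restriction, a commented `allowedHostPaths` example with `readOnly: true` would let operators pin the policy to the log directories promtail reads.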