From b3dbe6a2ae3aa7d251dcaefc71ad1ad6a11daf03 Mon Sep 17 00:00:00 2001
From: Alice <31040183+alice-sawatzky@users.noreply.github.com>
Date: Mon, 3 Feb 2020 11:53:21 -0600
Subject: [PATCH] [stable/prometheus-blackbox-exporter] add "allowIcmp" setting (#20409)
* [stable/prometheus-blackbox-exporter] add "allowIcmp" setting
Signed-off-by: Alice Sawatzky
* [stable/prometheus-blackbox-exporter] minor version bump
Signed-off-by: Alice Sawatzky
* [stable/prometheus-blackbox-exporter] fix NET_RAW capability
Signed-off-by: Alice Sawatzky
* [stable/prometheus-blackbox-exporter] run as root if allowIcmp is set
Signed-off-by: Alice Sawatzky
* [stable/prometheus-blackbox-exporter] document security implications of allowIcmp
Signed-off-by: Alice Sawatzky
* [stable/prometheus-blackbox-exporter] add test values for allowIcmp
Signed-off-by: Alice Sawatzky
Signed-off-by: Miguel Mingorance
---
 stable/prometheus-blackbox-exporter/Chart.yaml | 2 +-
 stable/prometheus-blackbox-exporter/README.md | 1 +
 stable/prometheus-blackbox-exporter/ci/icmp-values.yaml | 1 +
 .../prometheus-blackbox-exporter/templates/deployment.yaml | 7 ++++++-
 stable/prometheus-blackbox-exporter/values.yaml | 2 ++
 5 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 stable/prometheus-blackbox-exporter/ci/icmp-values.yaml
diff --git a/stable/prometheus-blackbox-exporter/Chart.yaml b/stable/prometheus-blackbox-exporter/Chart.yaml
index 6c88de641773..fe7644245665 100644
--- a/stable/prometheus-blackbox-exporter/Chart.yaml
+++ b/stable/prometheus-blackbox-exporter/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 description: Prometheus Blackbox Exporter
 name: prometheus-blackbox-exporter
-version: 3.0.1
+version: 3.1.0
 appVersion: 0.15.1
 home: https://github.com/prometheus/blackbox_exporter
 sources:
diff --git a/stable/prometheus-blackbox-exporter/README.md b/stable/prometheus-blackbox-exporter/README.md
index e56a09750d60..61f2bf48e31e 100644
--- a/stable/prometheus-blackbox-exporter/README.md
+++ b/stable/prometheus-blackbox-exporter/README.md
@@ -63,6 +63,7 @@ The following table lists the configurable parameters of the Blackbox-Exporter c
 | `podAnnotations` | annotations to add to each pod | `{}` |
 | `podDisruptionBudget` | pod disruption budget | `{}` |
 | `priorityClassName` | priority class name | None |
+| `allowIcmp` | whether to enable ICMP probes, by giving the pods `CAP_NET_RAW` and running as root | `false` |
 | `resources` | pod resource requests & limits | `{}` |
 | `restartPolicy` | container restart policy | `Always` |
 | `service.annotations` | annotations for the service | `{}` |
diff --git a/stable/prometheus-blackbox-exporter/ci/icmp-values.yaml b/stable/prometheus-blackbox-exporter/ci/icmp-values.yaml
new file mode 100644
index 000000000000..39dfe5e8782c
--- /dev/null
+++ b/stable/prometheus-blackbox-exporter/ci/icmp-values.yaml
@@ -0,0 +1 @@
+allowIcmp: true
diff --git a/stable/prometheus-blackbox-exporter/templates/deployment.yaml b/stable/prometheus-blackbox-exporter/templates/deployment.yaml
index 7153d7202d4e..6825fcbb3b47 100644
--- a/stable/prometheus-blackbox-exporter/templates/deployment.yaml
+++ b/stable/prometheus-blackbox-exporter/templates/deployment.yaml
@@ -58,8 +58,13 @@ spec:
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 securityContext:
 readOnlyRootFilesystem: {{ .Values.readOnlyRootFilesystem }}
+ {{- if .Values.allowIcmp }}
+ capabilities:
+ add: ["NET_RAW"]
+ {{- else }}
 runAsNonRoot: {{ .Values.runAsNonRoot }}
 runAsUser: {{ .Values.runAsUser }}
+ {{- end }}
 args:
 {{- if .Values.config }}
 - "--config.file=/config/blackbox.yaml"
@@ -117,4 +122,4 @@ spec:
 secret:
 secretName: {{ .secretName }}
 defaultMode: {{ .defaultMode }}
- {{- end }}
\ No newline at end of file
+ {{- end }}
diff --git a/stable/prometheus-blackbox-exporter/values.yaml b/stable/prometheus-blackbox-exporter/values.yaml
index e52e3511c9f0..53e2f33e77e6 100644
--- a/stable/prometheus-blackbox-exporter/values.yaml
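Review bot: In the `allowIcmp` branch of the container securityContext in deployment.yaml, `runAsNonRoot` and `runAsUser` are omitted rather than set, so the effective user is whatever the image defaults to; the README promises "running as root", but nothing in the template enforces that, and if the image default is a non-root user the added NET_RAW capability will typically not be effective for the process anyway. Making the relaxation explicit keeps the intent auditable and the capability set minimal: add `drop: ["ALL"]` under `capabilities` next to `add: ["NET_RAW"]`, and `runAsNonRoot: false` in the same branch. It would also be worth still honouring `.Values.runAsUser` in that branch so an operator can pin the uid instead of inheriting it from the image. The enclosing container spec starts and ends outside the hunk.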
+++ b/stable/prometheus-blackbox-exporter/values.yaml
@@ -58,6 +58,8 @@ extraSecretMounts: []
 # readOnly: true
 # defaultMode: 420
+allowIcmp: false
+
 resources: {}
 # limits:
 # memory: 300Mi
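Review bot: `allowIcmp: false` is added to values.yaml with no comment, while the README entry is the only place that says enabling it grants `CAP_NET_RAW` and discards the non-root settings; operators who edit values.yaml directly will not see that trade-off. Add a comment above the key, e.g. `# Enable ICMP probes. When true the container is given CAP_NET_RAW and the runAsNonRoot/runAsUser values are not applied (see README).`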