From cc74e68a57982c6925cd60f8344dd2d4e44328bd Mon Sep 17 00:00:00 2001
From: RS Krishna
Date: Tue, 29 Sep 2020 18:30:13 +0000
Subject: [PATCH] [Promtail] enables configuring psp in helm chart (#2659)

* makes pod security policy configurable
* bump promtail chart version
* bump loki-stack chart version
---
 production/helm/loki-stack/Chart.yaml | 2 +-
 production/helm/promtail/Chart.yaml | 2 +-
 .../promtail/templates/podsecuritypolicy.yaml | 26 ++-----------------
 production/helm/promtail/values.yaml | 25 ++++++++++++++++++
 4 files changed, 29 insertions(+), 26 deletions(-)

diff --git a/production/helm/loki-stack/Chart.yaml b/production/helm/loki-stack/Chart.yaml
index 7817560f7be8b..c4528943f7d5d 100644
--- a/production/helm/loki-stack/Chart.yaml
+++ b/production/helm/loki-stack/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: "v1"
 name: loki-stack
-version: 0.40.1
+version: 0.41.0
 appVersion: v1.6.0
 kubeVersion: "^1.10.0-0"
 description: "Loki: like Prometheus, but for logs."
diff --git a/production/helm/promtail/Chart.yaml b/production/helm/promtail/Chart.yaml
index 88c3ba48b391d..cc6116dce21cf 100644
--- a/production/helm/promtail/Chart.yaml
+++ b/production/helm/promtail/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: "v1"
 name: promtail
-version: 0.24.0
+version: 0.25.0
 appVersion: v1.6.0
 kubeVersion: "^1.10.0-0"
 description: "Responsible for gathering logs and sending them to Loki"
diff --git a/production/helm/promtail/templates/podsecuritypolicy.yaml b/production/helm/promtail/templates/podsecuritypolicy.yaml
index 77ab4a493e98d..56643cb5b0849 100644
--- a/production/helm/promtail/templates/podsecuritypolicy.yaml
+++ b/production/helm/promtail/templates/podsecuritypolicy.yaml
@@ -9,27 +9,5 @@ metadata:
 heritage: {{ .Release.Service }}
 release: {{ .Release.Name }}
 spec:
- privileged: false
- allowPrivilegeEscalation: false
- volumes:
- - 'secret'
- - 'configMap'
- - 'hostPath'
- - 'projected'
- - 'downwardAPI'
- - 'emptyDir'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
- readOnlyRootFilesystem: true
- requiredDropCapabilities:
- - ALL
- {{- end }}
+ {{- toYaml .Values.podSecurityPolicy | nindent 2 }}
+{{- end }}
diff --git a/production/helm/promtail/values.yaml b/production/helm/promtail/values.yaml
index 6db64f77891e5..4e2c12b19cfd9 100644
--- a/production/helm/promtail/values.yaml
+++ b/production/helm/promtail/values.yaml
@@ -58,6 +58,31 @@ rbac:
 create: true
 pspEnabled: true
 
+podSecurityPolicy:
+ privileged: false
+ allowPrivilegeEscalation: false
+ volumes:
+ - 'secret'
+ - 'configMap'
+ - 'hostPath'
+ - 'projected'
+ - 'downwardAPI'
+ - 'emptyDir'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'RunAsAny'
+ fsGroup:
+ rule: 'RunAsAny'
+ readOnlyRootFilesystem: true
+ requiredDropCapabilities:
+ - ALL
+
 readinessProbe:
 failureThreshold: 5
 httpGet:
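Review bot: After this change the PSP `spec` is exactly what `.Values.podSecurityPolicy` contains, so the template itself no longer enforces any of the restrictions it used to hard-code, and a null or mistyped override renders an empty `spec:` that is only rejected by the API server (PodSecurityPolicySpec requires `seLinux`, `runAsUser`, `supplementalGroups` and `fsGroup`, as far as I recall) rather than at template time. A `required` guard would fail fast on a null value, e.g. `{{- required "podSecurityPolicy must be set when rbac.pspEnabled is true" .Values.podSecurityPolicy | toYaml | nindent 2 }}`, though it does not catch an empty map. A template comment above that line, such as `{{/* spec is rendered verbatim from values; the keys there are the containment boundary of the promtail pod */}}`, would tell the next maintainer that nothing in this file hardens the pod any more. The `if` block that the `{{- end }}` closes begins outside the hunk.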
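Review bot: The new `podSecurityPolicy` map carries no comment, so nothing in values.yaml tells an operator that it is rendered verbatim as the PodSecurityPolicy `spec` (only when `rbac.pspEnabled` is true) and that each key is a containment boundary for the promtail pod rather than a tuning knob. Add above `podSecurityPolicy:` something like `# Rendered verbatim as the PodSecurityPolicy spec when rbac.pspEnabled is true. Loosening these defaults (privileged, host namespaces, extra volume types) widens what a compromised promtail pod can reach.` The defaults also allow `hostPath` with no `allowedHostPaths`, so any host directory may be mounted; if the DaemonSet's host mounts are fixed (they are not visible in this diff), listing them under `allowedHostPaths` with `readOnly: true` would tighten the shipped default.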