From cd8cd4241d3cc464243deae2d21dff20e6d7a968 Mon Sep 17 00:00:00 2001
From: Simon Pasquier
Date: Tue, 9 Apr 2024 16:33:50 +0200
Subject: [PATCH] feat: make Thanos querier compliant with restricted policy (#452)
Signed-off-by: Simon Pasquier
---
 .../monitoring-stack/alertmanager.go | 2 +-
 .../monitoring/monitoring-stack/components.go | 8 ++---
 .../monitoring/thanos-querier/components.go | 30 +++++++++++++++----
 3 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/pkg/controllers/monitoring/monitoring-stack/alertmanager.go b/pkg/controllers/monitoring/monitoring-stack/alertmanager.go
index 87a9fe47..77324c6b 100644
--- a/pkg/controllers/monitoring/monitoring-stack/alertmanager.go
+++ b/pkg/controllers/monitoring/monitoring-stack/alertmanager.go
@@ -77,7 +77,7 @@ func newAlertmanager(
 },
 }
 if alertmanagerCfg.Image != "" {
- am.Spec.Image = stringPtr(alertmanagerCfg.Image)
+ am.Spec.Image = ptr.To(alertmanagerCfg.Image)
 }
 return am
 }
diff --git a/pkg/controllers/monitoring/monitoring-stack/components.go b/pkg/controllers/monitoring/monitoring-stack/components.go
index 31dde2b2..41df1e4b 100644
--- a/pkg/controllers/monitoring/monitoring-stack/components.go
+++ b/pkg/controllers/monitoring/monitoring-stack/components.go
@@ -191,13 +191,13 @@ func newPrometheus(
 RuleSelector: prometheusSelector,
 RuleNamespaceSelector: ms.Spec.NamespaceSelector,
 Thanos: &monv1.ThanosSpec{
- Image: stringPtr(thanosCfg.Image),
+ Image: ptr.To(thanosCfg.Image),
 },
 },
 }
 if prometheusCfg.Image != "" {
- prometheus.Spec.CommonPrometheusFields.Image = stringPtr(prometheusCfg.Image)
+ prometheus.Spec.CommonPrometheusFields.Image = ptr.To(prometheusCfg.Image)
 }
 if !ms.Spec.AlertmanagerConfig.Disabled {
@@ -484,7 +484,3 @@ func podLabels(component string, msName string) map[string]string {
 "app.kubernetes.io/part-of": msName,
 }
 }
-
-func stringPtr(s string) *string {
- return &s
-}
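Review bot: In the newPrometheus hunk the Thanos sidecar image is assigned unconditionally, `Image: ptr.To(thanosCfg.Image)`, while the Prometheus image two lines below is only set when `prometheusCfg.Image != ""`; with an empty ThanosConfiguration.Image this still yields a non-nil pointer to "" (as stringPtr did) rather than a nil Image, which downstream consumers may treat differently from "unset". If configuration loading guarantees the Thanos image is non-empty (not visible here), a short comment on that line such as `// thanosCfg.Image is always populated by config loading, so no guard is needed` would stop the asymmetry reading as a bug; otherwise guard it like the Prometheus image. Both this hunk and the alertmanager.go hunk switch to ptr.To with no import change shown for these files, so presumably k8s.io/utils/ptr is already imported by the monitoring-stack package — worth confirming since the diff does not establish it. newPrometheus and newAlertmanager both start before their respective hunks.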
diff --git a/pkg/controllers/monitoring/thanos-querier/components.go b/pkg/controllers/monitoring/thanos-querier/components.go
index 67b11fb9..90553995 100644
--- a/pkg/controllers/monitoring/thanos-querier/components.go
+++ b/pkg/controllers/monitoring/thanos-querier/components.go
@@ -3,14 +3,14 @@ package thanos_querier
 import (
 "fmt"
- "github.com/rhobs/observability-operator/pkg/reconciler"
-
 monv1 "github.com/rhobs/obo-prometheus-operator/pkg/apis/monitoring/v1"
- msoapi "github.com/rhobs/observability-operator/pkg/apis/monitoring/v1alpha1"
-
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
+
+ msoapi "github.com/rhobs/observability-operator/pkg/apis/monitoring/v1alpha1"
+ "github.com/rhobs/observability-operator/pkg/reconciler"
 )
 func thanosComponentReconcilers(thanos *msoapi.ThanosQuerier, sidecarUrls []string, thanosCfg ThanosConfiguration) []reconciler.Reconciler {
@@ -49,7 +49,7 @@ func newThanosQuerierDeployment(name string, spec *msoapi.ThanosQuerier, sidecar
 Labels: componentLabels(name),
 },
 Spec: appsv1.DeploymentSpec{
- Replicas: func(i int32) *int32 { return &i }(1),
+ Replicas: ptr.To(int32(1)),
 Selector: &metav1.LabelSelector{
 MatchLabels: map[string]string{
 "app.kubernetes.io/instance": name,
@@ -74,14 +74,32 @@ func newThanosQuerierDeployment(name string, spec *msoapi.ThanosQuerier, sidecar
 },
 },
 TerminationMessagePolicy: "FallbackToLogsOnError",
+ SecurityContext: &corev1.SecurityContext{
+ AllowPrivilegeEscalation: ptr.To(false),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{
+ "ALL",
+ },
+ },
+ RunAsNonRoot: ptr.To(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 },
 },
 NodeSelector: map[string]string{
 "kubernetes.io/os": "linux",
 },
+ SecurityContext: &corev1.PodSecurityContext{
+ RunAsNonRoot: ptr.To(true),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 },
 },
- ProgressDeadlineSeconds: func(i int32) *int32 { return &i }(300),
+ ProgressDeadlineSeconds: ptr.To(int32(300)),
 },
 }
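Review bot: Both the container and the pod SecurityContext set `RunAsNonRoot: ptr.To(true)` without a RunAsUser, so the non-root guarantee is only enforced at container start from the image's USER; if the Thanos image (configurable via thanosCfg.Image per the earlier hunk) ever lacks a non-root user, the kubelet refuses to create the container (CreateContainerConfigError) rather than admission rejecting the Deployment early — presumably the default image is fine, but the dependency deserves a comment. I would add above the container SecurityContext: `// Required by the "restricted" Pod Security Standard; no RunAsUser is pinned, so the image must declare a non-root USER.` The pod-level RunAsNonRoot/SeccompProfile duplicate the container-level ones, which is harmless for a single-container pod, but hoisting the two literals into package-level vars would make them reusable by other components and keep future edits from silently dropping one side. Optional hardening beyond what the profile requires: `ReadOnlyRootFilesystem: ptr.To(true)` on the container, only if the querier writes nothing to its own filesystem — confirm against the image before adding. newThanosQuerierDeployment starts before this hunk, and its trailing line may lie past the end of the visible text.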