Upgrade the Coreos Prometheus extension to use the Prometheus-Operato…

…r v0.14.0 (tilt-dev#608) * feat: Upgrade Prometheus to v0.13.0 Signed-off-by: Jeremy Dinsel <[email protected]> * added update to coreos_prometheus/Tiltfile v0.13.0 Signed-off-by: Jeremy Dinsel <[email protected]> * chore: rename files to match new name Signed-off-by: Jeremy Dinsel <[email protected]> * Trying without local replacements for prometheus-operator Signed-off-by: Jeremy Dinsel <[email protected]> * switch to v0.14.0 which has just been released Signed-off-by: Jeremy Dinsel <[email protected]> * copy of the nodeExporter-daemonset.yaml file with sys mount removed Signed-off-by: Jeremy Dinsel <[email protected]> * allow greater read access within the cluster Signed-off-by: Jeremy Dinsel <[email protected]> --------- Signed-off-by: Jeremy Dinsel <[email protected]>
GEBIT · Sep 14, 2024 · dd80528 · dd80528
1 parent 016723e
commit dd80528
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 66 deletions.
diff --git a/coreos_prometheus/Tiltfile b/coreos_prometheus/Tiltfile
@@ -52,7 +52,7 @@ def replace_target(src, target):
 def download_files():
     cachedir = _find_cache_dir()
 
-    kube_prometheus_version = '0.8.0'
+    kube_prometheus_version = '0.14.0'
     kube_prometheus_tarball = os.path.join(cachedir, 'coreos-kube-prometheus-%s.tar.gz' % kube_prometheus_version)
     kube_prometheus_tarball_quoted = shlex.quote(kube_prometheus_tarball)
 

diff --git a/...s/prometheus/node-exporter-daemonset.yaml → ...us/prometheus/nodeExporter-daemonset.yaml b/...s/prometheus/node-exporter-daemonset.yaml → ...us/prometheus/nodeExporter-daemonset.yaml
@@ -1,11 +1,13 @@
+# Source: https://github.com/prometheus-operator/kube-prometheus/blob/v0.14.0/manifests/nodeExporter-daemonset.yaml
+# Modified to remove the `sys` mount
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
     app.kubernetes.io/component: exporter
     app.kubernetes.io/name: node-exporter
     app.kubernetes.io/part-of: kube-prometheus
-    app.kubernetes.io/version: 1.1.2
+    app.kubernetes.io/version: 1.8.2
   name: node-exporter
   namespace: monitoring
 spec:
@@ -16,23 +18,27 @@ spec:
       app.kubernetes.io/part-of: kube-prometheus
   template:
     metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: node-exporter
       labels:
         app.kubernetes.io/component: exporter
         app.kubernetes.io/name: node-exporter
         app.kubernetes.io/part-of: kube-prometheus
-        app.kubernetes.io/version: 1.1.2
+        app.kubernetes.io/version: 1.8.2
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - --web.listen-address=127.0.0.1:9100
-        - --path.sysfs=/host/sys
         - --path.rootfs=/host/root
+        - --path.udev.data=/host/root/run/udev/data
         - --no-collector.wifi
         - --no-collector.hwmon
-        - --collector.filesystem.ignored-mount-points=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/pods/.+)($|/)
-        - --collector.netclass.ignored-devices=^(veth.*)$
-        - --collector.netdev.device-exclude=^(veth.*)$
-        image: quay.io/prometheus/node-exporter:v1.1.2
+        - --no-collector.btrfs
+        - --collector.filesystem.mount-points-exclude=^/(dev|proc|sys|run/k3s/containerd/.+|var/lib/docker/.+|var/lib/kubelet/pods/.+)($|/)
+        - --collector.netclass.ignored-devices=^(veth.*|[a-f0-9]{15})$
+        - --collector.netdev.device-exclude=^(veth.*|[a-f0-9]{15})$
+        image: quay.io/prometheus/node-exporter:v1.8.2
         name: node-exporter
         resources:
           limits:
@@ -41,16 +47,20 @@ spec:
           requests:
             cpu: 102m
             memory: 180Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - SYS_TIME
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
         volumeMounts:
-        - mountPath: /host/sys
-          name: sys
-          readOnly: false
         - mountPath: /host/root
           mountPropagation: HostToContainer
           name: root
           readOnly: true
       - args:
-        - --logtostderr
         - --secure-listen-address=[$(IP)]:9100
         - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
         - --upstream=http://127.0.0.1:9100/
@@ -59,7 +69,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: status.podIP
-        image: quay.io/brancz/kube-rbac-proxy:v0.8.0
+        image: quay.io/brancz/kube-rbac-proxy:v0.18.1
         name: kube-rbac-proxy
         ports:
         - containerPort: 9100
@@ -73,23 +83,29 @@ spec:
             cpu: 10m
             memory: 20Mi
         securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
           runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
       hostNetwork: true
       hostPID: true
       nodeSelector:
         kubernetes.io/os: linux
+      priorityClassName: system-cluster-critical
       securityContext:
+        runAsGroup: 65534
         runAsNonRoot: true
         runAsUser: 65534
       serviceAccountName: node-exporter
       tolerations:
       - operator: Exists
       volumes:
-      - hostPath:
-          path: /sys
-        name: sys
       - hostPath:
           path: /
         name: root

diff --git a/coreos_prometheus/prometheus/prometheus-clusterRole.yaml b/coreos_prometheus/prometheus/prometheus-clusterRole.yaml
@@ -1,13 +1,27 @@
+# Source: https://github.com/prometheus-operator/kube-prometheus/blob/v0.14.0/manifests/prometheus-clusterRole.yaml
+# Modified to grant access to pods, services, and endpoints
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/component: prometheus
+    app.kubernetes.io/instance: k8s
     app.kubernetes.io/name: prometheus
     app.kubernetes.io/part-of: kube-prometheus
-    app.kubernetes.io/version: 2.26.0
+    app.kubernetes.io/version: 2.54.1
   name: prometheus-k8s
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes/metrics
+  verbs:
+  - get
+- nonResourceURLs:
+  - /metrics
+  - /metrics/slis
+  verbs:
+  - get
 - apiGroups:
   - ""
   resources:

diff --git a/coreos_prometheus/prometheus/prometheus-prometheus.yaml b/coreos_prometheus/prometheus/prometheus-prometheus.yaml