Merge remote-tracking branch 'origin/main' into add_alertmanager_serv…

…icemonitor Signed-off-by: Thibault Mange <[email protected]>
stolostron · Feb 21, 2024 · 18be7a6 · 18be7a6
2 parents 72cf79e + a0619ce
commit 18be7a6
Show file tree

Hide file tree

Showing 10 changed files with 359 additions and 311 deletions.
diff --git a/operators/endpointmetrics/config/manager/manager.yaml b/operators/endpointmetrics/config/manager/manager.yaml
@@ -51,6 +51,9 @@ spec:
         - mountPath: /spoke/hub-kubeconfig
           name: hub-kubeconfig-secret
           readOnly: true
+        securityContext:
+          privileged: false
+          readOnlyRootFilesystem: true
       volumes:
       - name: hub-kubeconfig-secret
         secret:

diff --git a/operators/endpointmetrics/controllers/observabilityendpoint/metrics_collector.go b/operators/endpointmetrics/controllers/observabilityendpoint/metrics_collector.go
@@ -314,6 +314,14 @@ func createDeployment(params CollectorParams) *appsv1.Deployment {
 			})
 	}
 
+	privileged := false
+	readOnlyRootFilesystem := true
+
+	metricsCollectorDep.Spec.Template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
+		Privileged:             &privileged,
+		ReadOnlyRootFilesystem: &readOnlyRootFilesystem,
+	}
+
 	if params.obsAddonSpec.Resources != nil {
 		metricsCollectorDep.Spec.Template.Spec.Containers[0].Resources = *params.obsAddonSpec.Resources
 	}

diff --git a/...rvability/bundle/manifests/multicluster-observability-operator.clusterserviceversion.yaml b/...rvability/bundle/manifests/multicluster-observability-operator.clusterserviceversion.yaml
@@ -526,6 +526,8 @@ spec:
                     memory: 128Mi
                 securityContext:
                   allowPrivilegeEscalation: false
+                  privileged: false
+                  readOnlyRootFilesystem: true
                 volumeMounts:
                 - mountPath: /tmp/k8s-webhook-server/serving-certs
                   name: cert

diff --git a/operators/multiclusterobservability/config/manager/manager.yaml b/operators/multiclusterobservability/config/manager/manager.yaml
@@ -34,6 +34,8 @@ spec:
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false
+          privileged: false
+          readOnlyRootFilesystem: true
         ports:
         - containerPort: 9443
           name: webhook-server

diff --git a/...ators/multiclusterobservability/manifests/base/alertmanager/alertmanager-statefulset.yaml b/...ators/multiclusterobservability/manifests/base/alertmanager/alertmanager-statefulset.yaml
@@ -22,24 +22,24 @@ spec:
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 70
-            podAffinityTerm:
-              topologyKey: topology.kubernetes.io/zone
-              labelSelector:
-                matchExpressions:
-                - key: app
-                  operator: In
-                  values:
-                  - multicluster-observability-alertmanager
-          - weight: 30
-            podAffinityTerm:
-              topologyKey: kubernetes.io/hostname
-              labelSelector:
-                matchExpressions:
-                - key: app
-                  operator: In
-                  values:
-                  - multicluster-observability-alertmanager
+            - weight: 70
+              podAffinityTerm:
+                topologyKey: topology.kubernetes.io/zone
+                labelSelector:
+                  matchExpressions:
+                    - key: app
+                      operator: In
+                      values:
+                        - multicluster-observability-alertmanager
+            - weight: 30
+              podAffinityTerm:
+                topologyKey: kubernetes.io/hostname
+                labelSelector:
+                  matchExpressions:
+                    - key: app
+                      operator: In
+                      values:
+                        - multicluster-observability-alertmanager
       containers:
       - args:
         - --config.file=/etc/alertmanager/config/alertmanager.yaml
@@ -84,6 +84,9 @@ spec:
           name: config-volume
         - mountPath: /alertmanager
           name: alertmanager-db
+        securityContext:
+          privileged: false
+          readOnlyRootFilesystem: true
       - args:
         - -webhook-url=http://localhost:9093/-/reload
         - -volume-dir=/etc/alertmanager/config
@@ -102,6 +105,9 @@ spec:
         - mountPath: /etc/tls/private
           name: tls-secret
           readOnly: true
+        securityContext:
+          privileged: false
+          readOnlyRootFilesystem: true
       - args:
         - --provider=openshift
         - --https-address=:9095
@@ -146,6 +152,9 @@ spec:
           readOnly: true
         - mountPath: /etc/proxy/secrets
           name: alertmanager-proxy
+        securityContext:
+          privileged: false
+          readOnlyRootFilesystem: true
       - image: quay.io/stolostron/kube-rbac-proxy:2.10.0-SNAPSHOT-2024-02-13-14-12-35
         name: kube-rbac-proxy
         args:
@@ -175,7 +184,9 @@ spec:
         - mountPath: /etc/tls/client
           name: metrics-client-ca
           readOnly: true
-
+        securityContext:
+          privileged: false
+          readOnlyRootFilesystem: true
       serviceAccount: alertmanager
       serviceAccountName: alertmanager
       volumes:
@@ -202,12 +213,12 @@ spec:
         configMap:
           name: alertmanager-clientca-metric
   volumeClaimTemplates:
-  - metadata:
-      name: alertmanager-db
-    spec:
-      accessModes:
-      - ReadWriteOnce
-      resources:
-        requests:
-          storage: 10Gi
-      storageClassName: "gp2"
+    - metadata:
+        name: alertmanager-db
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 10Gi
+        storageClassName: "gp2"
diff --git a/operators/multiclusterobservability/manifests/base/grafana/deployment.yaml b/operators/multiclusterobservability/manifests/base/grafana/deployment.yaml
@@ -21,119 +21,128 @@ spec:
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 70
-            podAffinityTerm:
-              topologyKey: topology.kubernetes.io/zone
-              labelSelector:
-                matchExpressions:
-                - key: app
-                  operator: In
-                  values:
-                  - multicluster-observability-grafana
-          - weight: 30
-            podAffinityTerm:
-              topologyKey: kubernetes.io/hostname
-              labelSelector:
-                matchExpressions:
-                - key: app
-                  operator: In
-                  values:
-                  - multicluster-observability-grafana
+            - weight: 70
+              podAffinityTerm:
+                topologyKey: topology.kubernetes.io/zone
+                labelSelector:
+                  matchExpressions:
+                    - key: app
+                      operator: In
+                      values:
+                        - multicluster-observability-grafana
+            - weight: 30
+              podAffinityTerm:
+                topologyKey: kubernetes.io/hostname
+                labelSelector:
+                  matchExpressions:
+                    - key: app
+                      operator: In
+                      values:
+                        - multicluster-observability-grafana
       containers:
-      - args:
-        - -config=/etc/grafana/grafana.ini
-        image: quay.io/stolostron/grafana:2.4.0-SNAPSHOT-2021-09-23-07-02-14
-        imagePullPolicy: IfNotPresent
-        name: grafana
-        ports:
-        - containerPort: 3001
-          name: http
-          protocol: TCP
-        resources:
-          limits:
-            cpu: 500m
-            memory: 1Gi
-          requests:
-            cpu: 4m
-            memory: 100Mi
-        volumeMounts:
-        - mountPath: /var/lib/grafana
-          name: grafana-storage
-        - mountPath: /etc/grafana/provisioning/datasources
-          name: grafana-datasources
-        - mountPath: /etc/grafana
-          name: grafana-config
-      - name: grafana-dashboard-loader
-        env:
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        image: quay.io/stolostron/grafana-dashboard-loader:2.3.0-SNAPSHOT-2021-07-26-18-43-26
-        imagePullPolicy: IfNotPresent
-        resources:
-          requests:
-            cpu: 4m
-            memory: 50Mi  
-      - readinessProbe:
-          httpGet:
-            path: /oauth/healthz
-            port: 9443
-            scheme: HTTPS
-          timeoutSeconds: 1
-          periodSeconds: 10
-          successThreshold: 1
-          failureThreshold: 3
-        name: grafana-proxy
-        ports:
-          - name: public
-            containerPort: 9443
-            protocol: TCP
-        imagePullPolicy: IfNotPresent
-        volumeMounts:
-          - name: tls-secret
-            mountPath: /etc/tls/private
-          - mountPath: /etc/proxy/secrets
-            name: cookie-secret
-        image: quay.io/stolostron/origin-oauth-proxy:4.5
-        args:
-          - '--provider=openshift'
-          - '--upstream=http://localhost:3001'
-          - '--https-address=:9443'
-          - '--cookie-secret-file=/etc/proxy/secrets/session_secret'
-          - '--cookie-expire=12h0m0s'
-          - '--cookie-refresh=8h0m0s'
-          - '--openshift-delegate-urls={"/": {"resource": "projects", "verb": "list"}}'          
-          - '--tls-cert=/etc/tls/private/tls.crt'
-          - '--tls-key=/etc/tls/private/tls.key'
-          - '--openshift-service-account=grafana'
-          - '--pass-user-bearer-token=true'
-          - '--pass-access-token=true'
-          - '--client-id=grafana-proxy-client'
-          - '--client-secret=grafana-proxy-client'
-          - '--scope=user:full'
-          - '--openshift-ca=/etc/pki/tls/cert.pem'
-          - '--openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'      
+        - args:
+            - -config=/etc/grafana/grafana.ini
+          image: quay.io/stolostron/grafana:2.4.0-SNAPSHOT-2021-09-23-07-02-14
+          imagePullPolicy: IfNotPresent
+          name: grafana
+          ports:
+            - containerPort: 3001
+              name: http
+              protocol: TCP
+          resources:
+            limits:
+              cpu: 500m
+              memory: 1Gi
+            requests:
+              cpu: 4m
+              memory: 100Mi
+          volumeMounts:
+            - mountPath: /var/lib/grafana
+              name: grafana-storage
+            - mountPath: /etc/grafana/provisioning/datasources
+              name: grafana-datasources
+            - mountPath: /etc/grafana
+              name: grafana-config
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: true
+        - name: grafana-dashboard-loader
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          image: quay.io/stolostron/grafana-dashboard-loader:2.3.0-SNAPSHOT-2021-07-26-18-43-26
+          imagePullPolicy: IfNotPresent
+          resources:
+            requests:
+              cpu: 4m
+              memory: 50Mi
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: true
+        - readinessProbe:
+            httpGet:
+              path: /oauth/healthz
+              port: 9443
+              scheme: HTTPS
+            timeoutSeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+          name: grafana-proxy
+          ports:
+            - name: public
+              containerPort: 9443
+              protocol: TCP
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - name: tls-secret
+              mountPath: /etc/tls/private
+            - mountPath: /etc/proxy/secrets
+              name: cookie-secret
+          image: quay.io/stolostron/origin-oauth-proxy:4.5
+          args:
+            - '--provider=openshift'
+            - '--upstream=http://localhost:3001'
+            - '--https-address=:9443'
+            - '--cookie-secret-file=/etc/proxy/secrets/session_secret'
+            - '--cookie-expire=12h0m0s'
+            - '--cookie-refresh=8h0m0s'
+            - '--openshift-delegate-urls={"/": {"resource": "projects", "verb": "list"}}'
+            - '--tls-cert=/etc/tls/private/tls.crt'
+            - '--tls-key=/etc/tls/private/tls.key'
+            - '--openshift-service-account=grafana'
+            - '--pass-user-bearer-token=true'
+            - '--pass-access-token=true'
+            - '--client-id=grafana-proxy-client'
+            - '--client-secret=grafana-proxy-client'
+            - '--scope=user:full'
+            - '--openshift-ca=/etc/pki/tls/cert.pem'
+            - '--openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
+          securityContext:
+            privileged: false
+            readOnlyRootFilesystem: true
       serviceAccount: grafana
       imagePullSecrets:
-      - name: multiclusterhub-operator-pull-secret
+        - name: multiclusterhub-operator-pull-secret
       serviceAccountName: grafana
       volumes:
-      - emptyDir: {}
-        name: grafana-storage
-      - name: grafana-datasources
-        secret:
-          defaultMode: 420
-          secretName: grafana-datasources
-      - name: grafana-config
-        secret:
-          defaultMode: 420
-          secretName: grafana-config
-      - name: tls-secret
-        secret:
-          defaultMode: 420
-          secretName: grafana-tls
-      - name: cookie-secret
-        secret:
-          defaultMode: 420
-          secretName: rbac-proxy-cookie-secret
+        - emptyDir: {}
+          name: grafana-storage
+        - name: grafana-datasources
+          secret:
+            defaultMode: 420
+            secretName: grafana-datasources
+        - name: grafana-config
+          secret:
+            defaultMode: 420
+            secretName: grafana-config
+        - name: tls-secret
+          secret:
+            defaultMode: 420
+            secretName: grafana-tls
+        - name: cookie-secret
+          secret:
+            defaultMode: 420
+            secretName: rbac-proxy-cookie-secret