diff --git a/charts/rancher-monitoring/v0.0.4/charts/exporter-node/templates/psp.yaml b/charts/rancher-monitoring/v0.0.4/charts/exporter-node/templates/psp.yaml new file mode 100644 index 0000000000000000000000000000000000000000..1c5f1b33b1fd021fb8fd3311d198b45fc9264fa7 --- /dev/null +++ b/charts/rancher-monitoring/v0.0.4/charts/exporter-node/templates/psp.yaml @@ -0,0 +1,44 @@ +{{- if .Values.enabledPSP }} +apiVersion: extensions/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "app.fullname" . }} +spec: + allowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + - persistentVolumeClaim + - hostPath + allowedHostPaths: + - pathPrefix: / + readOnly: true +{{- if .Values.enabledHostNetwork }} + hostNetwork: true + hostPorts: + - min: {{ .Values.ports.metrics.port }} + max: {{ .Values.ports.metrics.port }} +{{- end }} +{{- if .Values.enabledHostPID }} + hostPID: true +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/rancher-monitoring/v0.0.4/charts/exporter-node/templates/rbac.yaml b/charts/rancher-monitoring/v0.0.4/charts/exporter-node/templates/rbac.yaml index 48f32c40b784576b17a106efd2e1131c26e93d73..d93c037a9276c1bbaddbfee6ac5ada5f2b93d0fa 100644 --- a/charts/rancher-monitoring/v0.0.4/charts/exporter-node/templates/rbac.yaml +++ b/charts/rancher-monitoring/v0.0.4/charts/exporter-node/templates/rbac.yaml 
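Review bot: `runAsUser: rule: RunAsAny` in the new psp.yaml still permits the exporter pod to run as uid 0, which undercuts the `requiredDropCapabilities: - ALL` and read-only `allowedHostPaths` hardening around it. If the exporter-node DaemonSet (not part of this diff) does not need root, `rule: MustRunAsNonRoot` lets the admission controller enforce that; if it does, a comment above `runAsUser:` saying why would stop the next reviewer from tightening it. Separately, `apiVersion: extensions/v1beta1` is the deprecated group for PodSecurityPolicy — `policy/v1beta1` is what newer clusters serve — and the Role in rbac.yaml grants `use` only in `extensions`, so the two should move together once the supported cluster baseline allows.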
@@ -53,4 +53,33 @@ subjects: - kind: ServiceAccount name: {{ template "app.fullname" . }} namespace: {{ .Release.Namespace }} +{{- if .Values.enabledPSP }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "app.fullname" . }}-psp-role +rules: +- apiGroups: + - extensions + resourceNames: + - {{ template "app.fullname" . }} + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "app.fullname" . }}-psp-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "app.fullname" . }}-psp-role +subjects: +- kind: ServiceAccount + name: {{ template "app.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/charts/rancher-monitoring/v0.0.4/charts/exporter-node/values.yaml b/charts/rancher-monitoring/v0.0.4/charts/exporter-node/values.yaml index 970d0e8272a650148dfdbc4dd21cbd4ed9028bce..79c312745d383b641fe4463ec4f9f03e008b9f55 100755 --- a/charts/rancher-monitoring/v0.0.4/charts/exporter-node/values.yaml +++ b/charts/rancher-monitoring/v0.0.4/charts/exporter-node/values.yaml @@ -1,4 +1,5 @@ enabledRBAC: true +enabledPSP: true ## # Default collector settings diff --git a/charts/rancher-monitoring/v0.0.4/charts/grafana/templates/deployment.yaml b/charts/rancher-monitoring/v0.0.4/charts/grafana/templates/deployment.yaml index 688ff05878bf100736a11cad27e74b6145bb14cb..94ec884e5bd6175dad1dd59a54cc1022d10e9247 100755 --- a/charts/rancher-monitoring/v0.0.4/charts/grafana/templates/deployment.yaml +++ b/charts/rancher-monitoring/v0.0.4/charts/grafana/templates/deployment.yaml @@ -101,7 +101,7 @@ spec: - /nginx/nginx.conf ports: - name: http - containerPort: 80 + containerPort: 8080 protocol: TCP volumeMounts: - mountPath: /nginx/ 
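Review bot: The new `-psp-role` Role grants `use` on the policy only under `apiGroups: - extensions`, so on a cluster whose PodSecurityPolicy admission controller authorizes against the `policy` group the binding is not honoured and pods are rejected even though the PSP exists. Adding `- policy` beneath `- extensions` in that `apiGroups` list keeps the chart working on both. The trailing `{{- end }}` context line presumably closes an `enabledRBAC` guard, so the PSP Role is gated on both values; a one-line comment above `{{- if .Values.enabledPSP }}` stating that dependency would make it explicit.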
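Review bot: `enabledPSP: true` is added without the `##` comment style the file uses for its other settings (the `## # Default collector settings` header follows it), so a reader cannot tell what it gates or that it defaults PSP creation on. A comment such as `## Create a PodSecurityPolicy and the Role/RoleBinding that let the exporter ServiceAccount use it` above the key would document it, ideally noting that installs on clusters without the PodSecurityPolicy API presumably need it set to false.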
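Review bot: `containerPort: 8080` on the grafana proxy container is only half of the port move; anything that targets the proxy by number — a Service `targetPort: 80`, a probe, or an Ingress backend — is not in this diff and would now point at a port nothing listens on. Because the port is named `http`, switching such references to `targetPort: http` makes them follow future changes as well. The same check applies to the prometheus.yaml hunk `@@ -25,7 +25,7 @@`.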
@@ -109,6 +109,9 @@ spec: {{- if and .Values.resources .Values.resources.proxy }} resources: {{ toYaml .Values.resources.proxy | indent 10 }} + securityContext: + runAsUser: 100 + runAsGroup: 101 {{- end }} nodeSelector: {{- include "linux-node-selector" . | nindent 8 }} @@ -129,6 +132,8 @@ spec: {{ toYaml .Values.tolerations | indent 8 }} {{- end }} securityContext: + runAsUser: 472 + runAsGroup: 472 fsGroup: 472 volumes: - name: grafana-static-contents diff --git a/charts/rancher-monitoring/v0.0.4/charts/grafana/templates/nginx-configmap.yaml b/charts/rancher-monitoring/v0.0.4/charts/grafana/templates/nginx-configmap.yaml index ea76932969e19498458ea9db41ab62e89fd1cd9b..aa3228f7967a45215a571a54f5b4fbc4488b4005 100644 --- a/charts/rancher-monitoring/v0.0.4/charts/grafana/templates/nginx-configmap.yaml +++ b/charts/rancher-monitoring/v0.0.4/charts/grafana/templates/nginx-configmap.yaml @@ -43,10 +43,9 @@ data: exit 1 nginx.conf: |- - user nginx; worker_processes auto; error_log /dev/stdout warn; - pid /var/run/nginx.pid; + pid /var/cache/nginx/nginx.pid; events { worker_connections 1024; @@ -60,10 +59,10 @@ data: proxy_read_timeout 180; proxy_send_timeout 5; proxy_buffering off; - proxy_cache_path /tmp/nginx levels=1:2 keys_zone=my_zone:100m inactive=1d max_size=10g; + proxy_cache_path /var/cache/nginx/cache levels=1:2 keys_zone=my_zone:100m inactive=1d max_size=10g; server { - listen 80; + listen 8080; access_log off; gzip on; diff --git a/charts/rancher-monitoring/v0.0.4/charts/prometheus/templates/nginx-configmap.yaml b/charts/rancher-monitoring/v0.0.4/charts/prometheus/templates/nginx-configmap.yaml index 0b3a672c8a6afcee5f57398499bb8c844141424a..842cee5ff31c945d11a106ee565d9ebebafdcac6 100644 --- a/charts/rancher-monitoring/v0.0.4/charts/prometheus/templates/nginx-configmap.yaml +++ b/charts/rancher-monitoring/v0.0.4/charts/prometheus/templates/nginx-configmap.yaml 
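Review bot: The proxy container's `securityContext` is inserted between the `resources:` line and the `{{- end }}` of `{{- if and .Values.resources .Values.resources.proxy }}`, so it is rendered only when proxy resource limits are configured; with default values the container falls back to the image's own user, which for a stock nginx image is likely root now that `user nginx;` has been dropped from nginx.conf in this same commit. Move the three `securityContext` lines after that `{{- end }}` so they render unconditionally, as the prometheus.yaml hunk `@@ -33,8 +33,8 @@` already does. Both that block and the pod-level `securityContext` at `@@ -129,6 +132,8 @@` (uid/gid 472) would also benefit from `runAsNonRoot: true`, so the kubelet rejects a root image outright rather than relying on the numeric uid alone.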
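Review bot: Dropping `user nginx;` and moving the pid file to `/var/cache/nginx/nginx.pid` makes startup depend on `/var/cache/nginx` already existing and being writable by the uid the container now runs as, which is a property of the image behind `image.proxy.repository` rather than of the chart. The prometheus variant of this script (`@@ -13,22 +13,23 @@` in prometheus/templates/nginx-configmap.yaml) adds `mkdir -p /var/cache/nginx/cache` before writing its config; the grafana run script sits above this hunk and is not shown, so confirm it does the equivalent or that nginx can create the `proxy_cache_path` directory from `@@ -60,10 +59,10 @@` itself. A comment above `pid` such as `# runs unprivileged: pid and cache live under /var/cache/nginx, which the image must make writable for the runAsUser` would record the requirement.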
@@ -13,22 +13,23 @@ data: set -e srcpath="/nginx/nginx-conf.tmpl" - dstpath="/var/run/nginx.conf" + dstpath="/var/cache/nginx/nginx.conf" if ! [ -f $srcpath ]; then exit 1 fi + mkdir -p /var/cache/nginx/cache + token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) sed "s/REPLACE_PARAM_AUTHORIZATION/Bearer ${token}/g" $srcpath | sed "s/REPLACE_PARAM_IP/${POD_IP}/g" > $dstpath - exec nginx -g "daemon off;" -c /var/run/nginx.conf + exec nginx -g "daemon off;" -c /var/cache/nginx/nginx.conf nginx-conf.tmpl: |- - user nginx; worker_processes auto; error_log /dev/stdout warn; - pid /var/run/nginx.pid; + pid /var/cache/nginx/nginx.pid; events { worker_connections 1024; @@ -42,10 +43,10 @@ data: proxy_read_timeout 180; proxy_send_timeout 5; proxy_buffering off; - proxy_cache_path /tmp/nginx levels=1:2 keys_zone=my_zone:100m inactive=1d max_size=10g; + proxy_cache_path /var/cache/nginx/cache levels=1:2 keys_zone=my_zone:100m inactive=1d max_size=10g; server { - listen 80; + listen 8080; access_log off; gzip on; diff --git a/charts/rancher-monitoring/v0.0.4/charts/prometheus/templates/prometheus.yaml b/charts/rancher-monitoring/v0.0.4/charts/prometheus/templates/prometheus.yaml index ff43c198c96ae71b5222d3e8935a795eb9d719de..c5e4bf24a590d034282db8ac66dcecef5740211f 100755 --- a/charts/rancher-monitoring/v0.0.4/charts/prometheus/templates/prometheus.yaml +++ b/charts/rancher-monitoring/v0.0.4/charts/prometheus/templates/prometheus.yaml @@ -17,7 +17,7 @@ spec: command: - /bin/sh - -c - - cp /nginx/run-sh.tmpl /var/run/nginx-start.sh; chmod +x /var/run/nginx-start.sh; /var/run/nginx-start.sh + - cp /nginx/run-sh.tmpl /var/cache/nginx/nginx-start.sh; chmod +x /var/cache/nginx/nginx-start.sh; /var/cache/nginx/nginx-start.sh env: - name: POD_IP valueFrom: 
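Review bot: The new `exec nginx -g "daemon off;" -c /var/cache/nginx/nginx.conf` repeats the path already held in `dstpath` a few lines above, so the two can drift apart on the next relocation; `exec nginx -g "daemon off;" -c "$dstpath"` keeps a single source of truth. The added `mkdir -p /var/cache/nginx/cache` runs under `set -e`, so a read-only or missing `/var/cache/nginx` now aborts the container with a bare mkdir error before nginx starts — acceptable, but a short comment above it stating that the directory must be writable by the non-root uid would make the failure mode obvious.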
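Review bot: The `cp /nginx/run-sh.tmpl /var/cache/nginx/nginx-start.sh; chmod +x ...` command copies the script into `/var/cache/nginx` before the script's own `mkdir -p` runs, so it relies on that directory pre-existing in the image and being writable by uid 100; if it is not, the container exits before the run script is reached. Executing the template in place with `- sh /nginx/run-sh.tmpl` removes the copy, the `chmod` and that dependency, since a ConfigMap mount does not need the exec bit to be read by the shell. If the copy is intentional, a comment in the `command:` block explaining why would help.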
@@ -25,7 +25,7 @@ spec: fieldPath: status.podIP image: {{ template "system_default_registry" . }}{{ .Values.image.proxy.repository }}:{{ .Values.image.proxy.tag }} ports: - - containerPort: 80 + - containerPort: 8080 name: http protocol: TCP {{- if and .Values.resources .Values.resources.proxy }} @@ -33,8 +33,8 @@ spec: {{ toYaml .Values.resources.proxy | indent 6 }} {{- end }} securityContext: - runAsNonRoot: false - runAsUser: 0 + runAsUser: 100 + runAsGroup: 101 volumeMounts: - mountPath: /nginx name: configmap-{{ template "app.nginx.fullname" . }}
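Review bot: The new `securityContext` sets `runAsUser: 100` / `runAsGroup: 101` but drops `runAsNonRoot` entirely instead of flipping it to `true`, and hard-codes ids tied to one particular nginx build (the Alpine-based image, as far as I recall, uses 100/101 while Debian-based builds differ) even though the image itself is a chart value. Add `runAsNonRoot: true` and `allowPrivilegeEscalation: false`, mirroring the `allowPrivilegeEscalation: false` the new exporter-node PSP expresses, and consider sourcing the uid/gid from values next to `image.proxy` so a different proxy image does not silently run as a uid that owns none of `/var/cache/nginx`. The same applies to the grafana proxy `securityContext` in `@@ -109,6 +109,9 @@`.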