Skip to content

Commit

Permalink
Add targetallocator securityContext configuration (open-telemetry#2419)
Browse files Browse the repository at this point in the history 
* Add targetallocator securitycontext

Signed-off-by: Frances Barcelos <frances.laking@gresearch.co.uk>

* Add targetallocator securitycontext

Signed-off-by: Frances Barcelos <frances.laking@gresearch.co.uk>

* Adding perms for servicemonitors

* Update 00-assert.yaml

---------

Signed-off-by: Frances Barcelos <frances.laking@gresearch.co.uk>
Co-authored-by: Jacob Aronoff <jaronoff97@users.noreply.github.com>
  • Loading branch information
@frances-barcelos @jaronoff97
frances-barcelos and jaronoff97 authored Dec 6, 2023
1 parent 498f8fb commit 98fe7f6
Show file tree
Hide file tree
Showing 10 changed files with 614 additions and 0 deletions.
16 changes: 16 additions & 0 deletions .chloggen/ta-securitycontext.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
change_type: enhancement

# The name of the component, or a single word describing the area of concern, (e.g. operator, target allocator, github action)
component: target allocator

# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
note: add target allocator securityContext configuration

# One or more tracking issues related to the change
issues: [2397]

# (Optional) One or more lines of additional information to render under the primary note.
# These lines will be padded with 2 spaces and then inserted directly into the document.
# Use pipe (|) for multiline entries.
subtext:
4 changes: 4 additions & 0 deletions apis/v1alpha1/opentelemetrycollector_types.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -322,6 +322,10 @@ type OpenTelemetryTargetAllocator struct {
// All CR instances which the ServiceAccount has access to will be retrieved. This includes other namespaces.
// +optional
PrometheusCR OpenTelemetryTargetAllocatorPrometheusCR `json:"prometheusCR,omitempty"`
// SecurityContext configures the container security context for
// the targetallocator.
// +optional
SecurityContext *v1.PodSecurityContext `json:"securityContext,omitempty"`
// TopologySpreadConstraints embedded kubernetes pod configuration option,
// controls how pods are spread across your cluster among failure-domains
// such as regions, zones, nodes, and other user-defined topology domains
Expand Down
5 changes: 5 additions & 0 deletions apis/v1alpha1/zz_generated.deepcopy.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

128 changes: 128 additions & 0 deletions bundle/manifests/opentelemetry.io_opentelemetrycollectors.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5050,6 +5050,134 @@ spec:
resources required.
type: object
type: object
securityContext:
description: SecurityContext configures the container security
context for the targetallocator.
properties:
fsGroup:
description: "A special supplemental group that applies to
all containers in a pod. Some volume types allow the Kubelet
to change the ownership of that volume to be owned by the
pod: \n 1."
format: int64
type: integer
fsGroupChangePolicy:
description: fsGroupChangePolicy defines behavior of changing
ownership and permission of the volume before being exposed
inside Pod.
type: string
runAsGroup:
description: The GID to run the entrypoint of the container
process. Uses runtime default if unset. May also be set
in SecurityContext.
format: int64
type: integer
runAsNonRoot:
description: Indicates that the container must run as a non-root
user.
type: boolean
runAsUser:
description: The UID to run the entrypoint of the container
process. Defaults to user specified in image metadata if
unspecified. May also be set in SecurityContext.
format: int64
type: integer
seLinuxOptions:
description: The SELinux context to be applied to all containers.
If unspecified, the container runtime will allocate a random
SELinux context for each container. May also be set in
SecurityContext.
properties:
level:
description: Level is SELinux level label that applies
to the container.
type: string
role:
description: Role is a SELinux role label that applies
to the container.
type: string
type:
description: Type is a SELinux type label that applies
to the container.
type: string
user:
description: User is a SELinux user label that applies
to the container.
type: string
type: object
seccompProfile:
description: The seccomp options to use by the containers
in this pod. Note that this field cannot be set when spec.os.name
is windows.
properties:
localhostProfile:
description: localhostProfile indicates a profile defined
in a file on the node should be used. The profile must
be preconfigured on the node to work.
type: string
type:
description: "type indicates which kind of seccomp profile
will be applied. Valid options are: \n Localhost - a
profile defined in a file on the node should be used."
type: string
required:
- type
type: object
supplementalGroups:
description: A list of groups applied to the first process
run in each container, in addition to the container's primary
GID, the fsGroup (if specified), and group memberships defined
in the container image for th
items:
format: int64
type: integer
type: array
sysctls:
description: Sysctls hold a list of namespaced sysctls used
for the pod. Pods with unsupported sysctls (by the container
runtime) might fail to launch. Note that this field cannot
be set when spec.os.
items:
description: Sysctl defines a kernel parameter to be set
properties:
name:
description: Name of a property to set
type: string
value:
description: Value of a property to set
type: string
required:
- name
- value
type: object
type: array
windowsOptions:
description: The Windows specific settings applied to all
containers. If unspecified, the options within a container's
SecurityContext will be used.
properties:
gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission
webhook (https://github.com/kubernetes-sigs/windows-gmsa)
inlines the contents of the GMSA credential spec named
by the GMSACredentialSpecName field.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the name of the
GMSA credential spec to use.
type: string
hostProcess:
description: HostProcess determines if a container should
be run as a 'Host Process' container.
type: boolean
runAsUserName:
description: The UserName in Windows to run the entrypoint
of the container process. Defaults to the user specified
in image metadata if unspecified. May also be set in
PodSecurityContext.
type: string
type: object
type: object
serviceAccount:
description: ServiceAccount indicates the name of an existing
service account to use with this instance. When set, the operator
Expand Down
128 changes: 128 additions & 0 deletions config/crd/bases/opentelemetry.io_opentelemetrycollectors.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5047,6 +5047,134 @@ spec:
resources required.
type: object
type: object
securityContext:
description: SecurityContext configures the container security
context for the targetallocator.
properties:
fsGroup:
description: "A special supplemental group that applies to
all containers in a pod. Some volume types allow the Kubelet
to change the ownership of that volume to be owned by the
pod: \n 1."
format: int64
type: integer
fsGroupChangePolicy:
description: fsGroupChangePolicy defines behavior of changing
ownership and permission of the volume before being exposed
inside Pod.
type: string
runAsGroup:
description: The GID to run the entrypoint of the container
process. Uses runtime default if unset. May also be set
in SecurityContext.
format: int64
type: integer
runAsNonRoot:
description: Indicates that the container must run as a non-root
user.
type: boolean
runAsUser:
description: The UID to run the entrypoint of the container
process. Defaults to user specified in image metadata if
unspecified. May also be set in SecurityContext.
format: int64
type: integer
seLinuxOptions:
description: The SELinux context to be applied to all containers.
If unspecified, the container runtime will allocate a random
SELinux context for each container. May also be set in
SecurityContext.
properties:
level:
description: Level is SELinux level label that applies
to the container.
type: string
role:
description: Role is a SELinux role label that applies
to the container.
type: string
type:
description: Type is a SELinux type label that applies
to the container.
type: string
user:
description: User is a SELinux user label that applies
to the container.
type: string
type: object
seccompProfile:
description: The seccomp options to use by the containers
in this pod. Note that this field cannot be set when spec.os.name
is windows.
properties:
localhostProfile:
description: localhostProfile indicates a profile defined
in a file on the node should be used. The profile must
be preconfigured on the node to work.
type: string
type:
description: "type indicates which kind of seccomp profile
will be applied. Valid options are: \n Localhost - a
profile defined in a file on the node should be used."
type: string
required:
- type
type: object
supplementalGroups:
description: A list of groups applied to the first process
run in each container, in addition to the container's primary
GID, the fsGroup (if specified), and group memberships defined
in the container image for th
items:
format: int64
type: integer
type: array
sysctls:
description: Sysctls hold a list of namespaced sysctls used
for the pod. Pods with unsupported sysctls (by the container
runtime) might fail to launch. Note that this field cannot
be set when spec.os.
items:
description: Sysctl defines a kernel parameter to be set
properties:
name:
description: Name of a property to set
type: string
value:
description: Value of a property to set
type: string
required:
- name
- value
type: object
type: array
windowsOptions:
description: The Windows specific settings applied to all
containers. If unspecified, the options within a container's
SecurityContext will be used.
properties:
gmsaCredentialSpec:
description: GMSACredentialSpec is where the GMSA admission
webhook (https://github.com/kubernetes-sigs/windows-gmsa)
inlines the contents of the GMSA credential spec named
by the GMSACredentialSpecName field.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the name of the
GMSA credential spec to use.
type: string
hostProcess:
description: HostProcess determines if a container should
be run as a 'Host Process' container.
type: boolean
runAsUserName:
description: The UserName in Windows to run the entrypoint
of the container process. Defaults to the user specified
in image metadata if unspecified. May also be set in
PodSecurityContext.
type: string
type: object
type: object
serviceAccount:
description: ServiceAccount indicates the name of an existing
service account to use with this instance. When set, the operator
Expand Down
Loading

0 comments on commit 98fe7f6

Please sign in to comment.