From 4453e8bfffc64fba56e2ac9f3a58e1eefea39c72 Mon Sep 17 00:00:00 2001 
From: Antoine Toulme Date: Sun, 2 Feb 2025 17:39:30 -0800 Subject: [PATCH] [chart] use security context under container level to allow setting additional permissions --- .../movesecuritycontexttocontainers.yaml | 12 +++++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-gateway.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-gateway.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-gateway.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 9 ++++++++ .../deployment-cluster-receiver.yaml | 8 +++---- .../templates/deployment-gateway.yaml | 8 +++---- helm-charts/splunk-otel-collector/values.yaml | 
21 +++++++++++++++++-- 37 files changed, 336 insertions(+), 10 deletions(-) create mode 100644 .chloggen/movesecuritycontexttocontainers.yaml diff --git a/.chloggen/movesecuritycontexttocontainers.yaml b/.chloggen/movesecuritycontexttocontainers.yaml new file mode 100644 index 0000000000..94c9e30fdc --- /dev/null +++ b/.chloggen/movesecuritycontexttocontainers.yaml @@ -0,0 +1,12 @@ +# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix' +change_type: enhancement +# The name of the component, or a single word describing the area of concern, (e.g. agent, clusterReceiver, gateway, operator, chart, other) +component: chart +# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). +note: use security context under container level to allow setting additional permissions +# One or more tracking issues related to the change +issues: [] +# (Optional) One or more lines of additional information to render under the primary note. +# These lines will be padded with 2 spaces and then inserted directly into the document. +# Use pipe (|) for multiline entries. +subtext: diff --git a/examples/add-filter-processor/rendered_manifests/deployment-cluster-receiver.yaml b/examples/add-filter-processor/rendered_manifests/deployment-cluster-receiver.yaml index 58a01c7a5f..311e0135cc 100644 --- a/examples/add-filter-processor/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/add-filter-processor/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" 
diff --git a/examples/add-kafkametrics-receiver/rendered_manifests/deployment-cluster-receiver.yaml b/examples/add-kafkametrics-receiver/rendered_manifests/deployment-cluster-receiver.yaml index 58a01c7a5f..311e0135cc 100644 --- a/examples/add-kafkametrics-receiver/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/add-kafkametrics-receiver/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/add-receiver-creator/rendered_manifests/deployment-cluster-receiver.yaml b/examples/add-receiver-creator/rendered_manifests/deployment-cluster-receiver.yaml index 58a01c7a5f..311e0135cc 100644 --- a/examples/add-receiver-creator/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/add-receiver-creator/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/add-sampler/rendered_manifests/deployment-cluster-receiver.yaml b/examples/add-sampler/rendered_manifests/deployment-cluster-receiver.yaml index 58a01c7a5f..311e0135cc 100644 --- a/examples/add-sampler/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/add-sampler/rendered_manifests/deployment-cluster-receiver.yaml 
@@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/autodetect-istio/rendered_manifests/deployment-cluster-receiver.yaml b/examples/autodetect-istio/rendered_manifests/deployment-cluster-receiver.yaml index 2180bc7740..f7d51348ad 100644 --- a/examples/autodetect-istio/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/autodetect-istio/rendered_manifests/deployment-cluster-receiver.yaml @@ -44,6 +44,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/collector-all-modes/rendered_manifests/deployment-cluster-receiver.yaml b/examples/collector-all-modes/rendered_manifests/deployment-cluster-receiver.yaml index 58a01c7a5f..311e0135cc 100644 --- a/examples/collector-all-modes/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/collector-all-modes/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" 
diff --git a/examples/collector-all-modes/rendered_manifests/deployment-gateway.yaml b/examples/collector-all-modes/rendered_manifests/deployment-gateway.yaml index 74d32156b4..a52688777a 100644 --- a/examples/collector-all-modes/rendered_manifests/deployment-gateway.yaml +++ b/examples/collector-all-modes/rendered_manifests/deployment-gateway.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "8192" diff --git a/examples/collector-cluster-receiver-only/rendered_manifests/deployment-cluster-receiver.yaml b/examples/collector-cluster-receiver-only/rendered_manifests/deployment-cluster-receiver.yaml index 9558b08f00..5464383e58 100644 --- a/examples/collector-cluster-receiver-only/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/collector-cluster-receiver-only/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/collector-gateway-only/rendered_manifests/deployment-gateway.yaml b/examples/collector-gateway-only/rendered_manifests/deployment-gateway.yaml index a8d622af68..a01813f76d 100644 --- a/examples/collector-gateway-only/rendered_manifests/deployment-gateway.yaml +++ b/examples/collector-gateway-only/rendered_manifests/deployment-gateway.yaml 
@@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "4096" diff --git a/examples/controlplane-histogram-metrics/rendered_manifests/deployment-cluster-receiver.yaml b/examples/controlplane-histogram-metrics/rendered_manifests/deployment-cluster-receiver.yaml index 58a01c7a5f..311e0135cc 100644 --- a/examples/controlplane-histogram-metrics/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/controlplane-histogram-metrics/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/crio-logging/rendered_manifests/deployment-cluster-receiver.yaml b/examples/crio-logging/rendered_manifests/deployment-cluster-receiver.yaml index 58a01c7a5f..311e0135cc 100644 --- a/examples/crio-logging/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/crio-logging/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" 
diff --git a/examples/default/rendered_manifests/deployment-cluster-receiver.yaml b/examples/default/rendered_manifests/deployment-cluster-receiver.yaml index 58a01c7a5f..311e0135cc 100644 --- a/examples/default/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/default/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/disable-persistence-queue-traces/rendered_manifests/deployment-cluster-receiver.yaml b/examples/disable-persistence-queue-traces/rendered_manifests/deployment-cluster-receiver.yaml index 77f7637a2e..3b847ddda7 100644 --- a/examples/disable-persistence-queue-traces/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/disable-persistence-queue-traces/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/distribution-aks/rendered_manifests/deployment-cluster-receiver.yaml b/examples/distribution-aks/rendered_manifests/deployment-cluster-receiver.yaml index b50081cb00..8a0d23c315 100644 --- a/examples/distribution-aks/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/distribution-aks/rendered_manifests/deployment-cluster-receiver.yaml 
@@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/distribution-eks-fargate/rendered_manifests/deployment-cluster-receiver.yaml b/examples/distribution-eks-fargate/rendered_manifests/deployment-cluster-receiver.yaml index b5f936e42e..62f24b9921 100644 --- a/examples/distribution-eks-fargate/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/distribution-eks-fargate/rendered_manifests/deployment-cluster-receiver.yaml @@ -76,6 +76,15 @@ spec: - --config=/splunk-messages/config.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/distribution-eks-fargate/rendered_manifests/deployment-gateway.yaml b/examples/distribution-eks-fargate/rendered_manifests/deployment-gateway.yaml index bc3162b2be..3daf5a674c 100644 --- a/examples/distribution-eks-fargate/rendered_manifests/deployment-gateway.yaml +++ b/examples/distribution-eks-fargate/rendered_manifests/deployment-gateway.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "8192" 
diff --git a/examples/distribution-eks/rendered_manifests/deployment-cluster-receiver.yaml b/examples/distribution-eks/rendered_manifests/deployment-cluster-receiver.yaml index 0982503104..ae67bfefd0 100644 --- a/examples/distribution-eks/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/distribution-eks/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/distribution-gke-autopilot/rendered_manifests/deployment-cluster-receiver.yaml b/examples/distribution-gke-autopilot/rendered_manifests/deployment-cluster-receiver.yaml index a46ab3c166..29fd506191 100644 --- a/examples/distribution-gke-autopilot/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/distribution-gke-autopilot/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/distribution-gke/rendered_manifests/deployment-cluster-receiver.yaml b/examples/distribution-gke/rendered_manifests/deployment-cluster-receiver.yaml index a46ab3c166..29fd506191 100644 --- a/examples/distribution-gke/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/distribution-gke/rendered_manifests/deployment-cluster-receiver.yaml 
@@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/distribution-openshift/rendered_manifests/deployment-cluster-receiver.yaml b/examples/distribution-openshift/rendered_manifests/deployment-cluster-receiver.yaml index 5f04c29e24..4f6066119e 100644 --- a/examples/distribution-openshift/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/distribution-openshift/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/enable-operator-and-auto-instrumentation/rendered_manifests/deployment-cluster-receiver.yaml b/examples/enable-operator-and-auto-instrumentation/rendered_manifests/deployment-cluster-receiver.yaml index d3fe3b7dbf..f7d3c6017c 100644 --- a/examples/enable-operator-and-auto-instrumentation/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/enable-operator-and-auto-instrumentation/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" 
diff --git a/examples/enable-persistence-queue/rendered_manifests/deployment-cluster-receiver.yaml b/examples/enable-persistence-queue/rendered_manifests/deployment-cluster-receiver.yaml index 77f7637a2e..3b847ddda7 100644 --- a/examples/enable-persistence-queue/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/enable-persistence-queue/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/enabled-pprof-extension/rendered_manifests/deployment-cluster-receiver.yaml b/examples/enabled-pprof-extension/rendered_manifests/deployment-cluster-receiver.yaml index 58a01c7a5f..311e0135cc 100644 --- a/examples/enabled-pprof-extension/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/enabled-pprof-extension/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/fluentd-multiline-logs-java-stack-traces/rendered_manifests/deployment-cluster-receiver.yaml b/examples/fluentd-multiline-logs-java-stack-traces/rendered_manifests/deployment-cluster-receiver.yaml index 58a01c7a5f..311e0135cc 100644 --- a/examples/fluentd-multiline-logs-java-stack-traces/rendered_manifests/deployment-cluster-receiver.yaml 
+++ b/examples/fluentd-multiline-logs-java-stack-traces/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/fluentd-refresh-interval/rendered_manifests/deployment-cluster-receiver.yaml b/examples/fluentd-refresh-interval/rendered_manifests/deployment-cluster-receiver.yaml index 58a01c7a5f..311e0135cc 100644 --- a/examples/fluentd-refresh-interval/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/fluentd-refresh-interval/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/kubernetes-windows-nodes/rendered_manifests/deployment-cluster-receiver.yaml b/examples/kubernetes-windows-nodes/rendered_manifests/deployment-cluster-receiver.yaml index 07a62fbaae..c9200c96e5 100644 --- a/examples/kubernetes-windows-nodes/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/kubernetes-windows-nodes/rendered_manifests/deployment-cluster-receiver.yaml 
@@ -45,6 +45,15 @@ spec: - --config=C:\\conf\relay.yaml image: quay.io/signalfx/splunk-otel-collector-windows:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + windowsOptions: {} env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/multi-metrics/rendered_manifests/deployment-cluster-receiver.yaml b/examples/multi-metrics/rendered_manifests/deployment-cluster-receiver.yaml index 77f7637a2e..3b847ddda7 100644 --- a/examples/multi-metrics/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/multi-metrics/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/only-metrics-platform/rendered_manifests/deployment-cluster-receiver.yaml b/examples/only-metrics-platform/rendered_manifests/deployment-cluster-receiver.yaml index 77f7637a2e..3b847ddda7 100644 --- a/examples/only-metrics-platform/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/only-metrics-platform/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" 
diff --git a/examples/only-metrics/rendered_manifests/deployment-cluster-receiver.yaml b/examples/only-metrics/rendered_manifests/deployment-cluster-receiver.yaml index 58a01c7a5f..311e0135cc 100644 --- a/examples/only-metrics/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/only-metrics/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/route-data-through-gateway-deployed-separately/rendered_manifests/deployment-cluster-receiver.yaml b/examples/route-data-through-gateway-deployed-separately/rendered_manifests/deployment-cluster-receiver.yaml index fefc786104..91a044110f 100644 --- a/examples/route-data-through-gateway-deployed-separately/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/route-data-through-gateway-deployed-separately/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/target-allocator/rendered_manifests/deployment-cluster-receiver.yaml b/examples/target-allocator/rendered_manifests/deployment-cluster-receiver.yaml index 58a01c7a5f..311e0135cc 100644 --- a/examples/target-allocator/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/target-allocator/rendered_manifests/deployment-cluster-receiver.yaml 
@@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/use-proxy/rendered_manifests/deployment-cluster-receiver.yaml b/examples/use-proxy/rendered_manifests/deployment-cluster-receiver.yaml index 5dee2bc745..6aa880163f 100644 --- a/examples/use-proxy/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/use-proxy/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" diff --git a/examples/with-target-allocator/rendered_manifests/deployment-cluster-receiver.yaml b/examples/with-target-allocator/rendered_manifests/deployment-cluster-receiver.yaml index 58a01c7a5f..311e0135cc 100644 --- a/examples/with-target-allocator/rendered_manifests/deployment-cluster-receiver.yaml +++ b/examples/with-target-allocator/rendered_manifests/deployment-cluster-receiver.yaml @@ -43,6 +43,15 @@ spec: - --config=/conf/relay.yaml image: quay.io/signalfx/splunk-otel-collector:0.117.0 imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 20000 + runAsNonRoot: true + runAsUser: 20000 env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "500" 
diff --git a/helm-charts/splunk-otel-collector/templates/deployment-cluster-receiver.yaml b/helm-charts/splunk-otel-collector/templates/deployment-cluster-receiver.yaml index 76ca03fbb6..b5a403abd1 100644 --- a/helm-charts/splunk-otel-collector/templates/deployment-cluster-receiver.yaml +++ b/helm-charts/splunk-otel-collector/templates/deployment-cluster-receiver.yaml @@ -81,10 +81,6 @@ spec: ` }} {{- $clusterReceiver.affinity | mustMergeOverwrite (fromYaml $clusterReceiverPodAntiAffinity) | toYaml | nindent 8 }} {{- end }} - {{- if $clusterReceiver.securityContext }} - securityContext: - {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $clusterReceiver.securityContext) | nindent 8 }} - {{- end }} {{- if eq (include "splunk-otel-collector.distribution" .) "eks/fargate" }} initContainers: - name: cluster-receiver-node-discoverer @@ -129,6 +125,10 @@ spec: {{- end }} image: {{ template "splunk-otel-collector.image.otelcol" . }} imagePullPolicy: {{ .Values.image.otelcol.pullPolicy }} + {{- if $clusterReceiver.securityContext }} + securityContext: + {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $clusterReceiver.securityContext) | nindent 10 }} + {{- end }} env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "{{ include "splunk-otel-collector.convertMemToMib" $clusterReceiver.resources.limits.memory | int64 }}" diff --git a/helm-charts/splunk-otel-collector/templates/deployment-gateway.yaml b/helm-charts/splunk-otel-collector/templates/deployment-gateway.yaml index 8edea4f781..817132505d 100644 --- a/helm-charts/splunk-otel-collector/templates/deployment-gateway.yaml +++ b/helm-charts/splunk-otel-collector/templates/deployment-gateway.yaml 
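Review bot: The pod-level securityContext removed in the first hunk sat directly above the `{{- if eq (include "splunk-otel-collector.distribution" .) "eks/fargate" }} initContainers:` block, and the second hunk re-adds it only under the main collector container, so the `cluster-receiver-node-discoverer` init container no longer inherits `runAsNonRoot`/`runAsUser`/`runAsGroup` from the pod and, unless it carries its own context outside this hunk, runs with whatever the image defaults to; the rebuilt eks-fargate manifest at L9 likewise shows the block only under the main container. Either keep a pod-level block with the pod-scoped subset of the values, or repeat the container-level include under the init container as sketched below, with `nindent` matching that container's indentation. A second consequence, hedged because the `splunk-otel-collector.securityContext` helper is not in this patch: if the helper passes user values through unchanged, pod-only fields such as `fsGroup` or `supplementalGroups` that an operator has set in `clusterReceiver.securityContext` will now be rendered under `containers[].securityContext` and rejected by the API server, which makes this a breaking change for those users rather than the `enhancement` the changelog entry declares. The same pod-to-container relocation is made in `deployment-gateway.yaml` at L18 and has the same pod-only-field concern. The enclosing container specs continue outside both hunks.
```yaml
      # … unchanged: init container name, image and command (outside this hunk) …
      {{- if $clusterReceiver.securityContext }}
      securityContext:
        {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $clusterReceiver.securityContext) | nindent 10 }}
      {{- end }}
```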
@@ -61,10 +61,6 @@ spec: affinity: {{- toYaml $gateway.affinity | nindent 8 }} {{- end }} - {{- if $gateway.securityContext }} - securityContext: - {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $gateway.securityContext) | nindent 8 }} - {{- end }} containers: - name: otel-collector command: @@ -82,6 +78,10 @@ spec: {{- end }} image: {{ template "splunk-otel-collector.image.otelcol" . }} imagePullPolicy: {{ .Values.image.otelcol.pullPolicy }} + {{- if $gateway.securityContext }} + securityContext: + {{- include "splunk-otel-collector.securityContext" (dict "isWindows" .Values.isWindows "securityContext" $gateway.securityContext) | nindent 10 }} + {{- end }} env: - name: SPLUNK_MEMORY_TOTAL_MIB value: "{{ include "splunk-otel-collector.convertMemToMib" $gateway.resources.limits.memory | int64 }}" diff --git a/helm-charts/splunk-otel-collector/values.yaml b/helm-charts/splunk-otel-collector/values.yaml index c6bfbe2728..397db99b5c 100644 --- a/helm-charts/splunk-otel-collector/values.yaml +++ b/helm-charts/splunk-otel-collector/values.yaml @@ -475,7 +475,16 @@ clusterReceiver: affinity: {} # Pod configurations - securityContext: {} + securityContext: + runAsNonRoot: true + runAsUser: 20000 + runAsGroup: 20000 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + terminationGracePeriodSeconds: 600 priorityClassName: "" @@ -1138,7 +1147,15 @@ gateway: affinity: {} # Pod configurations - securityContext: {} + securityContext: + runAsNonRoot: true + runAsUser: 20000 + runAsGroup: 20000 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true terminationGracePeriodSeconds: 600 priorityClassName: ""
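Review bot: In the two `values.yaml` hunks the new default `securityContext` still sits under the `# Pod configurations` header even though both templates in this patch now render it under `containers[].securityContext`, so a reader setting `fsGroup` there would reasonably expect a pod-level field to work; a comment directly above the key such as `# Rendered on the collector container, not the pod; pod-only fields (e.g. fsGroup) are not valid here` would remove that ambiguity. The hardened default drops all capabilities and sets `readOnlyRootFilesystem: true` but omits a seccomp profile, which the restricted Pod Security Standard also requires, so adding `seccompProfile:` / `  type: RuntimeDefault` to both blocks would let the defaults pass that policy out of the box. The clusterReceiver block gains a trailing blank line before `terminationGracePeriodSeconds` that the gateway block does not, so the two stanzas should be made consistent. Changing the default from `{}` to a read-only root filesystem and a fixed UID is a behavioural change for existing installs; anything the collector writes outside a mounted volume (the persistence-queue examples are regenerated in this patch, but their volume mounts are outside the hunks) should be confirmed to still work, and since `values.yaml` also feeds the Windows path, it is worth confirming that the helper strips the Linux-only fields there rather than leaving `readOnlyRootFilesystem` and `capabilities` for the kubelet to reject or ignore.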