diff --git a/charts/prometheus-thanos/Chart.yaml b/charts/prometheus-thanos/Chart.yaml
index 4f8548c4..7753fd07 100644
--- a/charts/prometheus-thanos/Chart.yaml
+++ b/charts/prometheus-thanos/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v1
-appVersion: "0.27.0"
+appVersion: "0.32.4"
description: A Helm chart for thanos monitoring components
name: prometheus-thanos
-version: 4.9.4
+version: 5.0.0
home: https://github.com/thanos-io/thanos
sources:
- https://github.com/thanos-io/thanos
diff --git a/charts/prometheus-thanos/README.md b/charts/prometheus-thanos/README.md
index 04bec4e8..a0b0a6c4 100644
--- a/charts/prometheus-thanos/README.md
+++ b/charts/prometheus-thanos/README.md
@@ -114,6 +114,8 @@ The following table lists the configurable parameters of the prometheus-thanos c
| `bucketWebInterface.replicaCount` | Replica count for bucket web interface | `1` |
| `bucketWebInterface.resources` | Resources | `{}` |
| `bucketWebInterface.tolerations` | Tolerations | `[]` |
+| `bucketWebInterface.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
`runAsUser: 1001`
`runAsGroup: 1001`
`fsGroup: 1001` |
+| `bucketWebInterface.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
`runAsNonRoot: true`
`allowPrivilegeEscalation: false`
`capabilities:`
`drop:`
`- ALL`
`privileged: false` |
| `bucketWebInterface.updateStrategy` | Deployment update strategy | `type: RollingUpdate` |
| `bucketWebInterface.volumeMounts` | Additional volume mounts | `nil` |
| `bucketWebInterface.volumes` |Additional volumes | `nil` |
@@ -148,6 +150,8 @@ The following table lists the configurable parameters of the prometheus-thanos c
| `compact.retentionResolution5m` | Retention for 5m buckets | `30d` |
| `compact.retentionResolution1h` | Retention for 1h buckets | `10y` |
| `compact.tolerations` | Tolerations | `[]` |
+| `compact.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
`runAsUser: 1001`
`runAsGroup: 1001`
`fsGroup: 1001` |
+| `compact.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
`runAsNonRoot: true`
`allowPrivilegeEscalation: false`
`capabilities:`
`drop:`
`- ALL`
`privileged: false` |
| `compact.updateStrategy` | StatefulSet update strategy | `type: RollingUpdate` |
| `compact.volumeMounts` | Additional volume mounts | `nil` |
| `compact.volumes` | Additional volumes | `nil` |
@@ -183,6 +187,8 @@ The following table lists the configurable parameters of the prometheus-thanos c
| `querier.resources` | Resources | `{}` |
| `querier.stores` | List of stores [see](https://github.com/thanos-io/thanos/blob/master/docs/components/query.md) | `[]` |
| `querier.tolerations` | Tolerations | `[]` |
+| `querier.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
`runAsUser: 1001`
`runAsGroup: 1001`
`fsGroup: 1001` |
+| `querier.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
`runAsNonRoot: true`
`allowPrivilegeEscalation: false`
`capabilities:`
`drop:`
`- ALL`
`privileged: false` |
| `querier.updateStrategy` | Deployment update strategy | `type: RollingUpdate` |
| `querier.volumeMounts` | Additional volume mounts | `nil` |
| `querier.volumes` | Additional volumes | `nil` |
@@ -223,6 +229,8 @@ The following table lists the configurable parameters of the prometheus-thanos c
| `queryFrontend.resources` | Resources | `{}` |
| `queryFrontend.stores` | List of stores [see](https://github.com/thanos-io/thanos/blob/master/docs/components/query.md) | `[]` |
| `queryFrontend.tolerations` | Tolerations | `[]` |
+| `queryFrontend.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
`runAsUser: 1001`
`runAsGroup: 1001`
`fsGroup: 1001` |
+| `queryFrontend.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
`runAsNonRoot: true`
`allowPrivilegeEscalation: false`
`capabilities:`
`drop:`
`- ALL`
`privileged: false` |
| `queryFrontend.updateStrategy` | Deployment update strategy | `type: RollingUpdate` |
| `queryFrontend.volumeMounts` | Additional volume mounts | `nil` |
| `queryFrontend.volumes` | Additional volumes | `nil` |
@@ -263,6 +271,8 @@ The following table lists the configurable parameters of the prometheus-thanos c
| `receiver.serviceAccount.create` | Create service account | `true` |
| `receiver.serviceAccount.annotations` | Service account annotations | `nil` |
| `receiver.tolerations` | Tolerations | `[]` |
+| `receiver.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
`runAsUser: 1001`
`runAsGroup: 1001`
`fsGroup: 1001` |
+| `receiver.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
`runAsNonRoot: true`
`allowPrivilegeEscalation: false`
`capabilities:`
`drop:`
`- ALL`
`privileged: false` |
| `receiver.tsdbRetention` | The period to retain TSDB blocks in the receiver | `1d` |
| `receiver.updateStrategy` | StatefulSet update strategy | `type: RollingUpdate` |
| `receiver.volumeMounts` | Additional volume mounts | `nil` |
@@ -314,6 +324,8 @@ The following table lists the configurable parameters of the prometheus-thanos c
| `ruler.sidecar.enabled` | Enable configmap watcher sidecar | `false` |
| `ruler.sidecar.watchLabel` | Label for configmaps to watch | `thanos_alert_config` |
| `ruler.tolerations` | Tolerations | `[]` |
+| `ruler.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
`runAsUser: 1001`
`runAsGroup: 1001`
`fsGroup: 1001` |
+| `ruler.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
`runAsNonRoot: true`
`allowPrivilegeEscalation: false`
`capabilities:`
`drop:`
`- ALL`
`privileged: false` |
| `ruler.updateStrategy` | StatefulSet update strategy | `type: RollingUpdate` |
| `ruler.volumeMounts` | Additional volume mounts | `nil` |
| `ruler.volumes` | Additional volumes | `nil` |
@@ -382,6 +394,8 @@ The following table lists the configurable parameters of the prometheus-thanos c
| `storeGateway.serviceAccount.create` | Create service account | `true` |
| `storeGateway.serviceAccount.annotations` | Service account annotations | `nil` |
| `storeGateway.tolerations` | Tolerations | `[]` |
+| `storeGateway.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
`runAsUser: 1001`
`runAsGroup: 1001`
`fsGroup: 1001` |
+| `storeGateway.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
`runAsNonRoot: true`
`allowPrivilegeEscalation: false`
`capabilities:`
`drop:`
`- ALL`
`privileged: false` |
| `storeGateway.updateStrategy` | StatefulSet update strategy | `type: RollingUpdate` |
| `storeGateway.volumeMounts` | Additional volume mounts | `nil` |
| `storeGateway.volumes` |Additional volumes | `nil` |
@@ -392,4 +406,4 @@ Specify each parameter using the `--set key=value[,key=value]` argument to `helm
helm install --name prometheus-thanos --set ingress.enabled=false kiwigrid/prometheus-thanos
```
-Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart.
+Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart.
\ No newline at end of file
diff --git a/charts/prometheus-thanos/templates/bucket-web/deployment.yaml b/charts/prometheus-thanos/templates/bucket-web/deployment.yaml
index 3fd11fbd..7412b771 100644
--- a/charts/prometheus-thanos/templates/bucket-web/deployment.yaml
+++ b/charts/prometheus-thanos/templates/bucket-web/deployment.yaml
@@ -67,6 +67,8 @@ spec:
{{- end }}
resources:
{{- toYaml .Values.bucketWebInterface.resources | nindent 12 }}
+ securityContext:
+ {{- toYaml .Values.bucketWebInterface.containerSecurityContext | nindent 12 }}
{{- with .Values.bucketWebInterface.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 14 }}
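Review bot: The container-level `securityContext:` key added after `resources:` is emitted unconditionally, whereas the pod-level block added further down in this file is wrapped in `with`. An operator who clears `bucketWebInterface.containerSecurityContext` to defer to cluster policy therefore still gets a `securityContext:` key rendered with an empty or null value. Wrapping it the same way, `{{- with .Values.bucketWebInterface.containerSecurityContext }}` before the key, `{{- toYaml . | nindent 12 }}` as the value and `{{- end }}` after it, keeps the two settings consistent and omits the key when unset. The same pattern appears in the container hunks of the compactor, querier, query-frontend, receiver, ruler and store-gateway templates. The container spec starts and ends outside this hunk, so the indentation should be confirmed against `helm template` output.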
@@ -83,6 +85,10 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
+ {{- with .Values.bucketWebInterface.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
{{- with .Values.bucketWebInterface.volumes }}
volumes:
{{- toYaml . | nindent 8 }}
diff --git a/charts/prometheus-thanos/templates/compactor/statefulset.yaml b/charts/prometheus-thanos/templates/compactor/statefulset.yaml
index dc863433..7a0b7b9d 100644
--- a/charts/prometheus-thanos/templates/compactor/statefulset.yaml
+++ b/charts/prometheus-thanos/templates/compactor/statefulset.yaml
@@ -73,6 +73,8 @@ spec:
{{- end }}
resources:
{{- toYaml .Values.compact.resources | nindent 12 }}
+ securityContext:
+ {{- toYaml .Values.compact.containerSecurityContext | nindent 12 }}
volumeMounts:
- mountPath: /data
name: storage-volume
@@ -91,6 +93,10 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
+ {{- with .Values.compact.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
volumes:
{{- with .Values.compact.volumes }}
{{- toYaml . | nindent 8 }}
diff --git a/charts/prometheus-thanos/templates/querier/deployment.yaml b/charts/prometheus-thanos/templates/querier/deployment.yaml
index 2332b967..861dfd0c 100644
--- a/charts/prometheus-thanos/templates/querier/deployment.yaml
+++ b/charts/prometheus-thanos/templates/querier/deployment.yaml
@@ -84,6 +84,8 @@ spec:
timeoutSeconds: {{ .Values.querier.readinessProbe.timeoutSeconds }}
resources:
{{- toYaml .Values.querier.resources | nindent 12 }}
+ securityContext:
+ {{- toYaml .Values.querier.containerSecurityContext | nindent 12 }}
{{- with .Values.querier.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 14 }}
@@ -100,6 +102,10 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
+ {{- with .Values.querier.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
{{- with .Values.querier.volumes }}
volumes:
{{- toYaml . | nindent 8 }}
diff --git a/charts/prometheus-thanos/templates/query-frontend/deployment.yaml b/charts/prometheus-thanos/templates/query-frontend/deployment.yaml
index 5ebc77cc..6eefc0f7 100644
--- a/charts/prometheus-thanos/templates/query-frontend/deployment.yaml
+++ b/charts/prometheus-thanos/templates/query-frontend/deployment.yaml
@@ -91,6 +91,8 @@ spec:
timeoutSeconds: {{ .Values.queryFrontend.readinessProbe.timeoutSeconds }}
resources:
{{- toYaml .Values.queryFrontend.resources | nindent 12 }}
+ securityContext:
+ {{- toYaml .Values.queryFrontend.containerSecurityContext | nindent 12 }}
{{- with .Values.queryFrontend.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 14 }}
@@ -107,6 +109,10 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
+ {{- with .Values.queryFrontend.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
{{- with .Values.queryFrontend.volumes }}
volumes:
{{- toYaml . | nindent 8 }}
diff --git a/charts/prometheus-thanos/templates/receiver/statefulset.yaml b/charts/prometheus-thanos/templates/receiver/statefulset.yaml
index 6016025e..3e396e72 100644
--- a/charts/prometheus-thanos/templates/receiver/statefulset.yaml
+++ b/charts/prometheus-thanos/templates/receiver/statefulset.yaml
@@ -90,7 +90,6 @@ spec:
- name: http-rw
containerPort: {{ .Values.service.receiver.httpRemoteWrite.port }}
protocol: TCP
-
env:
- name: K8S_NAMESPACE
valueFrom:
@@ -102,11 +101,9 @@ spec:
fieldPath: metadata.name
- name: K8S_SERVICE
value: {{ include "prometheus-thanos.fullname" . }}-receiver
-
{{- if .Values.receiver.extraEnv }}
{{- toYaml .Values.receiver.extraEnv | nindent 12 }}
{{- end }}
-
livenessProbe:
httpGet:
path: /-/healthy
@@ -123,10 +120,10 @@ spec:
periodSeconds: {{ .Values.receiver.readinessProbe.periodSeconds }}
successThreshold: {{ .Values.receiver.readinessProbe.successThreshold }}
timeoutSeconds: {{ .Values.receiver.readinessProbe.timeoutSeconds }}
-
resources:
{{- toYaml .Values.receiver.resources | nindent 12 }}
-
+ securityContext:
+ {{- toYaml .Values.receiver.containerSecurityContext | nindent 12 }}
volumeMounts:
- mountPath: /data
name: storage-volume
@@ -148,6 +145,10 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
+ {{- with .Values.receiver.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
volumes:
{{- with .Values.receiver.volumes }}
{{- toYaml . | nindent 8 }}
diff --git a/charts/prometheus-thanos/templates/ruler/statefulset.yaml b/charts/prometheus-thanos/templates/ruler/statefulset.yaml
index 68e893ec..a86bbc17 100644
--- a/charts/prometheus-thanos/templates/ruler/statefulset.yaml
+++ b/charts/prometheus-thanos/templates/ruler/statefulset.yaml
@@ -106,6 +106,8 @@ spec:
timeoutSeconds: {{ .Values.ruler.readinessProbe.timeoutSeconds }}
resources:
{{- toYaml .Values.ruler.resources | nindent 12 }}
+ securityContext:
+ {{- toYaml .Values.ruler.containerSecurityContext | nindent 12 }}
volumeMounts:
- mountPath: /etc/thanos-ruler
name: config
@@ -156,6 +158,10 @@ spec:
tolerations:
{{- toYaml . | nindent 6 }}
{{- end }}
+ {{- with .Values.ruler.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
volumes:
- name: external-config-volume
emptyDir: {}
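Review bot: The pod-level `securityContext` added here applies `runAsUser`, `runAsGroup` and `fsGroup` to every container in the ruler pod, but the container-level hardening in this file is only visible on the container whose `resources:` block it follows. The chart also offers a configmap watcher sidecar (`ruler.sidecar.enabled`), and whether that container gets a `securityContext:` of its own cannot be seen in these hunks. If it does not, it would run as UID 1001 without `allowPrivilegeEscalation: false` or dropped capabilities, and its image may not expect that UID. Rendering the same `securityContext:` block on the sidecar container and testing with `ruler.sidecar.enabled=true` would cover it. The pod spec continues outside this hunk.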
diff --git a/charts/prometheus-thanos/templates/store-gateway/statefulset.yaml b/charts/prometheus-thanos/templates/store-gateway/statefulset.yaml
index 3c8b0a54..fbbf5f99 100644
--- a/charts/prometheus-thanos/templates/store-gateway/statefulset.yaml
+++ b/charts/prometheus-thanos/templates/store-gateway/statefulset.yaml
@@ -95,6 +95,8 @@ spec:
timeoutSeconds: {{ .Values.storeGateway.readinessProbe.timeoutSeconds }}
resources:
{{- toYaml .Values.storeGateway.resources | nindent 12 }}
+ securityContext:
+ {{- toYaml .Values.storeGateway.containerSecurityContext | nindent 12 }}
volumeMounts:
- mountPath: /data
name: storage-volume
@@ -113,6 +115,10 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
+ {{- with .Values.storeGateway.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
volumes:
{{- with .Values.storeGateway.volumes }}
{{- toYaml . | nindent 8 }}
diff --git a/charts/prometheus-thanos/values.yaml b/charts/prometheus-thanos/values.yaml
index 1806c482..38bae9b3 100644
--- a/charts/prometheus-thanos/values.yaml
+++ b/charts/prometheus-thanos/values.yaml
@@ -66,7 +66,7 @@ queryFrontend:
maxUnavailable: 0
image:
repository: quay.io/thanos/thanos
- tag: v0.27.0
+ tag: v0.32.4
pullPolicy: IfNotPresent
serviceAccount:
create: false
@@ -85,6 +85,17 @@ queryFrontend:
nodeSelector: {}
podNumericalPriorityEnabled: false
podPriority: 0
+ podSecurityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ containerSecurityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
podPriorityClassName: ""
tolerations: []
affinity: {}
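Review bot: The new `containerSecurityContext` default falls short of the Kubernetes Pod Security Standards restricted profile because it sets no seccomp profile. Adding `seccompProfile:` with `type: RuntimeDefault` here, or once under `podSecurityContext`, would close that gap. `readOnlyRootFilesystem: true` is also worth considering for the stateless components, provided nothing is written outside mounted volumes, which this diff cannot confirm. The same defaults are repeated in the querier, storeGateway, compact, ruler, receiver and bucketWebInterface hunks of this file. Because `runAsNonRoot: true` is paired with `runAsUser: 1001`, anyone overriding `image.repository` should check that the replacement image can run as that UID.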
@@ -129,7 +140,7 @@ querier:
maxUnavailable: 0
image:
repository: quay.io/thanos/thanos
- tag: v0.27.0
+ tag: v0.32.4
pullPolicy: IfNotPresent
serviceAccount:
create: false
@@ -147,6 +158,17 @@ querier:
podNumericalPriorityEnabled: false
podPriority: 0
podPriorityClassName: ""
+ podSecurityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ containerSecurityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
tolerations: []
affinity: {}
livenessProbe:
@@ -186,7 +208,7 @@ storeGateway:
updateStrategy: RollingUpdate
image:
repository: quay.io/thanos/thanos
- tag: v0.27.0
+ tag: v0.32.4
pullPolicy: IfNotPresent
serviceAccount:
create: false
@@ -219,7 +241,17 @@ storeGateway:
podNumericalPriorityEnabled: false
podPriority: 0
podPriorityClassName: ""
-
+ podSecurityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ containerSecurityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
resources: {}
nodeSelector: {}
tolerations: []
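Review bot: `fsGroup: 1001` is new for a component whose StatefulSet mounts a data volume at `/data` (`storage-volume` in the store-gateway template). On upgrade the kubelet will by default recursively change group ownership and permissions of the existing volume contents at every mount, which can delay pod start on large volumes. Adding `fsGroupChangePolicy: OnRootMismatch` to `podSecurityContext` limits that work to volumes whose root directory does not already match. The same applies to the compact and receiver defaults, whose templates also mount `/data`. Data written by an earlier deployment under a different UID is not visible from this diff and may need an ownership check before moving to 5.0.0.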
@@ -270,7 +302,7 @@ compact:
updateStrategy: RollingUpdate
image:
repository: quay.io/thanos/thanos
- tag: v0.27.0
+ tag: v0.32.4
pullPolicy: IfNotPresent
serviceAccount:
create: false
@@ -298,7 +330,17 @@ compact:
podNumericalPriorityEnabled: false
podPriority: 0
podPriorityClassName: ""
-
+ podSecurityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ containerSecurityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
extraEnv: []
# - name: GOOGLE_APPLICATION_CREDENTIALS
# value: /etc/gcp/secrets/credentials.json
@@ -324,7 +366,7 @@ ruler:
updateStrategy: RollingUpdate
image:
repository: quay.io/thanos/thanos
- tag: v0.27.0
+ tag: v0.32.4
pullPolicy: IfNotPresent
sidecar:
enabled: false
@@ -397,6 +439,17 @@ ruler:
podNumericalPriorityEnabled: true
podPriority: 0
podPriorityClassName: ""
+ podSecurityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ containerSecurityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
receiver:
enabled: true
@@ -404,7 +457,7 @@ receiver:
updateStrategy: RollingUpdate
image:
repository: quay.io/thanos/thanos
- tag: v0.27.0
+ tag: v0.32.4
pullPolicy: IfNotPresent
serviceAccount:
create: false
@@ -431,7 +484,17 @@ receiver:
podNumericalPriorityEnabled: false
podPriority: 0
podPriorityClassName: ""
-
+ podSecurityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ containerSecurityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
resources: {}
nodeSelector: {}
tolerations: []
@@ -467,7 +530,7 @@ bucketWebInterface:
httpServerPort: 10902
image:
repository: quay.io/thanos/thanos
- tag: v0.27.0
+ tag: v0.32.4
pullPolicy: IfNotPresent
serviceAccount:
create: false
@@ -488,6 +551,17 @@ bucketWebInterface:
podNumericalPriorityEnabled: false
podPriority: 0
podPriorityClassName: ""
+ podSecurityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ containerSecurityContext:
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
replicaCount: 1
resources: {}
tolerations: []