From 83f0491217e54f01e21533e71d929f6f35942d97 Mon Sep 17 00:00:00 2001 
From: rashmichandrashekar Date: Fri, 7 Jun 2024 14:08:38 -0700 Subject: [PATCH] Drop all capabilities for containers and add image pull policy (#903) [comment]: # (Note that your PR title should follow the conventional commit format: https://conventionalcommits.org/en/v1.0.0/#summary) # PR Description [comment]: # (The below checklist is for PRs adding new features. If a box is not checked, add a reason why it's not needed.) # New Feature Checklist - [ ] List telemetry added about the feature. - [ ] Link to the one-pager about the feature. - [ ] List any tasks necessary for release (3P docs, AKS RP chart changes, etc.) after merging the PR. - [ ] Attach results of scale and perf testing. [comment]: # (The below checklist is for code changes. Not all boxes necessarily need to be checked. Build, doc, and template changes do not need to fill out the checklist.) # Tests Checklist - [ ] Have end-to-end Ginkgo tests been run on your cluster and passed? To bootstrap your cluster to run the tests, follow [these instructions](/otelcollector/test/README.md#bootstrap-a-dev-cluster-to-run-ginkgo-tests). - Labels used when running the tests on your cluster: - [ ] `operator` - [ ] `windows` - [ ] `arm64` - [ ] `arc-extension` - [ ] `fips` - [ ] Have new tests been added? For features, have tests been added for this feature? For fixes, is there a test that could have caught this issue and could validate that the fix works? - [ ] Is a new scrape job needed? - [ ] The scrape job was added to the folder [test-cluster-yamls](/otelcollector/test/test-cluster-yamls/) in the correct configmap or as a CR. - [ ] Was a new test label added? - [ ] A string constant for the label was added to [constants.go](/otelcollector/test/utils/constants.go). - [ ] The label and description was added to the [test README](/otelcollector/test/README.md). - [ ] The label was added to this [PR checklist](/.github/pull_request_template). 
- [ ] The label was added as needed to [testkube-test-crs.yaml](/otelcollector/test/testkube/testkube-test-crs.yaml). - [ ] Are additional API server permissions needed for the new tests? - [ ] These permissions have been added to [api-server-permissions.yaml](/otelcollector/test/testkube/api-server-permissions.yaml). - [ ] Was a new test suite (a new folder under `/tests`) added? - [ ] The new test suite is included in [testkube-test-crs.yaml](/otelcollector/test/testkube/testkube-test-crs.yaml). --- .../templates/ama-metrics-daemonset.yaml | 34 +++++++++---------- .../templates/ama-metrics-deployment.yaml | 11 +++--- .../templates/ama-metrics-ksm-deployment.yaml | 4 +++ .../ama-metrics-targetallocator.yaml | 9 ++++- 4 files changed, 34 insertions(+), 24 deletions(-) diff --git a/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-daemonset.yaml b/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-daemonset.yaml index 3a1cfd805..f71407250 100644 --- a/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-daemonset.yaml +++ b/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-daemonset.yaml @@ -139,6 +139,11 @@ spec: value: "{{ .Values.AzureMonitorMetrics.OpenTelemetryMetricsPort }}" securityContext: privileged: false + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE volumeMounts: - mountPath: /etc/config/settings name: settings-vol-config @@ -152,9 +157,6 @@ spec: - name: host-log-containers readOnly: true mountPath: /var/log/containers - - name: host-log-pods - readOnly: true - mountPath: /var/log/pods - mountPath: /anchors/mariner name: anchors-mariner readOnly: true @@ -248,7 +250,7 @@ spec: - operator: "Exists" effect: "NoExecute" - operator: "Exists" - effect: "PreferNoSchedule" + effect: "PreferNoSchedule" {{- end }} - key: "node-role.kubernetes.io/control-plane" operator: "Exists" 
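Review bot: The `add: - DAC_OVERRIDE` at @@ -139 re-grants a capability that bypasses file mode checks on every path the container can see, including the read-only hostPath mounts of /var/log/containers and the CA anchors in the same hunk, and nothing in the diff says which access needs it. The reason should be recorded next to it, e.g. `- DAC_OVERRIDE  # TODO: document which file read requires this (presumably log files owned by other UIDs) or remove it`, so a later hardening pass can tell whether it is still needed. The securityContext visible here sets only `privileged: false` and capabilities; `allowPrivilegeEscalation: false` would normally accompany `drop: ALL`, assuming the image does not depend on setuid binaries. The container spec continues outside the hunk, so any pod-level runAsUser/runAsNonRoot settings are not visible.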
@@ -284,9 +286,6 @@ spec: - name: host-log-containers hostPath: path: /var/log/containers - - name: host-log-pods - hostPath: - path: /var/log/pods - name: anchors-mariner hostPath: path: /etc/pki/ca-trust/anchors/ @@ -412,6 +411,11 @@ spec: value: "{{ .Values.AzureMonitorMetrics.OpenTelemetryMetricsPort }}" securityContext: privileged: false + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE volumeMounts: - mountPath: /etc/config/settings name: settings-vol-config @@ -425,9 +429,6 @@ spec: - name: host-log-containers readOnly: true mountPath: /var/log/containers - - name: host-log-pods - readOnly: true - mountPath: /var/log/pods livenessProbe: exec: command: @@ -447,7 +448,7 @@ spec: - --token-server-listening-port=7777 - --health-server-listening-port=9999 image: "mcr.microsoft.com{{ .Values.AzureMonitorMetrics.AddonTokenAdapter.ImageRepositoryWin }}:{{ .Values.AzureMonitorMetrics.AddonTokenAdapter.ImageTagWin }}" - imagePullPolicy: Always + imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /healthz @@ -461,9 +462,11 @@ spec: cpu: 100m memory: 100Mi securityContext: - capabilities: - add: - - NET_ADMIN + capabilities: + drop: + - ALL + add: + - NET_ADMIN affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -501,7 +504,4 @@ spec: secret: secretName: ama-metrics-mtls-secret optional: true - - name: host-log-pods - hostPath: - path: /var/log/pods {{- end }} diff --git a/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-deployment.yaml b/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-deployment.yaml index 903f8c2b1..5d7a4b4ea 100644 --- a/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-deployment.yaml +++ b/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-deployment.yaml 
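Review bot: The `capabilities` block added at @@ -412 appears to belong to the Windows daemonset, since the token-adapter sidecar a few lines further down is built from `ImageRepositoryWin`; if that is right, Linux capabilities are ignored by the Windows kubelet and, once `spec.os.name: windows` is set on the pod, rejected by API validation, so the drop/add is a no-op today and a potential break later rather than a hardening. Worth confirming which OS this container targets and, if Windows, omitting the block with a one-line note such as `# Linux capabilities do not apply to Windows containers`. The same question applies to the `NET_ADMIN` block at @@ -461, which the commit only reshapes.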
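Review bot: Changing the token adapter to `imagePullPolicy: IfNotPresent` at @@ -447 means a node that already holds `ImageTagWin` keeps running whatever that tag resolved to when first pulled, so a re-pushed tag (including a security rebuild) is not picked up until the cached image is evicted; that is only safe if the tag is treated as immutable, which the chart cannot enforce. If the goal is to avoid a registry round-trip on every restart, pinning the image by digest (`image: "...:tag@sha256:..."` from a values entry) gives the same effect without the staleness risk. At minimum a comment should state why the policy changed from Always, since the Linux token adapter's policy is not shown in this diff and the two may now diverge.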
@@ -163,6 +163,11 @@ spec: value: "true" # only supported value is the string "true" securityContext: privileged: false + capabilities: + drop: + - ALL + add: + - DAC_OVERRIDE volumeMounts: - mountPath: /etc/config/settings name: settings-vol-config @@ -176,9 +181,6 @@ spec: - name: host-log-containers readOnly: true mountPath: /var/log/containers - - name: host-log-pods - readOnly: true - mountPath: /var/log/pods - mountPath: /anchors/mariner name: anchors-mariner readOnly: true @@ -320,9 +322,6 @@ spec: - name: host-log-containers hostPath: path: /var/log/containers - - name: host-log-pods - hostPath: - path: /var/log/pods - name: anchors-mariner hostPath: path: /etc/pki/ca-trust/anchors/ diff --git a/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-ksm-deployment.yaml b/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-ksm-deployment.yaml index 61b7b058a..8b8377e3c 100644 --- a/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-ksm-deployment.yaml +++ b/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-ksm-deployment.yaml @@ -75,6 +75,10 @@ spec: requests: cpu: 5m memory: 50Mi + securityContext: + capabilities: + drop: + - ALL ports: - containerPort: 8080 name: "http" diff --git a/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-targetallocator.yaml b/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-targetallocator.yaml index 739edd612..4d4d43c15 100644 --- a/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-targetallocator.yaml +++ b/otelcollector/deploy/addon-chart/azure-monitor-metrics-addon/templates/ama-metrics-targetallocator.yaml 
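Review bot: `DAC_OVERRIDE` is kept at @@ -163 with no record of what needs it; on a root container it lets the collector read any file under the hostPath mounts in this hunk regardless of ownership, and if the deployment runs as a non-root user the added capability may not take effect at all, so either way the intent should be written down, e.g. `- DAC_OVERRIDE  # TODO: document the file access that requires this, or drop it`. Whether the pod sets runAsUser or runAsNonRoot is outside this hunk. `allowPrivilegeEscalation: false` is also absent from the visible securityContext and is the usual companion to `drop: ALL`.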
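Review bot: The new securityContext on the ksm container at @@ -75 drops all capabilities but leaves `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `runAsNonRoot` unset, so the container still defaults to allowing privilege escalation. kube-state-metrics here is only exposing an HTTP port (`containerPort: 8080` in the context lines), so `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` should be safe to add; `runAsNonRoot: true` depends on the image's configured user, which this diff does not show, so confirm before adding it.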
@@ -64,6 +64,10 @@ spec: value: {{ .Values.AzureMonitorMetrics.ImageTagTargetAllocator }} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File + securityContext: + capabilities: + drop: + - ALL volumeMounts: - mountPath: /conf name: ta-config-shared @@ -154,6 +158,10 @@ spec: readOnly: true - mountPath: /ta-configuration name: ta-config-shared + securityContext: + capabilities: + drop: + - ALL livenessProbe: exec: command: @@ -167,7 +175,6 @@ spec: dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler - securityContext: {} serviceAccount: ama-metrics-serviceaccount serviceAccountName: ama-metrics-serviceaccount terminationGracePeriodSeconds: 30
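Review bot: Both target-allocator containers get `drop: ALL` at @@ -64 and @@ -154, but neither sets `allowPrivilegeEscalation: false`, which normally accompanies a capability drop so that a setuid binary cannot change the process's privilege state; adding that one line under each new `securityContext` closes the gap. Removing the empty pod-level `securityContext: {}` at @@ -167 is harmless, but this would be the natural place for a pod-wide `runAsNonRoot: true` and `seccompProfile: type: RuntimeDefault` if the images support them — that depends on image details not visible here, so confirm before adding.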