From 78ca6d957935bc01336fc705b2a9f544bb54cdf1 Mon Sep 17 00:00:00 2001
From: ArthurSens <arthursens2005@gmail.com>
Date: Tue, 15 Feb 2022 15:20:21 +0000
Subject: [PATCH] Address FIXME

Signed-off-by: ArthurSens <arthursens2005@gmail.com>
---
 jsonnet/kube-prometheus/components/grafana.libsonnet      | 4 +---
 .../components/kube-state-metrics.libsonnet               | 5 -----
 .../components/prometheus-operator.libsonnet              | 8 +-------
 3 files changed, 2 insertions(+), 15 deletions(-)

diff --git a/jsonnet/kube-prometheus/components/grafana.libsonnet b/jsonnet/kube-prometheus/components/grafana.libsonnet
index beca7a0c..6ea80dd4 100644
--- a/jsonnet/kube-prometheus/components/grafana.libsonnet
+++ b/jsonnet/kube-prometheus/components/grafana.libsonnet
@@ -86,8 +86,7 @@ function(params)
 
     // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
     // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
-    // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged.
-    // 'capabilities: { drop: ['ALL'] }' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/130 gets merged.
+    // 'readOnlyRootFilesystem: true' and extra volumeMounts can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged.
     // FIXME(paulfantom): `automountServiceAccountToken` can be removed after porting to brancz/kuberentes-grafana
     deployment+: {
       spec+: {
@@ -98,7 +97,6 @@ function(params)
               securityContext+: {
                 allowPrivilegeEscalation: false,
                 readOnlyRootFilesystem: true,
-                capabilities: { drop: ['ALL'] },
               },
               volumeMounts+: [{
                 mountPath: '/tmp',
diff --git a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
index c63891ec..deaeb085 100644
--- a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
@@ -118,8 +118,6 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
     image: ksm._config.kubeRbacProxyImage,
   }),
 
-  // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
-  // 'capabilities: { drop: ['ALL'] },' can be deleted when https://github.com/kubernetes/kube-state-metrics/pull/1674 gets merged.
   deployment+: {
     spec+: {
       template+: {
@@ -136,9 +134,6 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
             readinessProbe:: null,
             args: ['--host=127.0.0.1', '--port=8081', '--telemetry-host=127.0.0.1', '--telemetry-port=8082'],
             resources: ksm._config.resources,
-            securityContext+: {
-              capabilities: { drop: ['ALL'] },
-            },
           }, super.containers) + [kubeRbacProxyMain, kubeRbacProxySelf],
         },
       },
diff --git a/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet b/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
index 68ebf94c..d95d854e 100644
--- a/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
@@ -125,18 +125,12 @@ function(params)
       image: po._config.kubeRbacProxyImage,
     }),
 
-    // FIXME(ArthurSens): The securityContext overrides can be removed after some PRs get merged
-    // 'capabilities: { drop: ['ALL'] },' can be deleted when https://github.com/prometheus-operator/prometheus-operator/pull/4546 gets merged.
     deployment+: {
       spec+: {
         template+: {
           spec+: {
             automountServiceAccountToken: true,
-            containers: std.map(function(c) c {
-              securityContext+: {
-                capabilities: { drop: ['ALL'] },
-              },
-            }, super.containers) + [kubeRbacProxy],
+            containers+: [kubeRbacProxy],
           },
         },
       },
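Review bot: With `containers+: [kubeRbacProxy]` the operator container's `capabilities: { drop: ['ALL'] }` now comes only from the imported prometheus-operator jsonnet, and the same override is deleted for grafana and kube-state-metrics in the earlier hunks. The diffstat lists only the three libsonnet files, so no change to pinned dependency versions or generated manifests is visible in this patch; it is worth confirming that the vendored versions already include the referenced upstream PRs and that the rendered Deployments still carry the drop, because otherwise these containers fall back to the container runtime's default capability set without any error. A short comment above `deployment+:` such as `// capabilities drop is set by the upstream prometheus-operator jsonnet; re-add an override here if the pinned version predates it.` would record that dependency. The enclosing `function(params)` body starts and ends outside the hunk.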
-- 
GitLab