diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4dc7c3c4..64095ddf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,16 @@ ## Other changes
 - None
+# 2.x.x
+## Breaking changes
+- None
+
+## New features
+- Add securityContext and podSecurityContext to Helm chart - [#289](https://github.com/jertel/elastalert2/pull/289) - @lepouletsuisse
+
+## Other changes
+- Deprecated `podSecurityPolicy` feature in Helm Chart as [it's deprecated in Kubernetes 1.21](https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/) - [#289](https://github.com/jertel/elastalert2/pull/289) - @lepouletsuisse
+
 # 2.1.1
 ## Breaking changes
diff --git a/chart/elastalert2/README.md b/chart/elastalert2/README.md
index 92d0ec78..9d1817d6 100644
--- a/chart/elastalert2/README.md
+++ b/chart/elastalert2/README.md
@@ -44,47 +44,49 @@ The command removes all the Kubernetes components associated with the chart and
 ## Configuration
-| Parameter                                    | Description                                                                                                                   | Default                         |
-|----------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|---------------------------------|
-| `image.repository`                           | docker image                                                                                                                  | jertel/elastalert2              |
-| `image.tag`                                  | docker image tag                                                                                                              | 2.1.1                           |
-| `image.pullPolicy`                           | image pull policy                                                                                                             | IfNotPresent                    |
-| `podAnnotations`                             | Annotations to be added to pods                                                                                               | {}                              |
-| `command`                                    | command override for container                                                                                                | `NULL`                          |
-| `args`                                       | args override for container                                                                                                   | `NULL`                          |
-| `replicaCount`                               | number of replicas to run                                                                                                     | 1                               |
-| `elasticsearch.host`                         | elasticsearch endpoint to use                                                                                                 | elasticsearch                   |
-| `elasticsearch.port`                         | elasticsearch port to use                                                                                                     | 9200                            |
-| `elasticsearch.useSsl`                       | whether or not to connect to es_host using SSL                                                                                | False                           |
-| `elasticsearch.username`                     | Username for ES with basic auth                                                                                               | `NULL`                          |
-| `elasticsearch.password`                     | Password for ES with basic auth                                                                                               | `NULL`                          |
-| `elasticsearch.credentialsSecret`            | Specifies an existing secret to be used for the ES username/password auth                                                     | `NULL`                          |
-| `elasticsearch.credentialsSecretUsernameKey` | The key in elasticsearch.credentialsSecret that stores the ES password auth                                                   | `NULL`                          |
-| `elasticsearch.credentialsSecretPasswordKey` | The key in elasticsearch.credentialsSecret that stores the ES username auth                                                   | `NULL`                          |
-| `elasticsearch.verifyCerts`                  | whether or not to verify TLS certificates                                                                                     | True                            |
-| `elasticsearch.clientCert`                   | path to a PEM certificate to use as the client certificate                                                                    | /certs/client.pem               |
-| `elasticsearch.clientKey`                    | path to a private key file to use as the client key                                                                           | /certs/client-key.pem           |
-| `elasticsearch.caCerts`                      | path to a CA cert bundle to use to verify SSL connections                                                                     | /certs/ca.pem                   |
-| `elasticsearch.certsVolumes`                 | certs volumes, required to mount ssl 
certificates when elasticsearch has tls enabled                                                                          | `NULL`                          |
-| `elasticsearch.certsVolumeMounts`            | mount certs volumes, required to mount ssl certificates when elasticsearch has tls enabled                                    | `NULL`                          |
-| `extraConfigOptions`                         | Additional options to propagate to all rules, cannot be `alert`, `type`, `name` or `index`                                    | `{}`                            |
-| `secretConfigName`                           | name of the secret which holds the ElastAlert config. **Note:** this will completely overwrite the generated config           | `NULL`                          |
-| `secretRulesName`                            | name of the secret which holds the ElastAlert rules. **Note:** this will overwrite the generated rules                        | `NULL`                          |
-| `secretRulesList`                            | a list of rules to enable from the secret                                                                                     | []                              |
-| `optEnv`                                     | Additional pod environment variable definitions                                                                               | []                              |
-| `extraVolumes`                               | Additional volume definitions                                                                                                 | []                              |
-| `extraVolumeMounts`                          | Additional volumeMount definitions                                                                                            | []                              |
-| `serviceAccount.create`                      | Specifies whether a service account should be created.                                                                        | `true`                          |
-| `serviceAccount.name`                        | Service account to be used. 
If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template |                                 |
-| `serviceAccount.annotations`                 | ServiceAccount annotations                                                                                                    |                                 |
-| `podSecurityPolicy.create`                   | Create pod security policy resources                                                                                          | `false`                         |
-| `resources`                                  | Container resource requests and limits                                                                                        | {}                              |
-| `rules`                                      | Rule and alert configuration for ElastAlert 2                                                                                 | {} example shown in values.yaml |
-| `runIntervalMins`                            | Default interval between alert checks, in minutes                                                                             | 1                               |
-| `realertIntervalMins`                        | Time between alarms for same rule, in minutes                                                                                 | `NULL`                          |
-| `alertRetryLimitMins`                        | Time to retry failed alert deliveries, in minutes                                                                             | 2880 (2 days)                   |
-| `bufferTimeMins`                             | Default rule buffer time, in minutes                                                                                          | 15                              |
-| `writebackIndex`                             | Name or prefix of elastalert index(es)                                                                                        | elastalert                      |
-| `nodeSelector`                               | Node selector for deployment                                                                                                  | {}                              |
-| `affinity`                                   | Affinity specifications for the deployed pod(s)                                                                               | {}                              |
-| `tolerations`                                | Tolerations for deployment                                                                                                    | []                              |
+| Parameter                                    | Description                                                                                                                   | Default                                                  |
+|----------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|
+| `image.repository`                           | docker image                                                                                                                  | jertel/elastalert2                                       |
+| `image.tag`                                  | docker image tag                                                                                                              | 2.1.1                                                    |
+| `image.pullPolicy`                           | image pull policy                                                                                                             | IfNotPresent                                             |
+| `podAnnotations`                             | Annotations to be added to pods                                                                                               | {}                                                       |
+| `podSecurityContext`                         | Configurable podSecurityContext for pod execution environment                                                                 | {"runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 1000} |
+| `securityContext`                            | Allows you to set the securityContext for the container                                                                       | {"runAsNonRoot": true, "runAsUser": 1000}                |
+| `command`                                    | command override for container                                                                                                | `NULL`                                                   |
+| `args`                                       | args override for container                                                                                                   | `NULL`                                                   |
+| `replicaCount`                               | number of replicas to run                                                                                                     | 1                                                        |
+| `elasticsearch.host`                         | elasticsearch endpoint to use                                                                                                 | elasticsearch                                            |
+| 
`elasticsearch.port`                         | elasticsearch port to use                                                                                                     | 9200                                                     |
+| `elasticsearch.useSsl`                       | whether or not to connect to es_host using SSL                                                                                | False                                                    |
+| `elasticsearch.username`                     | Username for ES with basic auth                                                                                               | `NULL`                                                   |
+| `elasticsearch.password`                     | Password for ES with basic auth                                                                                               | `NULL`                                                   |
+| `elasticsearch.credentialsSecret`            | Specifies an existing secret to be used for the ES username/password auth                                                     | `NULL`                                                   |
+| `elasticsearch.credentialsSecretUsernameKey` | The key in elasticsearch.credentialsSecret that stores the ES password auth                                                   | `NULL`                                                   |
+| `elasticsearch.credentialsSecretPasswordKey` | The key in elasticsearch.credentialsSecret that stores the ES username auth                                                   | `NULL`                                                   |
+| `elasticsearch.verifyCerts`                  | whether or not to verify TLS certificates                                                                                     | True                                                     |
+| `elasticsearch.clientCert`                   | path to a PEM certificate to use as the client certificate                                                                    | /certs/client.pem                                        |
+| `elasticsearch.clientKey`                    | path to a private key file to use as the client key                                                                           | /certs/client-key.pem                                    |
+| `elasticsearch.caCerts`                      | path to a CA cert bundle to use to verify SSL connections                                                                     | /certs/ca.pem                                            |
+| `elasticsearch.certsVolumes`                 | certs volumes, required to mount ssl certificates when elasticsearch has tls enabled                                          | `NULL`                                                   |
+| `elasticsearch.certsVolumeMounts`            | mount certs volumes, required to mount ssl certificates when elasticsearch has tls enabled                                    | `NULL`                                                   |
+| `extraConfigOptions`                         | Additional options to propagate to all rules, cannot be `alert`, `type`, `name` or `index`                                    | `{}`                                                     |
+| `secretConfigName`                           | name of the secret which holds the ElastAlert config. **Note:** this will completely overwrite the generated config           | `NULL`                                                   |
+| `secretRulesName`                            | name of the secret which holds the ElastAlert rules. 
**Note:** this will overwrite the generated rules                        | `NULL`                                                   |
+| `secretRulesList`                            | a list of rules to enable from the secret                                                                                     | []                                                       |
+| `optEnv`                                     | Additional pod environment variable definitions                                                                               | []                                                       |
+| `extraVolumes`                               | Additional volume definitions                                                                                                 | []                                                       |
+| `extraVolumeMounts`                          | Additional volumeMount definitions                                                                                            | []                                                       |
+| `serviceAccount.create`                      | Specifies whether a service account should be created.                                                                        | `true`                                                   |
+| `serviceAccount.name`                        | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template |                                                          |
+| `serviceAccount.annotations`                 | ServiceAccount annotations                                                                                                    |                                                          |
+| `podSecurityPolicy.create`                   | [DEPRECATED] Create pod security policy resources                                                                             | `false`                                                  |
+| `resources`                                  | Container resource requests and limits                                                                                        | {}                                                       |
+| `rules`                                      | Rule and alert configuration for ElastAlert 2                                                                                 | {} example shown in values.yaml                          |
+| `runIntervalMins`                            | Default interval between alert checks, in minutes                                                                             | 1                                                        |
+| `realertIntervalMins`                        | Time between alarms for same rule, in minutes                                                                                 | `NULL`                                                   |
+| `alertRetryLimitMins`                        | Time to retry failed alert deliveries, in minutes                                                                             | 2880 (2 days)                                            |
+| `bufferTimeMins`                             | Default rule buffer time, in minutes                                                                                          | 15                                                       |
+| `writebackIndex`                             | Name or prefix of elastalert index(es)                                                                                        | elastalert                                               |
+| `nodeSelector`                               | Node selector for deployment                                                                                                  | {}                                                       |
+| `affinity`                                   | Affinity specifications for the deployed pod(s)                                                                               | {}                                                       |
+| `tolerations`                                | Tolerations for deployment                                                                                                    | []                                                       |
diff --git a/chart/elastalert2/templates/deployment.yaml b/chart/elastalert2/templates/deployment.yaml
index 47a3faf8..49975754 100644
--- a/chart/elastalert2/templates/deployment.yaml
+++ b/chart/elastalert2/templates/deployment.yaml
@@ -28,10 +28,18 @@ spec:
 release: {{ .Release.Name }}
 spec:
 serviceAccountName: {{ include "elastalert.serviceAccountName" . }}
+{{- if .Values.podSecurityContext }}
+ securityContext:
+{{ toYaml .Values.podSecurityContext | indent 8 }}
+{{- end }}
 containers:
 - name: elastalert
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+{{- if .Values.securityContext }}
+ securityContext:
+{{ toYaml .Values.securityContext | indent 10 }}
+{{- end }}
 {{- if .Values.command }}
 command:
 {{ toYaml .Values.command | indent 10 }}
diff --git a/chart/elastalert2/values.yaml b/chart/elastalert2/values.yaml
index a61adb87..e7a9f078 100644
--- a/chart/elastalert2/values.yaml
+++ b/chart/elastalert2/values.yaml
@@ -194,9 +194,19 @@ serviceAccount:
 # Enable pod security policy
 # https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+# DEPRECATED in Kubernetes 1.21 (https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/)
 podSecurityPolicy:
 create: false
+securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+
+podSecurityContext:
+ fsGroup: 1000
+ runAsUser: 1000
+ runAsGroup: 1000
+
 # Support using node selectors and tolerations
 # nodeSelector:
 # "node-role.kubernetes.io/infra_worker": "true"
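Review bot: The guard `{{- if .Values.securityContext }}` (and the matching `{{- if .Values.podSecurityContext }}` above it) is false for an empty map, so an operator who writes `securityContext: {}` in an override file does not merge with the chart defaults but silently removes `runAsNonRoot` and `runAsUser` from the rendered Deployment, which is exactly the regression a hardening default is meant to prevent. That behavior may be intended, but neither the template nor the README row says so; a template comment such as `{{- /* An empty map disables this block entirely; override individual keys to keep the non-root defaults. */ -}}` above each guard would make it explicit. It is also worth confirming in the PSP template (outside this hunk) that a policy rendered with `podSecurityPolicy.create: true` does not constrain `runAsUser` in a way that conflicts with the new uid 1000 default.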
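Review bot: The container `securityContext` default added under `+securityContext:` stops at `runAsNonRoot`/`runAsUser`, which does not satisfy the "restricted" Pod Security Standards profile that the deprecation link on the `# DEPRECATED in Kubernetes 1.21` line points operators toward as the PSP replacement; that profile also requires `allowPrivilegeEscalation: false` and dropping all capabilities, and on clusters that enforce it a `seccompProfile` of `RuntimeDefault` (a field that needs Kubernetes 1.19 or later, so check the chart's minimum version before adding it). Since these defaults are what most installs will run with, adding them here is cheap hardening with no change to the template logic. `readOnlyRootFilesystem: true` is deliberately not proposed because whether ElastAlert 2 writes to its container filesystem is not visible in this diff — verify before adding it. This also assumes the `jertel/elastalert2` image runs correctly as uid 1000; the image's user is not shown here.
```yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
# … unchanged: podSecurityContext block …
```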