1.98.0-rc.4.2

README-install-guide.md

@@ -12,12 +12,12 @@ One must be used or there will be helm failure for nil pointers.
 
 ```bash
 helm upgrade --install kubecost \
- --repo https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/ cost-analyzer \
+ --repo https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/ cost-analyzer \
  --namespace kubecost --create-namespace \
- -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/disable-psps.yaml \
- -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/values-thanos.yaml \
- -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/values-restricted-podsecurity.yaml \
- -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/kubecost-primary-cluster-settings.yaml
+ -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/disable-psps.yaml \
+ -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/values-thanos.yaml \
+ -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/values-restricted-podsecurity.yaml \
+ -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/kubecost-primary-cluster-settings.yaml
 ```
 
 ### Multi Cluster Deployment:
@@ -51,12 +51,12 @@ edit values-custom.yaml with any settings that differ from the repo defaults.
 
 ```bash
 helm upgrade --install kubecost \
- --repo https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/ cost-analyzer \
+ --repo https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/ cost-analyzer \
  --namespace kubecost --create-namespace \
- -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/disable-psps.yaml \
- -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/values-thanos.yaml \
- -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/values-restricted-podsecurity.yaml \
- -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/kubecost-primary-cluster-settings.yaml
+ -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/disable-psps.yaml \
+ -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/values-thanos.yaml \
+ -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/values-unrestricted-podsecurity.yaml \
+ -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/kubecost-primary-cluster-settings.yaml
  -f path-to/values-custom.yaml
 ```
 
@@ -66,12 +66,12 @@ helm upgrade --install kubecost \
 
 ```bash
 helm upgrade --install kubecost \
- --repo https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/ cost-analyzer \
+ --repo https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/ cost-analyzer \
  --namespace kubecost --create-namespace \
- -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/disable-psps.yaml \
- -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/values-thanos.yaml \
- -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/values-restricted-podsecurity.yaml \
- -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/kubecost-secondary-cluster-settings.yaml \
+ -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/disable-psps.yaml \
+ -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/values-thanos.yaml \
+ -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/values-unrestricted-podsecurity.yaml \
+ -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/kubecost-secondary-cluster-settings.yaml \
  -f path-to/values-custom.yaml
 ```
 

README.md

@@ -2,7 +2,9 @@
 
 ## Overview
 
-This repository is designed to be an easy guide for the most common configurations of Kubecost in OpenShift clusters. It does not replace our [published documentation](https://guide.kubecost.com/) which will have details for many more use cases.
+This repository is designed to be an easy guide for the most common configurations of Kubecost in OpenShift clusters and may be used where cluster security requirements are more locked down than is typical in standard distributions. It does not replace our [published documentation](https://guide.kubecost.com/) which will have details for many more use cases.
+
+The Kubecost version used in this helm cart uses GA release containers. The primary difference are helm templates have been modified to allow securityContext configuration changes and additional value-file templates.
 
 ---
 

cost-analyzer/charts/prometheus/values.yaml

@@ -1274,6 +1274,9 @@ serverFiles:
           - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
             action: keep
             regex: true
+          - source_labels: [__meta_kubernetes_endpoints_name]
+            action: keep
+            regex: (kubecost-kube-state-metrics|kubecost-prometheus-node-exporter|kubecost-network-costs)
           - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
             action: replace
             target_label: __scheme__

cost-analyzer/kubecost-primary-cluster-settings.yaml

@@ -1,12 +1,7 @@
 kubecostModel:
   etlCloudAsset: true # set to true to enable kubecost to include out-of-cluster cloud resources  (uses more memory)
-prometheus:
-  nodeExporter:
-    enabled: false
-  kubeStateMetrics:
-    enabled: false
-  kube-state-metrics:
-    disabled: true
+kubecostProductConfigs:
+  # grafanaURL: http://grafana.apps.openshiftapps.com/
 
 # if enabling network costs, also set the given cloud provider to true
 networkCosts:
@@ -15,4 +10,19 @@ networkCosts:
     services:
       amazon-web-services: false
       google-cloud-services: false
-      azure-cloud-services: false
+      azure-cloud-services: false
+
+# optional
+global:
+  grafana:
+    enabled: true
+    proxy: true
+
+# not required:
+prometheus:
+  nodeExporter:
+    enabled: false
+  kubeStateMetrics:
+    enabled: false
+  kube-state-metrics:
+    disabled: true

cost-analyzer/kubecost-secondary-cluster-settings.yaml

@@ -29,7 +29,7 @@ thanos:
 
 # if enabling network costs, also set the given cloud provider to true
 networkCosts:
-  enabled: false
+  enabled: true
   config:
     services:
       amazon-web-services: false

cost-analyzer/templates/cost-analyzer-deployment-template.yaml

@@ -50,7 +50,10 @@ spec:
 {{- end }}
 {{- end }}
     spec:
-      securityContext: {}
+      {{- if .Values.kubecostDeployment.podSecurityContext }}
+      securityContext:
+        {{- toYaml .Values.kubecostDeployment.podSecurityContext | nindent 8 }}
+      {{- end }}
       restartPolicy: Always
       serviceAccountName: {{ template "cost-analyzer.serviceAccountName" . }}
       volumes:
@@ -60,6 +63,8 @@ spec:
             defaultMode: 420
             secretName: kubecost-thanos
       {{- end }}
+        - name: tmp
+          emptyDir: {}
         - name: nginx-conf
           configMap:
             name: nginx-conf
@@ -253,7 +258,8 @@ spec:
             - name: persistent-db
               mountPath: /var/db
             {{- end }}
-          securityContext: {}
+          securityContext:
+            runAsUser: 0
 {{ end }}
       containers:
         {{- if .Values.global.amp.enabled }}
@@ -303,13 +309,14 @@ spec:
           args:
           {{- toYaml .Values.kubecostModel.extraArgs | nindent 12 }}
         {{- end }}
+        {{- if .Values.kubecostModel.containerSecurityContext }}
+          securityContext:
+            {{- toYaml .Values.kubecostModel.containerSecurityContext | nindent 12 -}}
+        {{ end }}
         {{- if .Values.kubecostModel.imagePullPolicy }}
           imagePullPolicy: {{ .Values.kubecostModel.imagePullPolicy }}
         {{- else }}
           imagePullPolicy: Always
-        {{- end }}
-        {{- if .Values.kubecostModel.containerSecurityContext }}
-          {{- toYaml .Values.kubecostModel.containerSecurityContext | nindent 10 }}
         {{- end }}
           ports:
           - name: tcp-model
@@ -904,7 +911,13 @@ spec:
             {{ toYaml .Values.kubecostFrontend.extraEnv | nindent 12 }}
             {{- end }}
           name: cost-analyzer-frontend
+        {{- if .Values.kubecostFrontend.containerSecurityContext }}
+          securityContext:
+            {{- toYaml .Values.kubecostFrontend.containerSecurityContext | nindent 12 }}
+        {{ end }}
           volumeMounts:
+            - name: tmp
+              mountPath: /tmp
             - name: nginx-conf
               mountPath: /etc/nginx/conf.d/
             {{- if .Values.kubecostFrontend.tls }}
@@ -919,9 +932,6 @@ spec:
           imagePullPolicy: {{ .Values.kubecostFrontend.imagePullPolicy }}
         {{- else }}
           imagePullPolicy: Always
-        {{- end }}
-        {{- if .Values.kubecostModel.containerSecurityContext }}
-          {{- toYaml .Values.kubecostFrontend.containerSecurityContext | nindent 10 }}
         {{- end }}
           readinessProbe:
             httpGet:
@@ -955,4 +965,4 @@ spec:
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-{{- end }}
+{{- end }}

cost-analyzer/templates/cost-analyzer-network-costs-template.yaml

@@ -31,12 +31,17 @@ spec:
       {{ toYaml .Values.imagePullSecrets | indent 2 }}
     {{- end }}
       hostNetwork: true
+      {{- if .Values.kubecostNetworkCosts.podSecurityContext }}
+      securityContext:
+        {{- toYaml .Values.kubecostNetworkCosts.podSecurityContext | nindent 8 }}
+      {{- end }}
       serviceAccountName: {{ template "cost-analyzer.serviceAccountName" . }}
       containers:
       - name: {{ template "cost-analyzer.networkCostsName" . }}
         image: {{ .Values.networkCosts.image }}
         {{- if .Values.kubecostNetworkCosts.containerSecurityContext }}
-          {{- toYaml .Values.kubecostNetworkCosts.containerSecurityContext | nindent 8 }}
+        securityContext:
+          {{- toYaml .Values.kubecostNetworkCosts.containerSecurityContext | nindent 10 }}
         {{- end }}
         {{- if .Values.networkCosts.extraArgs }}
         args:

cost-analyzer/values-custom.yaml

@@ -1,6 +1,5 @@
 kubecostProductConfigs:
   clusterName: YOUR_CLUSTER_NAME
-  # projectID: "11111111"
   cloudIntegrationSecret: cloud-integration
 prometheus:
   server:

cost-analyzer/values-restricted-podsecurity.yaml

@@ -1,39 +1,35 @@
+kubecostDeployment:
+  podSecurityContext: {}
 kubecostModel:
   containerSecurityContext:
-    securityContext:
-      allowPrivilegeEscalation: false
-      runAsNonRoot: true
-      seccompProfile:
-        type: RuntimeDefault
-      capabilities:
-        drop:
-          - ALL
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop:
+        - ALL
 kubecostFrontend:
   containerSecurityContext:
-    securityContext:
-      allowPrivilegeEscalation: false
-      runAsNonRoot: true
-      seccompProfile:
-        type: RuntimeDefault
-      capabilities:
-        drop:
-          - ALL
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop:
+        - ALL
 kubecostNetworkCosts:
-  containerSecurityContext:
-    securityContext:
-      privileged: true
-      capabilities:
-        drop:
-          - ALL
-      # allowPrivilegeEscalation: false
-      # runAsNonRoot: true
-      seccompProfile:
-        type: RuntimeDefault
+  securityContext: {}
+  containerSecurityContext: {}
+
 prometheus:
   server:
     containerSecurityContext:
       securityContext:
         allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
@@ -44,6 +40,7 @@ prometheus:
     containerSecurityContext:
       securityContext:
         allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
@@ -54,6 +51,7 @@ prometheus:
     containerSecurityContext:
       securityContext:
         allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
@@ -65,6 +63,7 @@ grafana:
     containerSecurityContext:
       securityContext:
         allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
@@ -75,6 +74,7 @@ grafana:
     containerSecurityContext:
       securityContext:
         allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
@@ -85,6 +85,7 @@ grafana:
     containerSecurityContext:
       securityContext:
         allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
@@ -96,6 +97,7 @@ thanos:
     containerSecurityContext:
       securityContext:
         allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
@@ -106,6 +108,7 @@ thanos:
     containerSecurityContext:
       securityContext:
         allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
@@ -116,6 +119,7 @@ thanos:
     containerSecurityContext:
       securityContext:
         allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
@@ -126,6 +130,7 @@ thanos:
     containerSecurityContext:
       securityContext:
         allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault

cost-analyzer/values-unrestricted-podsecurity.yaml

@@ -1,12 +1,12 @@
+kubecostDeployment:
+  podSecurityContext: {}
 kubecostModel:
-  containerSecurityContext:
-    securityContext: {}
+  containerSecurityContext: {}
 kubecostFrontend:
-  containerSecurityContext:
-    securityContext: {}
+  containerSecurityContext: {}
 kubecostNetworkCosts:
-  containerSecurityContext:
-    securityContext: {}
+  podSecurityContext: {}
+  containerSecurityContext: {}
 prometheus:
   server:
     containerSecurityContext:

index.yaml

@@ -26,6 +26,6 @@ entries:
     digest: b4fc6cdeb1d06325c1a183bfbbfa54020f87167fec8a584c30328ebcf3d35fa8
     name: cost-analyzer
     urls:
-    - kubecost-1.98.0-rc4.1.tgz
+    - kubecost-1.98.0-rc4.2.tgz
     version: 1.98.0
 generated: "2022-11-10T12:51:09.397504141Z"