diff --git a/README-install-guide.md b/README-install-guide.md index f07248a..f83da4a 100644 --- a/README-install-guide.md +++ b/README-install-guide.md @@ -12,12 +12,12 @@ One must be used or there will be helm failure for nil pointers. ```bash helm upgrade --install kubecost \ - --repo https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/ cost-analyzer \ + --repo https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/ cost-analyzer \ --namespace kubecost --create-namespace \ - -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/disable-psps.yaml \ - -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/values-thanos.yaml \ - -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/values-restricted-podsecurity.yaml \ - -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/kubecost-primary-cluster-settings.yaml + -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/disable-psps.yaml \ + -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/values-thanos.yaml \ + -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/values-restricted-podsecurity.yaml \ + -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/kubecost-primary-cluster-settings.yaml ``` ### Multi Cluster Deployment: 
@@ -51,12 +51,12 @@ edit values-custom.yaml with any settings that differ from the repo defaults. ```bash helm upgrade --install kubecost \ - --repo https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/ cost-analyzer \ + --repo https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/ cost-analyzer \ --namespace kubecost --create-namespace \ - -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/disable-psps.yaml \ - -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/values-thanos.yaml \ - -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/values-restricted-podsecurity.yaml \ - -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/kubecost-primary-cluster-settings.yaml + -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/disable-psps.yaml \ + -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/values-thanos.yaml \ + -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/values-unrestricted-podsecurity.yaml \ + -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/kubecost-primary-cluster-settings.yaml -f path-to/values-custom.yaml ``` 
@@ -66,12 +66,12 @@ helm upgrade --install kubecost \ ```bash helm upgrade --install kubecost \ - --repo https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/ cost-analyzer \ + --repo https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/ cost-analyzer \ --namespace kubecost --create-namespace \ - -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/disable-psps.yaml \ - -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/values-thanos.yaml \ - -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/values-restricted-podsecurity.yaml \ - -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.1/cost-analyzer/kubecost-secondary-cluster-settings.yaml \ + -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/disable-psps.yaml \ + -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/values-thanos.yaml \ + -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/values-unrestricted-podsecurity.yaml \ + -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4.2/cost-analyzer/kubecost-secondary-cluster-settings.yaml \ -f path-to/values-custom.yaml ``` diff --git a/README.md b/README.md index 46e2b1e..3c89286 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,9 @@ ## Overview -This repository is designed to be an easy guide for the most common configurations of Kubecost in OpenShift clusters. It does not replace our [published documentation](https://guide.kubecost.com/) which will have details for many more use cases. +This repository is designed to be an easy guide for the most common configurations of Kubecost in OpenShift clusters and may be used where cluster security requirements are more locked down than is typical in standard distributions. It does not replace our [published documentation](https://guide.kubecost.com/) which will have details for many more use cases. + +The Kubecost version used in this helm cart uses GA release containers. The primary difference are helm templates have been modified to allow securityContext configuration changes and additional value-file templates. --- diff --git a/cost-analyzer/charts/prometheus/values.yaml b/cost-analyzer/charts/prometheus/values.yaml index 5f48315..ed80a80 100644 --- a/cost-analyzer/charts/prometheus/values.yaml +++ b/cost-analyzer/charts/prometheus/values.yaml @@ -1274,6 +1274,9 @@ serverFiles: - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] action: keep regex: true + - source_labels: [__meta_kubernetes_endpoints_name] + action: keep + regex: (kubecost-kube-state-metrics|kubecost-prometheus-node-exporter|kubecost-network-costs) - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] action: replace target_label: __scheme__ diff --git a/cost-analyzer/kubecost-primary-cluster-settings.yaml b/cost-analyzer/kubecost-primary-cluster-settings.yaml index dbcaa1e..25e7b87 100644 --- a/cost-analyzer/kubecost-primary-cluster-settings.yaml +++ b/cost-analyzer/kubecost-primary-cluster-settings.yaml 
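Review bot: The new `keep` rule on `__meta_kubernetes_endpoints_name` hard-codes the `kubecost-` release prefix, so a release installed under any other name silently scrapes nothing from node-exporter, kube-state-metrics or network-costs instead of failing loudly. Narrowing the `kubernetes-service-endpoints` job to an explicit allowlist rather than every `prometheus.io/scrape: true` service is the right call for a locked-down cluster, so the intent deserves a comment on the line above the new rule: `# only scrape kubecost-owned exporters; annotated services elsewhere in the cluster are deliberately ignored (names assume release name 'kubecost')`. If any other kubecost endpoint is collected through this job rather than its own job it is now dropped too — worth confirming with `helm template` and the Prometheus targets page before release.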
@@ -1,12 +1,7 @@ kubecostModel: etlCloudAsset: true # set to true to enable kubecost to include out-of-cluster cloud resources (uses more memory) -prometheus: - nodeExporter: - enabled: false - kubeStateMetrics: - enabled: false - kube-state-metrics: - disabled: true +kubecostProductConfigs: + # grafanaURL: http://grafana.apps.openshiftapps.com/ # if enabling network costs, also set the given cloud provider to true networkCosts: @@ -15,4 +10,19 @@ networkCosts: services: amazon-web-services: false google-cloud-services: false - azure-cloud-services: false \ No newline at end of file + azure-cloud-services: false + +# optional +global: + grafana: + enabled: true + proxy: true + +# not required: +prometheus: + nodeExporter: + enabled: false + kubeStateMetrics: + enabled: false + kube-state-metrics: + disabled: true diff --git a/cost-analyzer/kubecost-secondary-cluster-settings.yaml b/cost-analyzer/kubecost-secondary-cluster-settings.yaml index 0eeb645..10ad15e 100644 --- a/cost-analyzer/kubecost-secondary-cluster-settings.yaml +++ b/cost-analyzer/kubecost-secondary-cluster-settings.yaml @@ -29,7 +29,7 @@ thanos: # if enabling network costs, also set the given cloud provider to true networkCosts: - enabled: false + enabled: true config: services: amazon-web-services: false diff --git a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml index e5f4f6e..9ece7ad 100644 --- a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml +++ b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml @@ -50,7 +50,10 @@ spec: {{- end }} {{- end }} spec: - securityContext: {} + {{- if .Values.kubecostDeployment.podSecurityContext }} + securityContext: + {{- toYaml .Values.kubecostDeployment.podSecurityContext | nindent 8 }} + {{- end }} restartPolicy: Always serviceAccountName: {{ template "cost-analyzer.serviceAccountName" . }} volumes: 
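Review bot: `global.grafana.enabled: true` with `proxy: true` is added under a bare `# optional` comment that does not tell an operator of a locked-down cluster that this deploys the bundled Grafana and routes it through the kubecost frontend. Suggest `# optional: deploys the bundled Grafana and exposes it through the kubecost frontend proxy; leave disabled unless dashboards are needed, or set grafanaURL above to reuse an existing instance`. Likewise `# not required:` above the moved prometheus block should say what is not required — presumably the chart's own node-exporter and kube-state-metrics because OpenShift already runs them and they need SCCs the restricted profile does not grant — but confirm that reasoning before writing it down.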
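Review bot: Flipping `networkCosts.enabled` to `true` in the secondary-cluster defaults turns on a DaemonSet that runs with `hostNetwork: true` (see the network-costs template hunk in this diff) on every secondary cluster, while the primary-cluster file in this diff does not visibly change its own `enabled` value. Since the install-guide hunks now pair the secondary command with `values-unrestricted-podsecurity.yaml`, the net effect is an unhardened host-network agent by default. I would keep it opt-in (`enabled: false`) or at least annotate it: `# enabling this deploys a hostNetwork DaemonSet; the service account needs an SCC that permits hostNetwork`.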
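Review bot: `{{- if .Values.kubecostDeployment.podSecurityContext }}` raises a nil-pointer error at render time whenever `kubecostDeployment` is absent from the merged values — the install guide in this same diff documents that failure mode rather than preventing it. A nil-safe form removes the hard dependency on always passing one of the podsecurity value files: replace the `if` line with `{{- with (.Values.kubecostDeployment | default dict).podSecurityContext }}` and the `toYaml` argument with `.`. Note also that when the value is `{}` (as in both shipped profiles) the condition is false and the pod gets no `securityContext` key at all, which is equivalent to the old `{}` but means the restricted profile sets no pod-level `runAsNonRoot` or `seccompProfile`.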
@@ -60,6 +63,8 @@ spec: defaultMode: 420 secretName: kubecost-thanos {{- end }} + - name: tmp + emptyDir: {} - name: nginx-conf configMap: name: nginx-conf @@ -253,7 +258,8 @@ spec: - name: persistent-db mountPath: /var/db {{- end }} - securityContext: {} + securityContext: + runAsUser: 0 {{ end }} containers: {{- if .Values.global.amp.enabled }} @@ -303,13 +309,14 @@ spec: args: {{- toYaml .Values.kubecostModel.extraArgs | nindent 12 }} {{- end }} + {{- if .Values.kubecostModel.containerSecurityContext }} + securityContext: + {{- toYaml .Values.kubecostModel.containerSecurityContext | nindent 12 -}} + {{ end }} {{- if .Values.kubecostModel.imagePullPolicy }} imagePullPolicy: {{ .Values.kubecostModel.imagePullPolicy }} {{- else }} imagePullPolicy: Always - {{- end }} - {{- if .Values.kubecostModel.containerSecurityContext }} - {{- toYaml .Values.kubecostModel.containerSecurityContext | nindent 10 }} {{- end }} ports: - name: tcp-model @@ -904,7 +911,13 @@ spec: {{ toYaml .Values.kubecostFrontend.extraEnv | nindent 12 }} {{- end }} name: cost-analyzer-frontend + {{- if .Values.kubecostFrontend.containerSecurityContext }} + securityContext: + {{- toYaml .Values.kubecostFrontend.containerSecurityContext | nindent 12 }} + {{ end }} volumeMounts: + - name: tmp + mountPath: /tmp - name: nginx-conf mountPath: /etc/nginx/conf.d/ {{- if .Values.kubecostFrontend.tls }} @@ -919,9 +932,6 @@ spec: imagePullPolicy: {{ .Values.kubecostFrontend.imagePullPolicy }} {{- else }} imagePullPolicy: Always - {{- end }} - {{- if .Values.kubecostModel.containerSecurityContext }} - {{- toYaml .Values.kubecostFrontend.containerSecurityContext | nindent 10 }} {{- end }} readinessProbe: httpGet: @@ -955,4 +965,4 @@ spec: affinity: {{- toYaml . | nindent 8 }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/cost-analyzer/templates/cost-analyzer-network-costs-template.yaml b/cost-analyzer/templates/cost-analyzer-network-costs-template.yaml index c2c5475..b5d5423 100644 
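Review bot: The init container's `securityContext` changes from `{}` to a hard-coded `runAsUser: 0`, the only root requirement in this chart that is not driven by values, and OpenShift's restricted SCCs enforce a UID range, so this pod is likely to be rejected by admission unless the service account is bound to anyuid — meaning the "restricted" profile cannot produce an accepted pod whenever this container is active. The enclosing `initContainers` entry and the condition that gates it start above the hunk, so I cannot see what enables it; if it is the NFS permissions fix, a pod-level `fsGroup` (or the fsGroup an SCC assigns) usually makes a root chown unnecessary. At minimum make it values-driven, `{{- with .Values.kubecostDeployment.initContainerSecurityContext }}` / `securityContext:` / `{{- toYaml . | nindent 12 }}`, and document the root requirement next to the setting that enables the init container.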
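Review bot: The model container's new block ends its `toYaml` action with `-}}` and closes with an undashed `{{ end }}`, while the frontend block later in this diff uses `}}` followed by `{{ end }}`; the latter leaves a whitespace-only line in the rendered manifest, and the mixed trimming suggests only one of the two was inspected with `helm template`. The rest of the file uses `{{- end }}`, so use `{{- toYaml .Values.kubecostModel.containerSecurityContext | nindent 12 }}` with `{{- end }}` in both places.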
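Review bot: The frontend now mounts an `emptyDir` at `/tmp` so it can run with the `readOnlyRootFilesystem: true` that the restricted profile in this diff sets, but that profile sets the same flag on the model container and this diff adds no writable scratch volume for it. Whether cost-model writes anywhere outside `/var/configs` and `/var/db` is not visible here; it should be verified under the restricted profile and, if it does, given the same `tmp` mount. For nginx, `/tmp` alone only suffices if the image's configuration points its pid file and cache directories there — confirm against the frontend image's nginx.conf rather than assuming.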
--- a/cost-analyzer/templates/cost-analyzer-network-costs-template.yaml +++ b/cost-analyzer/templates/cost-analyzer-network-costs-template.yaml @@ -31,12 +31,17 @@ spec: {{ toYaml .Values.imagePullSecrets | indent 2 }} {{- end }} hostNetwork: true + {{- if .Values.kubecostNetworkCosts.podSecurityContext }} + securityContext: + {{- toYaml .Values.kubecostNetworkCosts.podSecurityContext | nindent 8 }} + {{- end }} serviceAccountName: {{ template "cost-analyzer.serviceAccountName" . }} containers: - name: {{ template "cost-analyzer.networkCostsName" . }} image: {{ .Values.networkCosts.image }} {{- if .Values.kubecostNetworkCosts.containerSecurityContext }} - {{- toYaml .Values.kubecostNetworkCosts.containerSecurityContext | nindent 8 }} + securityContext: + {{- toYaml .Values.kubecostNetworkCosts.containerSecurityContext | nindent 10 }} {{- end }} {{- if .Values.networkCosts.extraArgs }} args: diff --git a/cost-analyzer/values-custom.yaml b/cost-analyzer/values-custom.yaml index bf41f4b..f4034c4 100644 --- a/cost-analyzer/values-custom.yaml +++ b/cost-analyzer/values-custom.yaml @@ -1,6 +1,5 @@ kubecostProductConfigs: clusterName: YOUR_CLUSTER_NAME - # projectID: "11111111" cloudIntegrationSecret: cloud-integration prometheus: server: diff --git a/cost-analyzer/values-restricted-podsecurity.yaml b/cost-analyzer/values-restricted-podsecurity.yaml index 39f01e1..db0162f 100644 --- a/cost-analyzer/values-restricted-podsecurity.yaml +++ b/cost-analyzer/values-restricted-podsecurity.yaml 
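Review bot: `hostNetwork: true` stays hard-coded while the pod and container `securityContext` become entirely values-driven, and the restricted profile shipped in this diff supplies `{}` for both — so in the hardened configuration this DaemonSet runs in the node's network namespace with no `allowPrivilegeEscalation: false`, no dropped capabilities and no seccomp profile. A comment on the line above the new `if` would make the constraint visible to operators: `# runs in the host network namespace; on OpenShift the service account needs an SCC allowing hostNetwork, and the restricted values should still drop capabilities`. The container-level block is now correctly emitted under a `securityContext:` key, so the values files must supply a flat map here; a stale nested `securityContext:` value would render an invalid field.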
@@ -1,39 +1,35 @@ +kubecostDeployment: + podSecurityContext: {} kubecostModel: containerSecurityContext: - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL kubecostFrontend: containerSecurityContext: - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL kubecostNetworkCosts: - containerSecurityContext: - securityContext: - privileged: true - capabilities: - drop: - - ALL - # allowPrivilegeEscalation: false - # runAsNonRoot: true - seccompProfile: - type: RuntimeDefault + securityContext: {} + containerSecurityContext: {} + prometheus: server: containerSecurityContext: securityContext: allowPrivilegeEscalation: false + readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault @@ -44,6 +40,7 @@ prometheus: containerSecurityContext: securityContext: allowPrivilegeEscalation: false + readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault @@ -54,6 +51,7 @@ prometheus: containerSecurityContext: securityContext: allowPrivilegeEscalation: false + readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault @@ -65,6 +63,7 @@ grafana: containerSecurityContext: securityContext: allowPrivilegeEscalation: false + readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault @@ -75,6 +74,7 @@ grafana: containerSecurityContext: securityContext: allowPrivilegeEscalation: false + readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault 
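Review bot: `kubecostNetworkCosts.securityContext: {}` is a key the network-costs template never reads — it looks up `kubecostNetworkCosts.podSecurityContext`, which is the name the unrestricted profile in this diff uses — so rename it to `podSecurityContext: {}` to keep the two profiles parallel. More importantly, the "restricted" profile now leaves network-costs with an empty container `securityContext`, dropping the previous `capabilities: drop: [ALL]` and `seccompProfile` together with the contradictory `privileged: true`; a restricted profile should keep `allowPrivilegeEscalation: false`, `seccompProfile: {type: RuntimeDefault}` and `capabilities: {drop: [ALL]}` and add back only the capabilities the agent actually needs, which this diff does not establish. Note too that `kubecostDeployment.podSecurityContext: {}` means no pod-level `runAsNonRoot`; setting it would currently break the init container this diff pins to `runAsUser: 0`, so that interaction should be resolved before tightening it.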
@@ -85,6 +85,7 @@ grafana: containerSecurityContext: securityContext: allowPrivilegeEscalation: false + readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault @@ -96,6 +97,7 @@ thanos: containerSecurityContext: securityContext: allowPrivilegeEscalation: false + readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault @@ -106,6 +108,7 @@ thanos: containerSecurityContext: securityContext: allowPrivilegeEscalation: false + readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault @@ -116,6 +119,7 @@ thanos: containerSecurityContext: securityContext: allowPrivilegeEscalation: false + readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault @@ -126,6 +130,7 @@ thanos: containerSecurityContext: securityContext: allowPrivilegeEscalation: false + readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault diff --git a/cost-analyzer/values-unrestricted-podsecurity.yaml b/cost-analyzer/values-unrestricted-podsecurity.yaml index 8f21f13..552a0e0 100644 --- a/cost-analyzer/values-unrestricted-podsecurity.yaml +++ b/cost-analyzer/values-unrestricted-podsecurity.yaml @@ -1,12 +1,12 @@ +kubecostDeployment: + podSecurityContext: {} kubecostModel: - containerSecurityContext: - securityContext: {} + containerSecurityContext: {} kubecostFrontend: - containerSecurityContext: - securityContext: {} + containerSecurityContext: {} kubecostNetworkCosts: - containerSecurityContext: - securityContext: {} + podSecurityContext: {} + containerSecurityContext: {} prometheus: server: containerSecurityContext: diff --git a/index.yaml b/index.yaml index 73f7f21..220e1cc 100644 --- a/index.yaml +++ b/index.yaml @@ -26,6 +26,6 @@ entries: digest: b4fc6cdeb1d06325c1a183bfbbfa54020f87167fec8a584c30328ebcf3d35fa8 name: cost-analyzer urls: - - kubecost-1.98.0-rc4.1.tgz + - kubecost-1.98.0-rc4.2.tgz version: 1.98.0 generated: "2022-11-10T12:51:09.397504141Z" 
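Review bot: The index entry's `urls` now points at `kubecost-1.98.0-rc4.2.tgz`, but the `digest` line (`b4fc6cde…`) and the `generated` timestamp are unchanged while the archive itself is replaced in this diff, so the index advertises a checksum that will not match the new package and any client that verifies digests will reject it. Regenerate the index with `helm repo index . --url <repo-url>` rather than hand-editing it. The chart `version: 1.98.0` is also shared by rc4.1 and rc4.2, so clients that cache by version may keep serving the old archive; give each release candidate its own SemVer pre-release version in Chart.yaml so the two artifacts are distinguishable.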
diff --git a/kubecost-1.98.0-rc4.1.tgz b/kubecost-1.98.0-rc4.1.tgz deleted file mode 100644 index a77a137..0000000 Binary files a/kubecost-1.98.0-rc4.1.tgz and /dev/null differ diff --git a/kubecost-1.98.0-rc4.2.tgz b/kubecost-1.98.0-rc4.2.tgz new file mode 100644 index 0000000..1e27550 Binary files /dev/null and b/kubecost-1.98.0-rc4.2.tgz differ