rc4

kubecost · Nov 3, 2022 · ab56b31 · ab56b31
1 parent 4c4e8a3
commit ab56b31
Show file tree

Hide file tree

Showing 19 changed files with 194 additions and 317 deletions.
diff --git a/README.md b/README.md
@@ -41,7 +41,11 @@ Update CLUSTER_NAME and other configuration in [values-openshift.yaml](values-op
 Then install against the local cost-analyzer repo using following helm install command:
 
 ```bash
-helm upgrade --install kubecost --repo https://raw.githubusercontent.com/kubecost/openshift-helm-chart/main cost-analyzer --namespace kubecost --create-namespace -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/main/values-openshift.yaml
+helm upgrade --install kubecost \
+ --repo https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4/ cost-analyzer \
+ --namespace kubecost --create-namespace \
+ -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4/cost-analyzer/values-thanos.yaml
+ -f https://raw.githubusercontent.com/kubecost/openshift-helm-chart/1.98.0-rc.4/cost-analyzer/disable-psps.yaml
 ```
 
 Wait for all pods to be ready.
@@ -55,9 +59,9 @@ Kubecost will be collecting data, please wait 5-15 minutes before the UI to refl
 #### Prerequisites:
 
 - You have created a Grafana Cloud account & You have permissions to create Grafana Cloud API keys
-- Add required service account for grafana-agent to `hostmount-anyuid` SCC:
+- Add required service account for grafana-agent to `hostmount-65532` SCC:
 
-`oc adm policy add-scc-to-user hostmount-anyuid system:serviceaccount:kubecost:grafana-agent`
+`oc adm policy add-scc-to-user hostmount-65532 system:serviceaccount:kubecost:grafana-agent`
 
 #### Installation:
 

diff --git a/archive/cost-analyzer-ocp-1.92.0.tgz b/archive/cost-analyzer-ocp-1.92.0.tgz
diff --git a/archive/cost-analyzer-ocp-1.95.0.tgz b/archive/cost-analyzer-ocp-1.95.0.tgz
diff --git a/archive/cost-analyzer-ocp-1.96.0.tgz b/archive/cost-analyzer-ocp-1.96.0.tgz
diff --git a/cost-analyzer-1.98.0-rc.4.tgz b/cost-analyzer-1.98.0-rc.4.tgz
diff --git a/cost-analyzer/charts/grafana/values.yaml b/cost-analyzer/charts/grafana/values.yaml
@@ -35,9 +35,7 @@ image:
   # pullSecrets:
   #   - myRegistrKeySecretName
 
-securityContext:
-  runAsUser: 472
-  fsGroup: 472
+securityContext: {}
 
 downloadDashboardsImage:
   repository: curlimages/curl

diff --git a/cost-analyzer/charts/prometheus/charts/kube-state-metrics/values.yaml b/cost-analyzer/charts/prometheus/charts/kube-state-metrics/values.yaml
@@ -63,10 +63,7 @@ podSecurityPolicy:
     # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
 
 
-securityContext:
-  enabled: true
-  runAsUser: 65534
-  fsGroup: 65534
+securityContext: {}
 
 ## Node labels for pod assignment
 ## Ref: https://kubernetes.io/docs/user-guide/node-selection/

diff --git a/cost-analyzer/charts/prometheus/templates/server-deployment.yaml b/cost-analyzer/charts/prometheus/templates/server-deployment.yaml
@@ -187,11 +187,7 @@ spec:
 {{ toYaml .Values.server.affinity | indent 8 }}
     {{- end }}
       terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
-      securityContext:
-        runAsUser: 1001020000
-        runAsNonRoot: true
-        runAsGroup: 1001020000
-        fsGroup: 1001020000
+      securityContext: {}
       volumes:
         {{- if .Values.selfsignedCertConfigMapName }}
         - name: {{ .Values.selfsignedCertConfigMapName }}

diff --git a/cost-analyzer/charts/prometheus/templates/server-serviceaccount.yaml b/cost-analyzer/charts/prometheus/templates/server-serviceaccount.yaml
@@ -7,6 +7,10 @@ metadata:
   labels:
     {{- include "prometheus.server.labels" . | nindent 4 }}
   name: {{ template "prometheus.serviceAccountName.server" . }}
+{{- if .Values.serviceAccount.annotations }}
+  annotations:
+{{ toYaml .Values.serviceAccount.annotations | indent 4 }}
+{{- end }}
 {{- end }}
 {{- end }}
 {{ end }}
diff --git a/cost-analyzer/charts/prometheus/values.yaml b/cost-analyzer/charts/prometheus/values.yaml
@@ -276,11 +276,7 @@ alertmanager:
 
   ## Security context to be added to alertmanager pods
   ##
-  securityContext:
-    runAsUser: 65534
-    runAsNonRoot: true
-    runAsGroup: 65534
-    fsGroup: 65534
+  securityContext: {}
 
   service:
     annotations: {}
@@ -858,11 +854,7 @@ server:
 
   ## Security context to be added to server pods
   ##
-  securityContext:
-    runAsUser: 65534
-    runAsNonRoot: true
-    runAsGroup: 65534
-    fsGroup: 65534
+  securityContext: {}
 
   service:
     annotations: {}
@@ -1018,11 +1010,7 @@ pushgateway:
 
   ## Security context to be added to push-gateway pods
   ##
-  securityContext:
-    runAsUser: 65534
-    runAsNonRoot: true
-    runAsGroup: 65534
-    fsGroup: 65534
+  securityContext: {}
 
   service:
     annotations:

diff --git a/cost-analyzer/charts/thanos/values.yaml b/cost-analyzer/charts/thanos/values.yaml
@@ -122,11 +122,7 @@ store:
       #    hosts:
       #      - chart-example.local
   # Optional securityContext
-  securityContext:
-    runAsUser: 1001020000
-    runAsNonRoot: true
-    runAsGroup: 1001020000
-    fsGroup: 1001020000
+  securityContext: {}
 
   resources: {}
   #  limits:
@@ -295,11 +291,7 @@ queryFrontend:
       labels: {}
 
   # Optional securityContext
-  securityContext:
-    runAsUser: 1001020000
-    runAsNonRoot: true
-    runAsGroup: 1001020000
-    fsGroup: 1001020000
+  securityContext: {}
 
   resources: {}
   #  limits:
@@ -462,11 +454,7 @@ query:
       labels: {}
 
   # Optional securityContext
-  securityContext:
-    runAsUser: 1001020000
-    runAsNonRoot: true
-    runAsGroup: 1001020000
-    fsGroup: 1001020000
+  securityContext: {}
 
   resources: {}
   #  limits:
@@ -593,11 +581,7 @@ compact:
   serviceAccount: ""
 
   # Optional securityContext
-  securityContext:
-    runAsUser: 1001020000
-    runAsNonRoot: true
-    runAsGroup: 1001020000
-    fsGroup: 1001020000
+  securityContext: {}
 
   resources: {}
   #  limits:
@@ -700,11 +684,7 @@ bucket:
     #  maxUnavailable: 50%
 
   # Optional securityContext
-  securityContext:
-    runAsUser: 1001020000
-    runAsNonRoot: true
-    runAsGroup: 1001020000
-    fsGroup: 1001020000
+  securityContext: {}
 
   resources: {}
   #  limits:

diff --git a/cost-analyzer/disable-psps.yaml b/cost-analyzer/disable-psps.yaml
@@ -0,0 +1,18 @@
+# Kubecost PSP
+podSecurityPolicy:
+    enabled: false
+
+# Network Costs PSP
+networkCosts:
+  podSecurityPolicy:
+    enabled: false
+
+# Prometheus PSP
+prometheus:
+  podSecurityPolicy:
+    enabled: false
+
+# Grafana PSP
+grafana:
+  rbac:
+    pspEnabled: false
diff --git a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml
@@ -50,11 +50,7 @@ spec:
 {{- end }}
 {{- end }}
     spec:
-      securityContext:
-        runAsUser: 1001020000
-        runAsNonRoot: true
-        runAsGroup: 1001020000
-        fsGroup: 1001020000
+      securityContext: {}
       restartPolicy: Always
       serviceAccountName: {{ template "cost-analyzer.serviceAccountName" . }}
       volumes:
@@ -257,11 +253,7 @@ spec:
             - name: persistent-db
               mountPath: /var/db
             {{- end }}
-          securityContext:
-            runAsUser: 1001020000
-            runAsNonRoot: true
-            runAsGroup: 1001020000
-            fsGroup: 1001020000
+          securityContext: {}
 {{ end }}
       containers:
         {{- if .Values.global.amp.enabled }}

diff --git a/cost-analyzer/values-agent.yaml b/cost-analyzer/values-agent.yaml
@@ -39,9 +39,7 @@ prometheus:
       storage.tsdb.min-block-duration: 2h
       storage.tsdb.max-block-duration: 2h
       storage.tsdb.retention: 10h
-    securityContext:
-      runAsNonRoot: true
-      runAsUser: 1001
+    securityContext: {}
     extraSecretMounts:
       - name: object-store-volume
         mountPath: /etc/thanos/config
@@ -51,9 +49,7 @@ prometheus:
     sidecarContainers:
     - name: thanos-sidecar
       image: thanosio/thanos:v0.22.0
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 1001
+      securityContext: {}
       args:
       - sidecar
       - --log.level=debug

diff --git a/cost-analyzer/values-thanos.yaml b/cost-analyzer/values-thanos.yaml
@@ -7,7 +7,7 @@ global:
 # will greatly assist in reduction memory bloat in query.
 kubecostModel:
   maxQueryConcurrency: 5
-  # This configuration is applied to thanos only. Expresses the resolution to 
+  # This configuration is applied to thanos only. Expresses the resolution to
   # use for longer query ranges. Options: raw, 5m, 1h - Default: raw
   maxSourceResolution: 5m
 
@@ -17,11 +17,7 @@ prometheus:
       storage.tsdb.min-block-duration: 2h
       storage.tsdb.max-block-duration: 2h
       storage.tsdb.retention: 2w
-    securityContext:
-      runAsUser: 1001020000
-      runAsNonRoot: true
-      runAsGroup: 1001020000
-      fsGroup: 1001020000
+    securityContext: {}
     extraVolumes:
     - name: object-store-volume
       secret:
@@ -68,7 +64,7 @@ prometheus:
         subPath: ""
       - name: object-store-volume
         mountPath: /etc/config
-    
+
 thanos:
   store:
     enabled: true
@@ -79,10 +75,10 @@ thanos:
         value: "100"
       - name: GODEBUG
         value: "madvdontneed=1"
-    resources: 
+    resources:
       requests:
         memory: "2.5Gi"
-  query: 
+  query:
     enabled: true
     timeout: 3m
     # Maximum number of queries processed concurrently by query node.
@@ -105,7 +101,7 @@ thanos:
     compressResponses: true
     # Downstream Tripper Configuration
     downstreamTripper:
-      enabled: true 
+      enabled: true
       idleConnectionTimeout: 90s
       responseHeaderTimeout: 2m
       tlsHandshakeTimeout: 10s
@@ -114,10 +110,10 @@ thanos:
       maxIdleConnectionsPerHost: 100
       maxConnectionsPerHost: 0
     # Response Cache Configuration
-    # Configure either a max size constraint or max items. 
+    # Configure either a max size constraint or max items.
     responseCache:
       enabled: true
-      # Maximum memory size of the cache in bytes. A unit suffix (KB, MB, GB) may be applied.      
+      # Maximum memory size of the cache in bytes. A unit suffix (KB, MB, GB) may be applied.
       maxSize: 1.25GB
       # Maximum number of entries in the cache.
       maxSizeItems: 0
@@ -134,7 +130,7 @@ thanos:
 
   # Thanos Sidecar Service Discovery
   # Disabling removes the prometheus sidecar from querier store discovery. This ensures
-  # that all clusters read from the same data in remote store. 
+  # that all clusters read from the same data in remote store.
   sidecar:
     enabled: true
   bucket:

diff --git a/cost-analyzer/values.yaml b/cost-analyzer/values.yaml
@@ -472,6 +472,8 @@ prometheus:
         - source_labels: [__meta_kubernetes_pod_label_app]
           action: keep
           regex:  {{ template "cost-analyzer.networkCostsName" . }}
+  serviceAccount:
+    annotations: {}
   server:
     # If clusterIDConfigmap is defined, instead use user-generated configmap with key CLUSTER_ID
     # to use as unique cluster ID in kubecost cost-analyzer deployment.
@@ -733,11 +735,7 @@ grafana:
   rbac:
     # Manage the Grafana Pod Security Policy
     pspEnabled: true
-  securityContext:
-    runAsUser: 1001020000
-    runAsNonRoot: true
-    runAsGroup: 1001020000
-    fsGroup: 1001020000
+  securityContext: {}
   datasources:
     datasources.yaml:
       apiVersion: 1