2544 Commits

Author SHA1 Message Date
Prometheus Operator Bot
7b602e1372 [bot] [main] Automated version update 2022-02-07 07:40:53 +00:00
Arthur Silva Sens
db61b3e18e
Merge pull request #1591 from paulfantom/automountServiceAccountToken
disable injecting unnecessary variables allowing access to k8s API
2022-02-05 18:28:33 +00:00
Paweł Krupa (paulfantom)
dd37165884 *: reduce kubescape threshold to single digit 2022-02-04 14:17:00 +01:00
Paweł Krupa
0a76dc71d0
Merge pull request #1617 from prometheus-operator/paulfantom-patch-1 2022-02-04 14:13:59 +01:00
Paweł Krupa (paulfantom)
8cb6979426 docs: add security considerations regarding automountServiceAccountToken 2022-02-04 14:10:01 +01:00
Paweł Krupa (paulfantom)
731843f4cd manifests: regenerate 2022-02-04 14:09:43 +01:00
Paweł Krupa (paulfantom)
3429bc77a4 disable injecting unnecessary variables allowing access to k8s API 2022-02-04 14:08:52 +01:00
Paweł Krupa
3436e1a92e
Merge pull request #1612 from ArthurSens/remove-hostport 2022-02-04 12:58:13 +01:00
Paweł Krupa
f51e9b14e9
Merge pull request #1616 from ArthurSens/as/kubescape 2022-02-04 12:23:03 +01:00
Paweł Krupa
57be33120d
Create dependabot.yml 2022-02-04 12:17:58 +01:00
ArthurSens
ce98a61205 Loosen Kubescape threshold
Signed-off-by: ArthurSens <arthursens2005@gmail.com>
2022-02-04 10:13:07 +00:00
ArthurSens
fb92a6dbe0 Document better why we use hostPort on node-exporter
Signed-off-by: ArthurSens <arthursens2005@gmail.com>
2022-02-03 15:47:43 +00:00
Paweł Krupa
087f479b2a
Merge pull request #1614 from arajkumar/sanitize-all-denylist-regex 2022-02-03 16:07:41 +01:00
Arunprasad Rajkumar
0eabbb5d0c
Sanitize all regex denylist in ksm-lite addon
This is a follow-up fix of https://github.com/prometheus-operator/kube-prometheus/pull/1613. @simonpasquier recommended sanitizing all denylist metrics.

Signed-off-by: Arunprasad Rajkumar <arajkuma@redhat.com>
2022-02-03 19:52:44 +05:30
Paweł Krupa
15137a39a7
Merge pull request #1613 from arajkumar/sanitize-regex-denylist 2022-02-03 14:07:45 +01:00
Arunprasad Rajkumar
f16277e8e0
Sanitize regex denylist in ksm-lite addon
The following metrics are missing from kube-state-metrics:
- kube_pod_container_status_terminated_reason
- kube_pod_init_container_status_terminated_reason
- kube_pod_status_scheduled_time

Previously, some metrics were removed from kube-state-metrics by adding the following --metric-denylist argument to the kube-state-metrics container

```
--metric-denylist=
kube_.+_created,
kube_.+_metadata_resource_version,
kube_replicaset_metadata_generation,
kube_replicaset_status_observed_generation,
kube_pod_restart_policy,
kube_pod_init_container_status_terminated,
kube_pod_init_container_status_running,
kube_pod_container_status_terminated,
kube_pod_container_status_running,
kube_pod_completion_time,
kube_pod_status_scheduled
```

--metric-denylist: Comma-separated list of metrics not to be enabled. This list comprises of exact metric names and/or regex patterns. The allowlist and denylist are mutually exclusive.

However, every entry in the list is treated as a RegEx, so "kube_pod_container_status_terminated" denies .*kube_pod_container_status_terminated.*; that's why kube_pod_init_container_status_terminated_reason is missing.

Co-authored-by: Florian Gleizes <fgleizes@redhat.com>
Signed-off-by: Arunprasad Rajkumar <arajkuma@redhat.com>
2022-02-03 17:50:22 +05:30
Arthur Silva Sens
755d27bb46
Merge pull request #1610 from ArthurSens/as/linux-hardening
Drop Linux capabilities
2022-02-02 12:56:21 +00:00
Arthur Silva Sens
21e26c808a
Merge pull request #1609 from paulfantom/fix-1602
jsonnet: filter out kube-proxy alerts when kube-proxy is disabled
2022-02-01 17:23:51 +00:00
Paweł Krupa (paulfantom)
35f0bca4da manifests: regenerate 2022-02-01 16:22:57 +01:00
Paweł Krupa (paulfantom)
86ac6f79b1 jsonnet: filter out kube-proxy alerts when kube-proxy is disabled
Signed-off-by: Paweł Krupa (paulfantom) <pawel@krupa.net.pl>
2022-02-01 16:22:48 +01:00
Arthur Silva Sens
931af3241d Drop Linux capabilities
Signed-off-by: GitHub <noreply@github.com>
2022-02-01 09:25:21 +00:00
Paweł Krupa
6bfb07aac2
Merge pull request #1608 from ArthurSens/as/fixme 2022-01-31 19:44:45 +01:00
ArthurSens
e5610b2e8d Address FIXME
Signed-off-by: ArthurSens <arthursens2005@gmail.com>
2022-01-31 17:25:00 +00:00
Arthur Silva Sens
2e5337ee8e
Merge pull request #1607 from prometheus-operator/automated-updates-main
[bot] [main] Automated version update
2022-01-31 17:09:07 +00:00
Prometheus Operator Bot
dad37c968d [bot] [main] Automated version update 2022-01-31 17:04:19 +00:00
Paweł Krupa
85de14dd8d
Merge pull request #1606 from paulfantom/revert-1598 2022-01-31 18:01:24 +01:00
Paweł Krupa (paulfantom)
a44622ed54 Revert "workflows/versions: Enable auto-merge"
This reverts commit f0d9be27b3722bb4adf9279576e472b40c97311b.
2022-01-31 17:52:19 +01:00
Arthur Silva Sens
b113c45a18
Merge pull request #1600 from ArthurSens/readOnlyRootFilesystem 2022-01-28 11:59:47 +00:00
ArthurSens
98664db925 Adjust Kubescape threshold
Signed-off-by: ArthurSens <arthursens2005@gmail.com>
2022-01-27 16:05:39 +00:00
Arthur Silva Sens
57c46a2861 components/*: Forbid write access to root filesystem
Signed-off-by: GitHub <noreply@github.com>
2022-01-27 16:03:58 +00:00
Simon Pasquier
48b2bb6a72
Merge pull request #1601 from PhilipGough/kubescape-1
docs: Update broken link
2022-01-27 16:09:38 +01:00
Paweł Krupa
b68f3f0f07
Merge pull request #1556 from arajkumar/fix-thanos-sidecar-selector 2022-01-27 13:06:59 +01:00
Philip Gough
ea7141ffe2 docs: Update broken link 2022-01-27 10:52:09 +00:00
Philip Gough
3521698843
Merge pull request #1590 from PhilipGough/kubescape-1
Document security audit exceptions for node-exporter
2022-01-27 09:59:22 +00:00
Paweł Krupa
c2d6b3e8c6
Merge pull request #1598 from ArthurSens/as/dependency-automerge 2022-01-25 17:34:29 +01:00
ArthurSens
f0d9be27b3 workflows/versions: Enable auto-merge
Signed-off-by: ArthurSens <arthursens2005@gmail.com>
2022-01-25 15:30:57 +00:00
Philip Gough
586fc87b81 make: Lower the threshold for the security scan to account for documented exceptions 2022-01-24 10:58:08 +00:00
Philip Gough
b924650344 docs: Add details about security scanning of manifests and exceptions 2022-01-24 10:58:08 +00:00
Philip Gough
02f1550261 ci: Add exceptions for node-exporter to kubescape config 2022-01-24 10:45:52 +00:00
Arthur Silva Sens
4d004393e1
Merge pull request #1593 from prometheus-operator/as/forbid-privilege-scalation
Explicitly declare allowPrivilegeEscalation to false in all components
2022-01-24 10:38:33 +00:00
Arthur Silva Sens
2d02121731 kubescape: Adjust risk threshold
Signed-off-by: GitHub <noreply@github.com>
2022-01-24 10:31:48 +00:00
Arthur Silva Sens
b60b302499 Explicitly declare allowPrivilegeEscalation to false
Although containers that do not run as privileged already have this set to false by Kubernetes,
Kubescape [asks us](https://hub.armo.cloud/docs/c-0016) to explicitly declare it to false where not needed.

Signed-off-by: Arthur Silva Sens <arthursens2005@gmail.com>
2022-01-24 10:31:43 +00:00
Arthur Silva Sens
90ad3c99fc
Merge pull request #1594 from prometheus-operator/automated-updates-main
[bot] [main] Automated version update
2022-01-24 08:31:53 +00:00
Prometheus Operator Bot
ef40bc5759 [bot] [main] Automated version update 2022-01-24 07:43:49 +00:00
Arthur Silva Sens
f7d3019a8f
Merge pull request #1584 from PhilipGough/fix-1466
Scan generated manifests with kubescape in CI
2022-01-18 11:51:29 -03:00
Philip Gough
9c9f73f6c5 ci: Add check for security scan of manifest 2022-01-17 16:08:19 +00:00
Philip Gough
e286f74647 make: Target for security scan 2022-01-17 16:08:19 +00:00
Philip Gough
b8a05f4197 scripts: Adds kubescape to tooling
https://github.com/armosec/kubescape allows us to
run a scan of the generated manifests and assess the
security risk.
2022-01-17 16:08:19 +00:00
Philip Gough
d2cae36f84
Merge pull request #1586 from PhilipGough/go-version-bump
build: Bump to build with Go 1.17
2022-01-17 16:08:00 +00:00
Philip Gough
1344092b36 build: Bump to build with Go 1.17 2022-01-17 15:18:50 +00:00