This repository has been archived by the owner on Feb 22, 2022. It is now read-only.

[stable/elastalert] Add ServiceAccount and PodSecurityPolicy to Elastalert (#21850)

* Add ServiceAccount and PodSecurityPolicy to Elastalert

Signed-off-by: Etienne Tremel <[email protected]>

* Use podSecurityPolicy.create

Signed-off-by: Etienne Tremel <[email protected]>
etiennetremel authored Apr 10, 2020
1 parent 2ab568e commit 25f7b33
Showing 9 changed files with 157 additions and 35 deletions.
2 changes: 1 addition & 1 deletion stable/elastalert/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
description: ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch.
name: elastalert
version: 1.2.4
version: 1.3.0
appVersion: 0.2.1
home: https://github.com/Yelp/elastalert
icon: https://static-www.elastic.co/assets/blteb1c97719574938d/logo-elastic-elasticsearch-lt.svg
70 changes: 37 additions & 33 deletions stable/elastalert/README.md
@@ -49,36 +49,40 @@ The command removes all the Kubernetes components associated with the chart and

## Configuration

| Parameter | Description | Default |
|-----------------------------------|--------------------------------------------------------------------------------------------|---------------------------------|
| `image.repository` | docker image | jertel/elastalert-docker |
| `image.tag` | docker image tag | 0.2.1 |
| `image.pullPolicy` | image pull policy | IfNotPresent |
| `podAnnotations` | Annotations to be added to pods | {} |
| `command` | command override for container | `NULL` |
| `args` | args override for container | `NULL` |
| `replicaCount` | number of replicas to run | 1 |
| `elasticsearch.host` | elasticsearch endpoint to use | elasticsearch |
| `elasticsearch.port` | elasticsearch port to use | 80 |
| `elasticsearch.useSsl` | whether or not to connect to es_host using SSL | False |
| `elasticsearch.username` | Username for ES with basic auth | `NULL` |
| `elasticsearch.password` | Password for ES with basic auth | `NULL` |
| `elasticsearch.verifyCerts` | whether or not to verify TLS certificates | True |
| `elasticsearch.clientCert` | path to a PEM certificate to use as the client certificate | /certs/client.pem |
| `elasticsearch.clientKey` | path to a private key file to use as the client key | /certs/client-key.pem |
| `elasticsearch.caCerts` | path to a CA cert bundle to use to verify SSL connections | /certs/ca.pem |
| `elasticsearch.certsVolumes` | certs volumes, required to mount ssl certificates when elasticsearch has tls enabled | `NULL` |
| `elasticsearch.certsVolumeMounts` | mount certs volumes, required to mount ssl certificates when elasticsearch has tls enabled | `NULL` |
| `extraConfigOptions` | Additional options to propagate to all rules, cannot be `alert`, `type`, `name` or `index` | `{}` |
| `optEnv` | Additional pod environment variable definitions | [] |
| `extraVolumes` | Additional volume definitions | [] |
| `extraVolumeMounts` | Additional volumeMount definitions | [] |
| `resources` | Container resource requests and limits | {} |
| `rules` | Rule and alert configuration for Elastalert | {} example shown in values.yaml |
| `runIntervalMins` | Default interval between alert checks, in minutes | 1 |
| `realertIntervalMins` | Time between alarms for same rule, in minutes | `NULL` |
| `alertRetryLimitMins` | Time to retry failed alert deliveries, in minutes | 2880 (2 days) |
| `bufferTimeMins` | Default rule buffer time, in minutes | 15 |
| `writebackIndex` | Name or prefix of elastalert index(es) | elastalert_status |
| `nodeSelector` | Node selector for deployment | {} |
| `tolerations` | Tolerations for deployment | [] |
| Parameter | Description | Default |
|-----------------------------------|-------------------------------------------------------------------------------------------------------------------------------|---------------------------------|
| `image.repository` | docker image | jertel/elastalert-docker |
| `image.tag` | docker image tag | 0.2.1 |
| `image.pullPolicy` | image pull policy | IfNotPresent |
| `podAnnotations` | Annotations to be added to pods | {} |
| `command` | command override for container | `NULL` |
| `args` | args override for container | `NULL` |
| `replicaCount` | number of replicas to run | 1 |
| `elasticsearch.host` | elasticsearch endpoint to use | elasticsearch |
| `elasticsearch.port` | elasticsearch port to use | 80 |
| `elasticsearch.useSsl` | whether or not to connect to es_host using SSL | False |
| `elasticsearch.username` | Username for ES with basic auth | `NULL` |
| `elasticsearch.password` | Password for ES with basic auth | `NULL` |
| `elasticsearch.verifyCerts` | whether or not to verify TLS certificates | True |
| `elasticsearch.clientCert` | path to a PEM certificate to use as the client certificate | /certs/client.pem |
| `elasticsearch.clientKey` | path to a private key file to use as the client key | /certs/client-key.pem |
| `elasticsearch.caCerts` | path to a CA cert bundle to use to verify SSL connections | /certs/ca.pem |
| `elasticsearch.certsVolumes` | certs volumes, required to mount ssl certificates when elasticsearch has tls enabled | `NULL` |
| `elasticsearch.certsVolumeMounts` | mount certs volumes, required to mount ssl certificates when elasticsearch has tls enabled | `NULL` |
| `extraConfigOptions` | Additional options to propagate to all rules, cannot be `alert`, `type`, `name` or `index` | `{}` |
| `optEnv` | Additional pod environment variable definitions | [] |
| `extraVolumes` | Additional volume definitions | [] |
| `extraVolumeMounts` | Additional volumeMount definitions | [] |
| `serviceAccount.create` | Specifies whether a service account should be created. | `true` |
| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | |
| `serviceAccount.annotations` | ServiceAccount annotations | |
| `podSecurityPolicy.create` | Create pod security policy resources | `false` |
| `resources` | Container resource requests and limits | {} |
| `rules` | Rule and alert configuration for Elastalert | {} example shown in values.yaml |
| `runIntervalMins` | Default interval between alert checks, in minutes | 1 |
| `realertIntervalMins` | Time between alarms for same rule, in minutes | `NULL` |
| `alertRetryLimitMins` | Time to retry failed alert deliveries, in minutes | 2880 (2 days) |
| `bufferTimeMins` | Default rule buffer time, in minutes | 15 |
| `writebackIndex` | Name or prefix of elastalert index(es) | elastalert_status |
| `nodeSelector` | Node selector for deployment | {} |
| `tolerations` | Tolerations for deployment | [] |
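Review bot: the `serviceAccount.name` and `serviceAccount.annotations` rows leave the Default column empty while every other unset value in this table is written as `NULL` or `{}`; use `NULL` and `{}` respectively so the table stays consistent. The `podSecurityPolicy.create` description also understates what the flag does: besides the PodSecurityPolicy it creates a Role and a RoleBinding granting `use` on that policy to the chart's ServiceAccount, and the policy is only enforced on clusters where the PodSecurityPolicy admission plugin is enabled. A sentence saying so would stop users from assuming the pod is constrained when the admission plugin is off.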
11 changes: 11 additions & 0 deletions stable/elastalert/templates/_helpers.tpl
@@ -23,3 +23,14 @@ If release name contains chart name it will be used as a full name.
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Create the name of the service account to use
*/}}
{{- define "elastalert.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "elastalert.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
3 changes: 2 additions & 1 deletion stable/elastalert/templates/deployment.yaml
@@ -28,6 +28,7 @@ spec:
app: {{ template "elastalert.name" . }}
release: {{ .Release.Name }}
spec:
serviceAccountName: {{ include "elastalert.serviceAccountName" . }}
containers:
- name: elastalert
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -86,5 +87,5 @@ spec:
{{- end }}
{{- if .Values.extraVolumes }}
{{ toYaml .Values.extraVolumes | indent 8 }}
{{- end }}
{{- end }}
{{- end }}
39 changes: 39 additions & 0 deletions stable/elastalert/templates/podsecuritypolicy.yaml
@@ -0,0 +1,39 @@
{{- if .Values.podSecurityPolicy.create }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "elastalert.fullname" . }}
labels:
app: {{ template "elastalert.name" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
# Prevents running in privileged mode
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
volumes:
- configMap
- secret
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: MustRunAs
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}
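Review bot: `volumes` admits only `configMap` and `secret`, yet the chart exposes `extraVolumes` and `elasticsearch.certsVolumes`, which users commonly fill with `emptyDir`, `persistentVolumeClaim` or `hostPath`; with `podSecurityPolicy.create: true` such a pod is rejected at admission with no hint in the chart docs, so either make the allowed volume types configurable or call the restriction out in the README. `runAsUser: RunAsAny` also still permits UID 0 even though `allowPrivilegeEscalation: false` is set; if the `jertel/elastalert-docker` image runs as a non-root user, `MustRunAsNonRoot` is the stronger choice, and adding `requiredDropCapabilities: [ALL]` would round out the policy. Finally, `readOnlyRootFilesystem: false` leaves the container's root filesystem writable; if that is deliberate (Elastalert writing state locally), a comment explaining why, matching the style of the other comments in this spec, would help.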
20 changes: 20 additions & 0 deletions stable/elastalert/templates/role.yaml
@@ -0,0 +1,20 @@
{{- if .Values.podSecurityPolicy.create }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: {{ template "elastalert.fullname" . }}
labels:
app: {{ template "elastalert.name" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- policy
resources:
- podsecuritypolicies
resourceNames:
- {{ template "elastalert.fullname" . }}
verbs:
- use
{{- end -}}
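Review bot: `rbac.authorization.k8s.io/v1beta1` is used here and in rolebinding.yaml although `rbac.authorization.k8s.io/v1` has been stable since Kubernetes 1.8; prefer `v1` so the templates keep rendering once the beta API is removed. The rule itself is scoped the way it should be, `use` on the single policy named by `resourceNames` rather than on all `podsecuritypolicies`.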
18 changes: 18 additions & 0 deletions stable/elastalert/templates/rolebinding.yaml
@@ -0,0 +1,18 @@
{{- if .Values.podSecurityPolicy.create }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: {{ template "elastalert.fullname" . }}
labels:
app: {{ template "elastalert.name" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "elastalert.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "elastalert.serviceAccountName" . }}
{{- end -}}
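Review bot: when `serviceAccount.create` is `false` and `serviceAccount.name` is unset, `elastalert.serviceAccountName` resolves to `default`, so this binding grants `use` on the PodSecurityPolicy to the namespace's `default` ServiceAccount, which every pod in the namespace without an explicit ServiceAccount shares; the grant then reaches well beyond Elastalert. Consider rendering an error (`required`) when `podSecurityPolicy.create` is true and the resolved name is `default`, or at least documenting the interaction in values.yaml. Adding an explicit `namespace: {{ .Release.Namespace }}` to the subject is optional for a RoleBinding but makes the target unambiguous to readers.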
15 changes: 15 additions & 0 deletions stable/elastalert/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "elastalert.serviceAccountName" . }}
labels:
app: {{ template "elastalert.name" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
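Review bot: consider setting `automountServiceAccountToken: false` on this ServiceAccount (or on the pod spec in deployment.yaml). Elastalert talks to Elasticsearch, not to the Kubernetes API, so the token mounted at `/var/run/secrets/kubernetes.io/serviceaccount` serves no purpose and is only extra credential exposure if the container is compromised; now that the chart creates a dedicated ServiceAccount, this is the natural place to switch it off.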
14 changes: 14 additions & 0 deletions stable/elastalert/values.yaml
@@ -117,6 +117,20 @@ rules: {}
# pagerduty_service_key: dummy
# pagerduty_client_name: Elastalert Deadman Switch

serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name:

# Enable pod security policy
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
podSecurityPolicy:
create: false

# Support using node selectors and tolerations
# nodeSelector:
# "node-role.kubernetes.io/infra_worker": "true"
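Review bot: the `podSecurityPolicy` comment should say that enabling it also creates a Role and RoleBinding granting `use` on the policy to the chart's ServiceAccount, and that it has no effect unless the PodSecurityPolicy admission plugin is enabled on the cluster; otherwise users who set `create: true` on a cluster without the plugin will believe the pod is constrained when it is not. Also, `name:` with no value renders as null, which the helper's `default` handles, but an explicit `name: ""` reads more clearly and matches how other charts in this repository express it.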
