chore: mirror k8s-monitoring-2.0.12

upstream_repo:

charts/k8s-monitoring/templates/platform_specific/openshift/alloy-logs-scc.yaml

@@ -0,0 +1,84 @@
+{{- if and (index .Values "alloy-logs").enabled (eq .Values.global.platform "openshift") }}
+{{- $usesHostPathVolumes := (index .Values "alloy-logs").alloy.mounts.varlog }}
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-logs") }}
+allowHostDirVolumePlugin: {{ $usesHostPathVolumes }}
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+- CHOWN
+- DAC_OVERRIDE
+- FOWNER
+- FSETID
+- KILL
+- SETGID
+- SETUID
+- SETPCAP
+- NET_BIND_SERVICE
+- NET_RAW
+- SYS_CHROOT
+- MKNOD
+- AUDIT_WRITE
+- SETFCAP
+defaultAddCapabilities: null
+defaultAllowPrivilegeEscalation: false
+forbiddenSysctls:
+- '*'
+fsGroup:
+  type: RunAsAny
+groups: []
+priority: null
+readOnlyRootFilesystem: false  # Set because Grafana Alloy needs to write to /tmp/alloy
+requiredDropCapabilities: null
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+seccompProfiles:
+  - runtime/default
+supplementalGroups:
+  type: RunAsAny
+users: []
+volumes:
+{{- if $usesHostPathVolumes }}
+- hostPath
+{{- end }}
+- configMap
+- emptyDir
+- projected
+- secret
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-logs") }}-scc
+rules:
+- verbs:
+    - use
+  apiGroups:
+    - security.openshift.io
+  resources:
+    - securitycontextconstraints
+  resourceNames:
+    - {{ include "alloy.fullname" (index .Subcharts "alloy-logs") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-logs") }}-scc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-logs") }}-scc
+subjects:
+- kind: ServiceAccount
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-logs") }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/k8s-monitoring/templates/platform_specific/openshift/alloy-metrics-scc.yaml

@@ -0,0 +1,80 @@
+{{- if and (index .Values "alloy-metrics").enabled (eq .Values.global.platform "openshift") }}
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-metrics") }}
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+- CHOWN
+- DAC_OVERRIDE
+- FOWNER
+- FSETID
+- KILL
+- SETGID
+- SETUID
+- SETPCAP
+- NET_BIND_SERVICE
+- NET_RAW
+- SYS_CHROOT
+- MKNOD
+- AUDIT_WRITE
+- SETFCAP
+defaultAddCapabilities: null
+defaultAllowPrivilegeEscalation: false
+forbiddenSysctls:
+- '*'
+fsGroup:
+  type: RunAsAny
+groups: []
+priority: null
+readOnlyRootFilesystem: false  # Set because Grafana Alloy needs to write to /tmp/alloy
+requiredDropCapabilities: null
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+seccompProfiles:
+  - runtime/default
+supplementalGroups:
+  type: RunAsAny
+users: []
+volumes:
+- configMap
+- emptyDir
+- projected
+- secret
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-metrics") }}-scc
+rules:
+- verbs:
+    - use
+  apiGroups:
+    - security.openshift.io
+  resources:
+    - securitycontextconstraints
+  resourceNames:
+    - {{ include "alloy.fullname" (index .Subcharts "alloy-metrics") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-metrics") }}-scc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-metrics") }}-scc
+subjects:
+- kind: ServiceAccount
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-metrics") }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/k8s-monitoring/templates/platform_specific/openshift/alloy-profiles-scc.yaml

@@ -0,0 +1,80 @@
+{{- if and (index .Values "alloy-profiles").enabled (eq .Values.global.platform "openshift") }}
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-profiles") }}
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: true
+allowedCapabilities:
+- CHOWN
+- DAC_OVERRIDE
+- FOWNER
+- FSETID
+- KILL
+- SETGID
+- SETUID
+- SETPCAP
+- NET_BIND_SERVICE
+- NET_RAW
+- SYS_CHROOT
+- MKNOD
+- AUDIT_WRITE
+- SETFCAP
+defaultAddCapabilities: null
+defaultAllowPrivilegeEscalation: false
+forbiddenSysctls:
+- '*'
+fsGroup:
+  type: RunAsAny
+groups: []
+priority: null
+readOnlyRootFilesystem: false  # Set because Grafana Alloy needs to write to /tmp/alloy
+requiredDropCapabilities: null
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+seccompProfiles:
+  - runtime/default
+supplementalGroups:
+  type: RunAsAny
+users: []
+volumes:
+- configMap
+- emptyDir
+- projected
+- secret
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-profiles") }}-scc
+rules:
+- verbs:
+    - use
+  apiGroups:
+    - security.openshift.io
+  resources:
+    - securitycontextconstraints
+  resourceNames:
+    - {{ include "alloy.fullname" (index .Subcharts "alloy-profiles") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-profiles") }}-scc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-profiles") }}-scc
+subjects:
+- kind: ServiceAccount
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-profiles") }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/k8s-monitoring/templates/platform_specific/openshift/alloy-receiver-scc.yaml

@@ -0,0 +1,80 @@
+{{- if and (index .Values "alloy-receiver").enabled (eq .Values.global.platform "openshift") }}
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-receiver") }}
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+- CHOWN
+- DAC_OVERRIDE
+- FOWNER
+- FSETID
+- KILL
+- SETGID
+- SETUID
+- SETPCAP
+- NET_BIND_SERVICE
+- NET_RAW
+- SYS_CHROOT
+- MKNOD
+- AUDIT_WRITE
+- SETFCAP
+defaultAddCapabilities: null
+defaultAllowPrivilegeEscalation: false
+forbiddenSysctls:
+- '*'
+fsGroup:
+  type: RunAsAny
+groups: []
+priority: null
+readOnlyRootFilesystem: false  # Set because Grafana Alloy needs to write to /tmp/alloy
+requiredDropCapabilities: null
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+seccompProfiles:
+  - runtime/default
+supplementalGroups:
+  type: RunAsAny
+users: []
+volumes:
+- configMap
+- emptyDir
+- projected
+- secret
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-receiver") }}-scc
+rules:
+- verbs:
+    - use
+  apiGroups:
+    - security.openshift.io
+  resources:
+    - securitycontextconstraints
+  resourceNames:
+    - {{ include "alloy.fullname" (index .Subcharts "alloy-receiver") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-receiver") }}-scc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-receiver") }}-scc
+subjects:
+- kind: ServiceAccount
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-receiver") }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/k8s-monitoring/templates/platform_specific/openshift/alloy-singleton-scc.yaml

@@ -0,0 +1,80 @@
+{{- if and (index .Values "alloy-singleton").enabled (eq .Values.global.platform "openshift") }}
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-singleton") }}
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+- CHOWN
+- DAC_OVERRIDE
+- FOWNER
+- FSETID
+- KILL
+- SETGID
+- SETUID
+- SETPCAP
+- NET_BIND_SERVICE
+- NET_RAW
+- SYS_CHROOT
+- MKNOD
+- AUDIT_WRITE
+- SETFCAP
+defaultAddCapabilities: null
+defaultAllowPrivilegeEscalation: false
+forbiddenSysctls:
+- '*'
+fsGroup:
+  type: RunAsAny
+groups: []
+priority: null
+readOnlyRootFilesystem: false  # Set because Grafana Alloy needs to write to /tmp/alloy
+requiredDropCapabilities: null
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+seccompProfiles:
+  - runtime/default
+supplementalGroups:
+  type: RunAsAny
+users: []
+volumes:
+- configMap
+- emptyDir
+- projected
+- secret
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-singleton") }}-scc
+rules:
+- verbs:
+    - use
+  apiGroups:
+    - security.openshift.io
+  resources:
+    - securitycontextconstraints
+  resourceNames:
+    - {{ include "alloy.fullname" (index .Subcharts "alloy-singleton") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-singleton") }}-scc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-singleton") }}-scc
+subjects:
+- kind: ServiceAccount
+  name: {{ include "alloy.fullname" (index .Subcharts "alloy-singleton") }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}