From 8f74c54004604fde9a4f3baa5172860f027d7fc8 Mon Sep 17 00:00:00 2001
From: TrueCharts-Bot
Date: Sat, 26 Feb 2022 00:42:56 +0000
Subject: [PATCH] Commit released Helm Chart and docs for TrueCharts
Signed-off-by: TrueCharts-Bot
---
 charts/core/prometheus/CHANGELOG.md | 9 +++++++++
 charts/core/prometheus/helm-values.md | 3 ++-
 charts/core/prometheus/security.md | 1 +
 docs/apps/core/prometheus/CHANGELOG.md | 9 +++++++++
 docs/apps/core/prometheus/helm-values.md | 3 ++-
 docs/apps/core/prometheus/security.md | 1 +
 docs/index.yaml | 10 +++++-----
 7 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/charts/core/prometheus/CHANGELOG.md b/charts/core/prometheus/CHANGELOG.md
index 531279069e5..f137153e8cb 100644
--- a/charts/core/prometheus/CHANGELOG.md
+++ b/charts/core/prometheus/CHANGELOG.md
@@ -1,6 +1,15 @@
 # Changelog
+
+### [prometheus-1.1.69](https://github.com/truecharts/apps/compare/prometheus-1.1.68...prometheus-1.1.69) (2022-02-26)
+
+#### Fix
+
+* enable hostNetworking and change port ([#1969](https://github.com/truecharts/apps/issues/1969))
+
+
+
 ### [prometheus-1.1.68](https://github.com/truecharts/apps/compare/prometheus-1.1.67...prometheus-1.1.68) (2022-02-26)
diff --git a/charts/core/prometheus/helm-values.md b/charts/core/prometheus/helm-values.md
index 62d19cd2ab4..39b3b390f5c 100644
--- a/charts/core/prometheus/helm-values.md
+++ b/charts/core/prometheus/helm-values.md
@@ -151,8 +151,9 @@ You will, however, be able to use all values referenced in the common chart here
 | kubelet.serviceMonitor.relabelings | list | `[]` | |
 | node-exporter.extraArgs."collector.filesystem.ignored-fs-types" | string | `"^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$"` | |
 | node-exporter.extraArgs."collector.filesystem.ignored-mount-points" | string | `"^/(dev|proc|sys|var/lib/docker/.+)($|/)"` | |
-| node-exporter.hostNetwork | bool | `false` | |
 | node-exporter.service.labels.jobLabel | string | `"node-exporter"` | |
+| node-exporter.service.port | int | `9910` | |
+| node-exporter.service.targetPort | int | `9910` | |
 | node-exporter.serviceMonitor.enabled | bool | `true` | |
 | node-exporter.serviceMonitor.jobLabel | string | `"jobLabel"` | |
 | operator.configReloaderResources | object | `{}` | |
diff --git a/charts/core/prometheus/security.md b/charts/core/prometheus/security.md
index b80e91b608f..9635c4d37ee 100644
--- a/charts/core/prometheus/security.md
+++ b/charts/core/prometheus/security.md
@@ -52,6 +52,7 @@ hide:
 |:----------------|:------------------:|:-----------:|:------------------:|-----------------------------------------|-----------------------------------------|
 | Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM |
Expand... A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.


Container 'node-exporter' of DaemonSet 'RELEASE-NAME-node-exporter' should set 'securityContext.allowPrivilegeEscalation' to false
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv001
|
 | Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW |
Expand... The container should drop all default capabilities and add only those that are needed for its execution.


Container 'node-exporter' of DaemonSet 'RELEASE-NAME-node-exporter' should add 'ALL' to 'securityContext.capabilities.drop'
|
Expand...https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
|
+| Kubernetes Security Check | KSV009 | Access to host network | HIGH |
Expand... Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.


DaemonSet 'RELEASE-NAME-node-exporter' should not set 'spec.template.spec.hostNetwork' to true
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/appshield/ksv009
|
 | Kubernetes Security Check | KSV010 | Access to host PID | HIGH |
Expand... Sharing the host’s PID namespace allows visibility on host processes, potentially leaking information such as environment variables and configuration.


DaemonSet 'RELEASE-NAME-node-exporter' should not set 'spec.template.spec.hostPID' to true
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/appshield/ksv010
|
 | Kubernetes Security Check | KSV011 | CPU not limited | LOW |
Expand... Enforcing CPU limits prevents DoS via resource exhaustion.


Container 'node-exporter' of DaemonSet 'RELEASE-NAME-node-exporter' should set 'resources.limits.cpu'
|
Expand...https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits
https://avd.aquasec.com/appshield/ksv011
|
 | Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW |
Expand... An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.


Container 'node-exporter' of DaemonSet 'RELEASE-NAME-node-exporter' should set 'securityContext.readOnlyRootFilesystem' to true
|
Expand...https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
|
diff --git a/docs/apps/core/prometheus/CHANGELOG.md b/docs/apps/core/prometheus/CHANGELOG.md
index 531279069e5..f137153e8cb 100644
--- a/docs/apps/core/prometheus/CHANGELOG.md
+++ b/docs/apps/core/prometheus/CHANGELOG.md
@@ -1,6 +1,15 @@
 # Changelog
+
+### [prometheus-1.1.69](https://github.com/truecharts/apps/compare/prometheus-1.1.68...prometheus-1.1.69) (2022-02-26)
+
+#### Fix
+
+* enable hostNetworking and change port ([#1969](https://github.com/truecharts/apps/issues/1969))
+
+
+
 ### [prometheus-1.1.68](https://github.com/truecharts/apps/compare/prometheus-1.1.67...prometheus-1.1.68) (2022-02-26)
diff --git a/docs/apps/core/prometheus/helm-values.md b/docs/apps/core/prometheus/helm-values.md
index 62d19cd2ab4..39b3b390f5c 100644
--- a/docs/apps/core/prometheus/helm-values.md
+++ b/docs/apps/core/prometheus/helm-values.md
@@ -151,8 +151,9 @@ You will, however, be able to use all values referenced in the common chart here
 | kubelet.serviceMonitor.relabelings | list | `[]` | |
 | node-exporter.extraArgs."collector.filesystem.ignored-fs-types" | string | `"^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$"` | |
 | node-exporter.extraArgs."collector.filesystem.ignored-mount-points" | string | `"^/(dev|proc|sys|var/lib/docker/.+)($|/)"` | |
-| node-exporter.hostNetwork | bool | `false` | |
 | node-exporter.service.labels.jobLabel | string | `"node-exporter"` | |
+| node-exporter.service.port | int | `9910` | |
+| node-exporter.service.targetPort | int | `9910` | |
 | node-exporter.serviceMonitor.enabled | bool | `true` | |
 | node-exporter.serviceMonitor.jobLabel | string | `"jobLabel"` | |
 | operator.configReloaderResources | object | `{}` | |
diff --git a/docs/apps/core/prometheus/security.md b/docs/apps/core/prometheus/security.md
index b80e91b608f..9635c4d37ee 100644
--- a/docs/apps/core/prometheus/security.md
+++ b/docs/apps/core/prometheus/security.md
@@ -52,6 +52,7 @@ hide:
 |:----------------|:------------------:|:-----------:|:------------------:|-----------------------------------------|-----------------------------------------|
 | Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM |
Expand... A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.


Container 'node-exporter' of DaemonSet 'RELEASE-NAME-node-exporter' should set 'securityContext.allowPrivilegeEscalation' to false
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv001
|
 | Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW |
Expand... The container should drop all default capabilities and add only those that are needed for its execution.


Container 'node-exporter' of DaemonSet 'RELEASE-NAME-node-exporter' should add 'ALL' to 'securityContext.capabilities.drop'
|
Expand...https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
|
+| Kubernetes Security Check | KSV009 | Access to host network | HIGH |
Expand... Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.


DaemonSet 'RELEASE-NAME-node-exporter' should not set 'spec.template.spec.hostNetwork' to true
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/appshield/ksv009
|
 | Kubernetes Security Check | KSV010 | Access to host PID | HIGH |
Expand... Sharing the host’s PID namespace allows visibility on host processes, potentially leaking information such as environment variables and configuration.


DaemonSet 'RELEASE-NAME-node-exporter' should not set 'spec.template.spec.hostPID' to true
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/appshield/ksv010
|
 | Kubernetes Security Check | KSV011 | CPU not limited | LOW |
Expand... Enforcing CPU limits prevents DoS via resource exhaustion.


Container 'node-exporter' of DaemonSet 'RELEASE-NAME-node-exporter' should set 'resources.limits.cpu'
|
Expand...https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits
https://avd.aquasec.com/appshield/ksv011
|
 | Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW |
Expand... An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.


Container 'node-exporter' of DaemonSet 'RELEASE-NAME-node-exporter' should set 'securityContext.readOnlyRootFilesystem' to true
|
Expand...https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
|
diff --git a/docs/index.yaml b/docs/index.yaml
index a7d783742c6..f4d0750ce35 100644
--- a/docs/index.yaml
+++ b/docs/index.yaml
@@ -45120,7 +45120,7 @@ entries: truecharts.org/grade: U apiVersion: v2 appVersion: 0.54.0 - created: "2022-02-26T00:14:06.44075251Z" + created: "2022-02-26T00:42:55.317511796Z" dependencies: - name: common repository: https://truecharts.org
@@ -45137,7 +45137,7 @@ entries: and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator. - digest: 2d3e5de32eb07886f5193633756237510826503c24ff61f4bc2d3e1c9c750e48 + digest: 1eac1079054a25eb774a508f40662bf74d676a704361f5e86c28571eca34dea8 home: https://github.com/truecharts/apps/tree/master/charts/stable/prometheus icon: https://truecharts.org/_static/img/appicons/prometheus-icon.png keywords:
@@ -45153,8 +45153,8 @@ entries: - https://github.com/prometheus-operator/kube-prometheus type: application urls: - - https://github.com/truecharts/apps/releases/download/prometheus-1.1.68/prometheus-1.1.68.tgz - version: 1.1.68 + - https://github.com/truecharts/apps/releases/download/prometheus-1.1.69/prometheus-1.1.69.tgz + version: 1.1.69 - annotations: truecharts.org/SCALE-support: "true" truecharts.org/catagories: |
@@ -64790,4 +64790,4 @@ entries: urls: - https://github.com/truecharts/apps/releases/download/zwavejs2mqtt-9.0.24/zwavejs2mqtt-9.0.24.tgz version: 9.0.24 -generated: "2022-02-26T00:14:06.448022426Z" +generated: "2022-02-26T00:42:55.325350335Z"