Create a SecurityContextConstraint object for Beyla on OpenShift (#901)

Signed-off-by: Pete Wall <pete.wall@grafana.com>

charts/feature-auto-instrumentation/README.md

@@ -69,5 +69,6 @@ Actual integration testing in a live environment should be done in the main [k8s
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | global.maxCacheSize | int | `100000` | Sets the max_cache_size for every prometheus.relabel component. ([docs](https://grafana.com/docs/alloy/latest/reference/components/prometheus.relabel/#arguments)) This should be at least 2x-5x your largest scrape target or samples appended rate. |
+| global.platform | string | `""` | The specific platform for this cluster. Will enable compatibility for some platforms. Supported options: (empty) or "openshift". |
 | global.scrapeInterval | string | `"60s"` | How frequently to scrape metrics. |
 <!-- markdownlint-enable no-space-in-emphasis -->

charts/feature-auto-instrumentation/templates/platform_specific/openshift/beyla-scc.yaml

@@ -0,0 +1,66 @@
+{{- if eq .Values.global.platform "openshift" }}
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: {{ include "beyla.fullname" .Subcharts.beyla }}
+allowHostDirVolumePlugin: true
+allowHostIPC: false
+allowHostNetwork: true
+allowHostPID: true
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities: []
+defaultAddCapabilities: null
+defaultAllowPrivilegeEscalation: false
+forbiddenSysctls:
+  - '*'
+fsGroup:
+  type: RunAsAny
+groups: []
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities: null
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+seccompProfiles:
+  - runtime/default
+supplementalGroups:
+  type: RunAsAny
+users:
+  - system:serviceaccount:{{ .Release.Namespace }}:{{ include "beyla.fullname" .Subcharts.beyla }}
+volumes:
+  - configMap
+  - hostPath
+  - projected
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "beyla.fullname" .Subcharts.beyla }}-scc
+rules:
+  - verbs:
+      - use
+    apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - {{ include "beyla.fullname" .Subcharts.beyla }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "beyla.fullname" .Subcharts.beyla }}-scc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "beyla.fullname" .Subcharts.beyla }}-scc
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "beyla.fullname" .Subcharts.beyla }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}

charts/feature-auto-instrumentation/values.schema.json

@@ -92,6 +92,9 @@
                 "maxCacheSize": {
                     "type": "integer"
                 },
+                "platform": {
+                    "type": "string"
+                },
                 "scrapeInterval": {
                     "type": "string"
                 }

charts/feature-auto-instrumentation/values.yaml

@@ -8,6 +8,10 @@ nameOverride: ""
 fullnameOverride: ""
 
 global:
+  # -- The specific platform for this cluster. Will enable compatibility for some platforms. Supported options: (empty) or "openshift".
+  # @section -- Global Settings
+  platform: ""
+
   # -- How frequently to scrape metrics.
   # @section -- Global Settings
   scrapeInterval: 60s

charts/k8s-monitoring-v1/templates/platform_specific/openshift/beyla-scc.yaml

@@ -0,0 +1,66 @@
+{{- if and (eq .Values.cluster.platform "openshift") .Values.beyla.enabled }}
+---
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: {{ include "beyla.fullname" .Subcharts.beyla }}
+allowHostDirVolumePlugin: true
+allowHostIPC: false
+allowHostNetwork: true
+allowHostPID: true
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities: []
+defaultAddCapabilities: null
+defaultAllowPrivilegeEscalation: false
+forbiddenSysctls:
+  - '*'
+fsGroup:
+  type: RunAsAny
+groups: []
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities: null
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+seccompProfiles:
+  - runtime/default
+supplementalGroups:
+  type: RunAsAny
+users:
+  - system:serviceaccount:{{ .Release.Namespace }}:{{ include "beyla.fullname" .Subcharts.beyla }}
+volumes:
+  - configMap
+  - hostPath
+  - projected
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "beyla.fullname" .Subcharts.beyla }}-scc
+rules:
+  - verbs:
+      - use
+    apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - {{ include "beyla.fullname" .Subcharts.beyla }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "beyla.fullname" .Subcharts.beyla }}-scc
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "beyla.fullname" .Subcharts.beyla }}-scc
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "beyla.fullname" .Subcharts.beyla }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}

charts/k8s-monitoring/Chart.lock

@@ -42,4 +42,4 @@ dependencies:
   repository: https://grafana.github.io/helm-charts
   version: 0.10.0
 digest: sha256:c42e09be38582ced6f973de7fd7d2f5d96c1e926e187936e0ee1d7ae295c9e0f
-generated: "2024-11-14T09:46:56.25405-07:00"
+generated: "2024-11-15T21:44:43.795407-07:00"