Openshift Security Context Constraints and updated ClusterRole with access to internal prometheus. (#267)

* Add OpenShift support with SecurityContextConstraints and updated ClusterRole permissions

* fix: changed roleRef

* feat: changes to clusterrolebinding and own values file for openshift

* fix: added scheme value to be able to switch between http and https

* feat: update OpenShift support with service account name change, SCC adjustments, and enhanced probe configurations

* Update charts/opencost/templates/_helpers.tpl

Co-authored-by: Ishaan Mittal <ishaanmittal123@gmail.com>
Signed-off-by: Simen Andre Vikestrand Skogum <v0nNemizez@gmail.com>

* Update charts/opencost/templates/scc.yaml

Co-authored-by: Ishaan Mittal <ishaanmittal123@gmail.com>
Signed-off-by: Simen Andre Vikestrand Skogum <v0nNemizez@gmail.com>

* fix: removing duplicate code

* fix: update SCC condition to use enableSCC value in scc.yaml, renaming file

* fix: update OpenShift SCC condition to use enableSCC value in clusterrolebinding.yaml

* fix: remove unused testvalues.yaml file

* fix: correct formatting of enableSCC value in values.yaml

* Update charts/opencost/templates/scc.yaml

Co-authored-by: Ishaan Mittal <ishaanmittal123@gmail.com>
Signed-off-by: Simen Andre Vikestrand Skogum <v0nNemizez@gmail.com>

* feat: add OpenShift specific values file for Opencost deployment

* Update charts/opencost/templates/clusterrolebinding.yaml

Co-authored-by: Ishaan Mittal <ishaanmittal123@gmail.com>
Signed-off-by: Simen Andre Vikestrand Skogum <v0nNemizez@gmail.com>

* feat: update OpenShift cluster role to enable Prometheus access

* fix: linting

* Update charts/opencost/templates/_helpers.tpl

Co-authored-by: Ishaan Mittal <ishaanmittal123@gmail.com>
Signed-off-by: Simen Andre Vikestrand Skogum <v0nNemizez@gmail.com>

* Update charts/opencost/templates/clusterrole.yaml

Co-authored-by: Ishaan Mittal <ishaanmittal123@gmail.com>
Signed-off-by: Simen Andre Vikestrand Skogum <v0nNemizez@gmail.com>

* feat: add scheme configuration for Thanos query service

* feat: add scheme configuration for in-cluster Prometheus

---------

Signed-off-by: Simen Andre Vikestrand Skogum <v0nNemizez@gmail.com>
Co-authored-by: Simen Andrè Vikestrand Skogum <sas@eika.no>
Co-authored-by: Ishaan Mittal <ishaanmittal123@gmail.com>

Author: 3 people

.gitignore

@@ -1 +1,2 @@
 .DS_Store
+.idea

charts/opencost/Chart.yaml

@@ -9,7 +9,9 @@ keywords:
   - finops
   - monitoring
   - opencost
-version: 2.0.2
+
+version: 2.1.0
+
 maintainers:
   - name: jessegoodier
   - name: toscott

charts/opencost/templates/_helpers.tpl

@@ -84,7 +84,7 @@ Create the name of the controller service account to use
   {{- if .Values.serviceAccount.create -}}
     {{- default (include "opencost.fullname" .) .Values.serviceAccount.name }}
   {{- else -}}
-    {{- default "default" .Values.serviceAccount.name }}
+    {{- default "opencost" .Values.serviceAccount.name }}
   {{- end -}}
 {{- end -}}
 
@@ -102,8 +102,9 @@ Create the name of the controller service account to use
     {{- $host := tpl .Values.opencost.prometheus.internal.serviceName . }}
     {{- $ns := tpl .Values.opencost.prometheus.internal.namespaceName . }}
     {{- $clusterName := .Values.clusterName }}
+    {{- $scheme := .Values.opencost.prometheus.internal.scheme | default "http"}}
     {{- $port := .Values.opencost.prometheus.internal.port | int }}
-    {{- printf "http://%s.%s.svc.%s:%d" $host $ns $clusterName $port -}}
+    {{- printf "%s://%s.%s.svc.%s:%d" $scheme $host $ns $clusterName $port -}}
   {{- end -}}
 {{- end -}}
 
@@ -118,7 +119,8 @@ Check that either thanos external or internal is defined
     {{- $ns := .Values.opencost.prometheus.thanos.internal.namespaceName }}
     {{- $clusterName := .Values.clusterName }}
     {{- $port := .Values.opencost.prometheus.thanos.internal.port | int }}
-    {{- printf "http://%s.%s.svc.%s:%d" $host $ns $clusterName $port -}}
+    {{- $scheme := .Values.opencost.prometheus.thanos.internal.scheme | default "http"}}
+    {{- printf "%s://%s.%s.svc.%s:%d" $scheme $host $ns $clusterName $port -}}
   {{- end -}}
 {{- end -}}
 
@@ -192,6 +194,11 @@ apiVersion: networking.k8s.io/v1beta1
 {{- end -}}
 {{- end -}}
 
+
+{{- define "opencost.sccName" -}}
+{{include "opencost.fullname" .}}-scc
+{{- end -}}
+
 {{- /*
   Compute a checksum based on the rendered content of specific ConfigMaps and Secrets.
 */ -}}
@@ -209,3 +216,4 @@ apiVersion: networking.k8s.io/v1beta1
 {{- end -}}
 {{- $checksum | sha256sum -}}
 {{- end -}}
+

charts/opencost/templates/clusterrole.yaml

@@ -78,4 +78,19 @@ rules:
       - get
       - list
       - watch
+
+{{- if and .Values.opencost.platforms.openshift.enabled .Values.opencost.platforms.openshift.enablePromAccess }}
+  - apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - prometheuses
+      - thanosrulers
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+{{- end }}
 {{- end }}

charts/opencost/templates/clusterrolebinding.yaml

@@ -39,3 +39,19 @@ subjects:
     namespace: {{ include "opencost.namespace" . }}
 ---
 {{- end }}
+
+{{- if and .Values.opencost.platforms.openshift.enabled .Values.opencost.platforms.openshift.enableSCC }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: opencost-scc-binding
+  namespace: {{include "opencost.namespace" .}}
+subjects:
+  - kind: ServiceAccount
+    name: {{template "opencost.serviceAccountName"}}
+    namespace: {{include "opencost.namespace" .}}
+roleRef:
+  kind: Role
+  name: system:openshift:scc:{{ include "opencost.sccName" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end}}

charts/opencost/templates/scc.yaml

@@ -0,0 +1,41 @@
+{{- if and .Values.opencost.platforms.openshift.enabled .Values.opencost.platforms.openshift.enableSCC }}
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  name: {{include "opencost.sccName" .}}
+priority: 10
+allowPrivilegedContainer: false
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+readOnlyRootFilesystem: false
+allowedCapabilities:
+  - CHOWN
+  - FOWNER
+  - FSETID
+  - KILL
+  - NET_BIND_SERVICE
+  - SETFCAP
+  - SETGID
+  - SETPCAP
+  - SETUID
+runAsUser:
+  type: MustRunAs
+  uid: 1001
+seLinuxContext:
+  type: MustRunAs
+fsGroup:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - persistentVolumeClaim
+  - projected
+  - secret
+{{- end}}

charts/opencost/values-openshift.yaml

@@ -0,0 +1,7 @@
+# This Helm values file is a modified version of `values.yaml`.
+# This file is meant to be used by users deploying Opencost to OpenShift (OCP) clusters. For more configuration options, see `values.yaml`.
+opencost:
+  platforms:
+    openshift:
+      enabled: true
+

charts/opencost/values.yaml

@@ -350,6 +350,8 @@ opencost:
       namespaceName: prometheus-system
       # -- Service port of in-cluster Prometheus
       port: 80
+      # -- Scheme to use for in-cluster Prometheus
+      scheme: http
     amp:
       # -- Use Amazon Managed Service for Prometheus (AMP)
       enabled: false  # If true, opencost will be configured to remote_write and query from Amazon Managed Service for Prometheus.
@@ -364,6 +366,7 @@ opencost:
         serviceName: my-thanos-query
         namespaceName: opencost
         port: 10901
+        scheme: http
       external:
         enabled: false
         url: 'https://thanos-query.example.com/thanos'
@@ -547,6 +550,9 @@ opencost:
       monitoringServiceAccountName: prometheus-k8s
       # -- Namespace of the Prometheus serviceaccount to bind to the Resource Reader Role Binding.
       monitoringServiceAccountNamespace: openshift-monitoring
-
+      # -- If true, set Security Context Constraints on serviceaccount for read/write premissions
+      enableSCC: false
+      # -- If true, enable internal prom access
+      enablePromAccess: false
 # -- A list of volumes to be added to the pod
 extraVolumes: []