feat(manifests): Add securityContext to Thanos compact StatefulSets

kaznak · kaznak · commit dc20383b9eaa · 2025-11-10T14:53:18.000+09:00
diff --git a/examples/all/manifests/thanos-compact-shard0-statefulSet.yaml b/examples/all/manifests/thanos-compact-shard0-statefulSet.yaml
@@ -113,6 +113,17 @@ spec:
           requests:
             cpu: 0.123
             memory: 123Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65534
+          seccompProfile:
+            type: RuntimeDefault
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /var/thanos/compact
diff --git a/examples/all/manifests/thanos-compact-shard1-statefulSet.yaml b/examples/all/manifests/thanos-compact-shard1-statefulSet.yaml
@@ -113,6 +113,17 @@ spec:
           requests:
             cpu: 0.123
             memory: 123Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65534
+          seccompProfile:
+            type: RuntimeDefault
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /var/thanos/compact
diff --git a/examples/all/manifests/thanos-compact-shard2-statefulSet.yaml b/examples/all/manifests/thanos-compact-shard2-statefulSet.yaml
@@ -113,6 +113,17 @@ spec:
           requests:
             cpu: 0.123
             memory: 123Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65534
+          seccompProfile:
+            type: RuntimeDefault
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /var/thanos/compact
diff --git a/examples/all/manifests/thanos-compact-statefulSet.yaml b/examples/all/manifests/thanos-compact-statefulSet.yaml
@@ -103,6 +103,17 @@ spec:
           requests:
             cpu: 0.123
             memory: 123Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65534
+          seccompProfile:
+            type: RuntimeDefault
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /var/thanos/compact
diff --git a/jsonnet/kube-thanos/kube-thanos-compact.libsonnet b/jsonnet/kube-thanos/kube-thanos-compact.libsonnet
@@ -127,6 +127,7 @@ function(params) {
       ),
       resources: if tc.config.resources != {} then tc.config.resources else {},
       terminationMessagePolicy: 'FallbackToLogsOnError',
+      securityContext: tc.config.securityContextContainer,
     };
 
     {

Original file line number	Diff line number	Diff line change
`@@ -127,6 +127,7 @@ function(params) {`
`127`	`127`	`),`
`128`	`128`	`resources: if tc.config.resources != {} then tc.config.resources else {},`
`129`	`129`	`terminationMessagePolicy: 'FallbackToLogsOnError',`
	`130`	`+ securityContext: tc.config.securityContextContainer,`
`130`	`131`	`};`
`131`	`132`
`132`	`133`	`{`