@kaznak kaznak commented Nov 10, 2025

  • I added CHANGELOG entry for this change.
  • Change is not relevant to the end user.

Changes

The kube-thanos-compact-default-params.libsonnet file already defines a securityContextContainer parameter, but it is not currently used.

securityContextContainer:: {
  runAsUser: defaults.securityContext.runAsUser,
  runAsGroup: defaults.securityContext.runAsGroup,
  runAsNonRoot: defaults.securityContext.runAsNonRoot,
  seccompProfile: defaults.securityContext.seccompProfile,
  allowPrivilegeEscalation: false,
  readOnlyRootFilesystem: true,
  capabilities: { drop: ['ALL'] },
},

Because of this missing reference, the generated manifests trigger Pod Security Admission warnings or may even be rejected under restricted policies.

This PR applies the securityContextContainer parameter to the compact container so that the generated manifests comply with restricted PodSecurity standards.

Verification

I applied the manifests generated from this branch to my cluster, and the Pod Security Admission warning was successfully suppressed.
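
The effect described in this PR can be checked offline on generated manifests. The following is an added example, not part of the PR or the kube-thanos code base: it tests the container-level fields of the Kubernetes restricted Pod Security Standard on a workload manifest. The container name, image and numeric IDs are constructed, and it assumes the pod-level securityContext was already set before the change.

```python
# Added example: container-level checks of the Kubernetes "restricted"
# Pod Security Standard, run over a workload manifest loaded as a dict.

def restricted_violations(workload):
    """Return 'container: problem' strings for a Deployment/StatefulSet."""
    pod = workload["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    problems = []
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        # Container-only fields: a pod-level securityContext cannot set them.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{c['name']}: allowPrivilegeEscalation != false")
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f"{c['name']}: capabilities.drop lacks ALL")
        if set(caps.get("add") or []) - {"NET_BIND_SERVICE"}:
            problems.append(f"{c['name']}: capabilities.add not allowed")
        # Fields where the container value overrides the pod-level value.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{c['name']}: runAsNonRoot != true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            problems.append(f"{c['name']}: runAsUser is 0")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{c['name']}: seccompProfile.type not set")
    return problems

# Constructed sample values (assumption: not taken from the project defaults).
POD_SC = {"runAsUser": 65534, "runAsGroup": 65532, "runAsNonRoot": True,
          "seccompProfile": {"type": "RuntimeDefault"}}

def statefulset(container_sc=None):
    """Build a minimal StatefulSet; 'thanos-compact' is a hypothetical name."""
    c = {"name": "thanos-compact", "image": "example/thanos:placeholder"}
    if container_sc is not None:
        c["securityContext"] = container_sc
    spec = {"securityContext": POD_SC, "containers": [c]}
    return {"kind": "StatefulSet", "spec": {"template": {"spec": spec}}}

# Before: the container has no securityContext of its own.
BEFORE = statefulset()
# After: the container carries the fields of securityContextContainer.
AFTER = statefulset({**POD_SC, "allowPrivilegeEscalation": False,
                     "readOnlyRootFilesystem": True,
                     "capabilities": {"drop": ["ALL"]}})

if __name__ == "__main__":
    print("before:", restricted_violations(BEFORE))
    print("after: ", restricted_violations(AFTER))
```

The two findings on the "before" manifest are the fields that only a container-level securityContext can satisfy, which is why a pod-level context alone still produces warnings.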

kaznak added a commit to kaznak/kube-thanos that referenced this pull request Nov 10, 2025
@kaznak kaznak changed the title compact: Add securityContext to Thanos compact container of the StatefulSets compact: Add securityContext to Thanos compact container Nov 10, 2025
@kaznak kaznak force-pushed the fix/compactor-use-securitycontextcontainer branch from 3e729af to ee89f75 Compare November 10, 2025 06:21
@kaznak kaznak marked this pull request as ready for review November 10, 2025 06:23