thanos-io · kaznak · Nov 10, 2025 · Nov 10, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -34,6 +34,7 @@ We use *breaking* word for marking changes that are not backward compatible (rel
 - [#310](https://github.com/thanos-io/kube-thanos/pull/310) Ruler: Add host anti-affinity to ruler
 - [#313](https://github.com/thanos-io/kube-thanos/pull/313) Add per-container SecurityContext
 - [#330](https://github.com/thanos-io/kube-thanos/pull/330) Query: Add query url support to jsonnet library
+- [#333](https://github.com/thanos-io/kube-thanos/pull/333) Compact: Add securityContext to Thanos compact container
 
 ### Fixed
 

diff --git a/examples/all/manifests/thanos-compact-shard0-statefulSet.yaml b/examples/all/manifests/thanos-compact-shard0-statefulSet.yaml
@@ -113,6 +113,17 @@ spec:
           requests:
             cpu: 0.123
             memory: 123Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65534
+          seccompProfile:
+            type: RuntimeDefault
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /var/thanos/compact

diff --git a/examples/all/manifests/thanos-compact-shard1-statefulSet.yaml b/examples/all/manifests/thanos-compact-shard1-statefulSet.yaml
@@ -113,6 +113,17 @@ spec:
           requests:
             cpu: 0.123
             memory: 123Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65534
+          seccompProfile:
+            type: RuntimeDefault
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /var/thanos/compact

diff --git a/examples/all/manifests/thanos-compact-shard2-statefulSet.yaml b/examples/all/manifests/thanos-compact-shard2-statefulSet.yaml
@@ -113,6 +113,17 @@ spec:
           requests:
             cpu: 0.123
             memory: 123Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65534
+          seccompProfile:
+            type: RuntimeDefault
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /var/thanos/compact

diff --git a/examples/all/manifests/thanos-compact-statefulSet.yaml b/examples/all/manifests/thanos-compact-statefulSet.yaml
@@ -103,6 +103,17 @@ spec:
           requests:
             cpu: 0.123
             memory: 123Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65534
+          seccompProfile:
+            type: RuntimeDefault
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /var/thanos/compact

diff --git a/jsonnet/kube-thanos/kube-thanos-compact.libsonnet b/jsonnet/kube-thanos/kube-thanos-compact.libsonnet
@@ -127,6 +127,7 @@ function(params) {
       ),
       resources: if tc.config.resources != {} then tc.config.resources else {},
       terminationMessagePolicy: 'FallbackToLogsOnError',
+      securityContext: tc.config.securityContextContainer,
     };
 
     {
-Original file line number
+Diff line change
@@ Expand Up / @@ -127,6 +127,7 @@ function(params) { @@
           ),
           resources: if tc.config.resources != {} then tc.config.resources else {},
           terminationMessagePolicy: 'FallbackToLogsOnError',
+          securityContext: tc.config.securityContextContainer,
         };
         {
@@ Expand Down @@