Add security context to query-frontend container (#863)

* Add security context to query-frontend container

Signed-off-by: Ruben Vargas <[email protected]>

* Update tests

Signed-off-by: Ruben Vargas <[email protected]>

* Add changelog entry

Signed-off-by: Ruben Vargas <[email protected]>

* mount tmp for tempo-query container as an emptydir to make writable

Signed-off-by: Ruben Vargas <[email protected]>

---------

Signed-off-by: Ruben Vargas <[email protected]>

.chloggen/set_security_context.yaml

@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. operator, github action)
+component: operator
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add security context to tempo-query container
+
+# One or more tracking issues related to the change
+issues: [864]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:

internal/manifests/compactor/compactor.go

@@ -112,7 +112,7 @@ func deployment(params manifestutils.Params) (*v1.Deployment, error) {
 								},
 								{
 									Name:      manifestutils.TmpStorageVolumeName,
-									MountPath: manifestutils.TmpStoragePath,
+									MountPath: manifestutils.TmpTempoStoragePath,
 								},
 							},
 							Resources:       resources(tempo),

internal/manifests/compactor/compactor_test.go

@@ -126,7 +126,7 @@ func TestBuildCompactor(t *testing.T) {
 								},
 								{
 									Name:      manifestutils.TmpStorageVolumeName,
-									MountPath: manifestutils.TmpStoragePath,
+									MountPath: manifestutils.TmpTempoStoragePath,
 								},
 							},
 							Ports: []corev1.ContainerPort{

internal/manifests/distributor/distributor.go

@@ -236,7 +236,7 @@ func deployment(params manifestutils.Params) *v1.Deployment {
 								},
 								{
 									Name:      manifestutils.TmpStorageVolumeName,
-									MountPath: manifestutils.TmpStoragePath,
+									MountPath: manifestutils.TmpTempoStoragePath,
 								},
 							},
 							Resources:       resources(tempo),

internal/manifests/distributor/distributor_test.go

@@ -166,7 +166,7 @@ func TestBuildDistributor(t *testing.T) {
 				},
 				{
 					Name:      manifestutils.TmpStorageVolumeName,
-					MountPath: manifestutils.TmpStoragePath,
+					MountPath: manifestutils.TmpTempoStoragePath,
 				},
 			},
 		},
@@ -325,7 +325,7 @@ func TestBuildDistributor(t *testing.T) {
 				},
 				{
 					Name:      manifestutils.TmpStorageVolumeName,
-					MountPath: manifestutils.TmpStoragePath,
+					MountPath: manifestutils.TmpTempoStoragePath,
 				},
 				{
 					Name:      "ca-custom",
@@ -409,7 +409,7 @@ func TestBuildDistributor(t *testing.T) {
 				},
 				{
 					Name:      manifestutils.TmpStorageVolumeName,
-					MountPath: manifestutils.TmpStoragePath,
+					MountPath: manifestutils.TmpTempoStoragePath,
 				},
 			},
 		},

internal/manifests/manifestutils/constants.go

@@ -18,8 +18,10 @@ const (
 	// TmpStorageVolumeName declares the name of the volume containing temporary storage for tempo.
 	TmpStorageVolumeName = "tempo-tmp-storage"
 
-	// TmpStoragePath declares the path of temporary storage for tempo.
-	TmpStoragePath = "/var/tempo"
+	// TmpTempoStoragePath declares the path of temporary storage for tempo.
+	TmpTempoStoragePath = "/var/tempo"
+	// TmpStoragePath   declares generic default /tmp storage path.
+	TmpStoragePath = "/tmp"
 
 	// HttpPortName declares the name of the tempo http port.
 	HttpPortName = "http"

internal/manifests/querier/querier.go

@@ -116,7 +116,7 @@ func deployment(params manifestutils.Params) (*v1.Deployment, error) {
 								},
 								{
 									Name:      manifestutils.TmpStorageVolumeName,
-									MountPath: manifestutils.TmpStoragePath,
+									MountPath: manifestutils.TmpTempoStoragePath,
 								},
 							},
 							Resources:       resources(tempo),

internal/manifests/querier/querier_test.go

@@ -133,7 +133,7 @@ func TestBuildQuerier(t *testing.T) {
 								},
 								{
 									Name:      manifestutils.TmpStorageVolumeName,
-									MountPath: manifestutils.TmpStoragePath,
+									MountPath: manifestutils.TmpTempoStoragePath,
 								},
 							},
 							Ports: []corev1.ContainerPort{

internal/manifests/queryfrontend/query_frontend.go

@@ -171,7 +171,7 @@ func deployment(params manifestutils.Params) (*appsv1.Deployment, error) {
 								},
 								{
 									Name:      manifestutils.TmpStorageVolumeName,
-									MountPath: manifestutils.TmpStoragePath,
+									MountPath: manifestutils.TmpTempoStoragePath,
 								},
 							},
 							Resources:       resources(tempo),
@@ -239,7 +239,8 @@ func deployment(params manifestutils.Params) (*appsv1.Deployment, error) {
 					MountPath: manifestutils.TmpStoragePath,
 				},
 			},
-			Resources: tempoQueryResources(tempo),
+			Resources:       tempoQueryResources(tempo),
+			SecurityContext: manifestutils.TempoContainerSecurityContext(),
 		}
 		jaegerQueryVolume := corev1.Volume{
 			Name: manifestutils.TmpStorageVolumeName + "-query",

internal/manifests/queryfrontend/query_frontend_test.go

@@ -175,7 +175,7 @@ func getExpectedDeployment(withJaeger bool) *v1.Deployment {
 								},
 								{
 									Name:      manifestutils.TmpStorageVolumeName,
-									MountPath: manifestutils.TmpStoragePath,
+									MountPath: manifestutils.TmpTempoStoragePath,
 								},
 							},
 							Resources: corev1.ResourceRequirements{
@@ -262,6 +262,7 @@ func getExpectedDeployment(withJaeger bool) *v1.Deployment {
 					corev1.ResourceMemory: *resource.NewQuantity(32212256, resource.BinarySI),
 				},
 			},
+			SecurityContext: manifestutils.TempoContainerSecurityContext(),
 		}
 		jaegerQueryVolume := corev1.Volume{
 			Name: manifestutils.TmpStorageVolumeName + "-query",