Merge pull request kubecost#756 from kubecost/develop

Merge develop into master

cost-analyzer/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "1.72.0"
+appVersion: "1.73.0"
 description: A Helm chart that sets up Kubecost, Prometheus, and Grafana to monitor
   cloud costs.
 name: cost-analyzer
-version: 1.72.0
+version: 1.73.0

cost-analyzer/charts/grafana/values.yaml

@@ -212,7 +212,7 @@ grafana.ini:
     url: https://grafana.net
   auth.anonymous:
     enabled: true
-    org_role:  Admin
+    org_role:  Editor
     org_name: Main Org.
 
 ## LDAP Authentication can be enabled with the following values on grafana.ini

cost-analyzer/charts/prometheus/values.yaml

@@ -277,10 +277,10 @@ alertmanager:
   ## Security context to be added to alertmanager pods
   ##
   securityContext:
-    runAsUser: 65534
+    runAsUser: 1001
     runAsNonRoot: true
-    runAsGroup: 65534
-    fsGroup: 65534
+    runAsGroup: 1001
+    fsGroup: 1001
 
   service:
     annotations: {}
@@ -856,10 +856,10 @@ server:
   ## Security context to be added to server pods
   ##
   securityContext:
-    runAsUser: 65534
+    runAsUser: 1001
     runAsNonRoot: true
-    runAsGroup: 65534
-    fsGroup: 65534
+    runAsGroup: 1001
+    fsGroup: 1001
 
   service:
     annotations: {}
@@ -1016,7 +1016,7 @@ pushgateway:
   ## Security context to be added to push-gateway pods
   ##
   securityContext:
-    runAsUser: 65534
+    runAsUser: 1001
     runAsNonRoot: true
 
   service:

cost-analyzer/charts/thanos/values.yaml

@@ -113,7 +113,11 @@ store:
       #    hosts:
       #      - chart-example.local
   # Optional securityContext
-  securityContext: {}
+  securityContext:
+    fsGroup: 1001
+    runAsNonRoot: true
+    runAsUser: 1001
+
   resources: {}
   #  limits:
   #    cpu: 2000m
@@ -265,7 +269,11 @@ queryFrontend:
       labels: {}
 
   # Optional securityContext
-  securityContext: {}
+  securityContext:
+    fsGroup: 1001
+    runAsNonRoot: true
+    runAsUser: 1001
+
   resources: {}
   #  limits:
   #    cpu: 2000m
@@ -424,7 +432,11 @@ query:
       labels: {}
 
   # Optional securityContext
-  securityContext: {}
+  securityContext:
+    fsGroup: 1001
+    runAsNonRoot: true
+    runAsUser: 1001
+
   resources: {}
   #  limits:
   #    cpu: 2000m
@@ -547,7 +559,11 @@ compact:
   serviceAccount: ""
 
   # Optional securityContext
-  securityContext: {}
+  securityContext:
+    fsGroup: 1001
+    runAsNonRoot: true
+    runAsUser: 1001
+
   resources: {}
   #  limits:
   #    cpu: 2000m
@@ -646,7 +662,11 @@ bucket:
     #  maxUnavailable: 50%
 
   # Optional securityContext
-  securityContext: {}
+  securityContext:
+    fsGroup: 1001
+    runAsNonRoot: true
+    runAsUser: 1001
+
   resources: {}
   #  limits:
   #    cpu: 2000m

cost-analyzer/templates/cost-analyzer-checks-template.yaml

@@ -57,7 +57,14 @@ spec:
         {{- if .Values.imagePullSecrets }}
           imagePullSecrets:
           {{ toYaml .Values.imagePullSecrets | indent 2 }}
+        {{- end }}
+        {{- with .Values.nodeSelector }}
+          nodeSelector:
+          {{- toYaml . | nindent 12 }}
         {{- end }}
           restartPolicy: OnFailure
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1001
 {{- end -}}
 {{- end -}}

cost-analyzer/templates/cost-analyzer-deployment-template.yaml

@@ -393,6 +393,8 @@ spec:
               value: "https://[email protected]/5245431"
             {{- end }}
             {{- end }}
+            - name: OUT_OF_CLUSTER_PROM_METRICS_ENABLED
+              value: {{ (quote .Values.kubecostModel.outOfClusterPromMetricsEnabled) | default (quote false) }}
             - name: CACHE_WARMING_ENABLED
               value: {{ (quote .Values.kubecostModel.warmCache) | default (quote true) }}
             - name: SAVINGS_CACHE_WARMING_ENABLED
@@ -403,6 +405,8 @@ spec:
               value: {{ (quote .Values.kubecostModel.etlToDisk) | default (quote true) }}
             - name : ETL_CLOUD_ASSETS_ENABLED
               value: {{ (quote .Values.kubecostModel.etlCloudAssets) | default (quote true) }}
+            - name: DIAGNOSTIC_ALERT_ENABLED
+              value: {{ (quote .Values.global.notifications.alertConfigs.kubecostHealth) | default (quote false) }}
             {{- if .Values.persistentVolume.dbPVEnabled }}
             - name: ETL_PATH_PREFIX
               value: "/var/db"
@@ -470,6 +474,10 @@ spec:
             - name: AUDIENCE_URI
               value: {{ .Values.saml.audienceURI }}
             {{- end }}
+            {{- if .Values.saml.nameIDFormat }}
+            - name: NAME_ID_FORMAT
+              value: {{ .Values.saml.nameIDFormat }}
+            {{- end}}
             {{- if .Values.saml.rbac.enabled }}
             - name: SAML_RBAC_ENABLED
               value: "true"

cost-analyzer/templates/cost-analyzer-network-costs-template.yaml

@@ -69,6 +69,10 @@ spec:
 {{- if .Values.networkCosts.priorityClassName }}
       priorityClassName: "{{ .Values.networkCosts.priorityClassName }}"
 {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 10 }}
+      {{- end }}
 {{- if .Values.networkCosts.tolerations }}
       tolerations:
 {{ toYaml .Values.networkCosts.tolerations | indent 8 }}

cost-analyzer/templates/cost-analyzer-prometheus-postgres-adapter-deployment.yaml

@@ -48,6 +48,10 @@ spec:
             {{- end }}
               - "-pg-prometheus-log-samples=true"
               - "-pg-password={{ .Values.remoteWrite.postgres.auth.password }}"
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 10 }}
+      {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}

cost-analyzer/templates/cost-analyzer-psp.template.yaml

@@ -1,11 +1,9 @@
-{{- if .Values.podSecurityPolicy }}
-{{- if .Values.podSecurityPolicy.enabled }}
 apiVersion: {{ include "cost-analyzer.podSecurityPolicy.apiVersion" . }}
 kind: PodSecurityPolicy
 metadata:
     name: kubecost-cost-analyzer-psp
 spec:
-    privileged: true
+    privileged: false
     seLinux:
         rule: RunAsAny
     supplementalGroups:
@@ -16,5 +14,3 @@ spec:
         rule: RunAsAny
     volumes:
         - '*'
-{{- end }}
-{{- end }}

cost-analyzer/values-thanos.yaml

@@ -17,6 +17,9 @@ prometheus:
       storage.tsdb.min-block-duration: 2h
       storage.tsdb.max-block-duration: 2h
       storage.tsdb.retention: 2w
+    securityContext:
+      runAsNonRoot: true
+      runAsUser: 1001
     extraVolumes:
     - name: object-store-volume
       secret:
@@ -26,6 +29,9 @@ prometheus:
     sidecarContainers:
     - name: thanos-sidecar
       image: thanosio/thanos:v0.15.0
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1001
       args:
       - sidecar
       - --log.level=debug
@@ -111,6 +117,8 @@ thanos:
         memory: "1.5Gi"
 
   # Thanos Sidecar Service Discovery
+  # Disabling removes the prometheus sidecar from querier store discovery. This ensures
+  # that all clusters read from the same data in remote store. 
   sidecar:
     enabled: true
   bucket:

cost-analyzer/values.yaml

@@ -28,10 +28,11 @@ global:
       enabled: false # the example values below are never read unless enabled is set to true
       frontendUrl: http://localhost:9090 # optional, used for linkbacks
       globalSlackWebhookUrl: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX # optional, used for Slack alerts
+      kubecostHealth: false # Alerts generated for kubecost uptime. Uses the globalSlackWebhookUrl to deliver the alert
       globalAlertEmails:
         - [email protected]
         - [email protected]
-      alerts:
+      alerts: # Alerts generated by kubecost, about cluster data
           # Daily namespace budget alert on namespace `kubecost`
         - type: budget # supported: budget, recurringUpdate
           threshold: 50 # optional, required for budget alerts
@@ -120,6 +121,7 @@ saml: # enterprise key required to use
   idpMetadataURL: "https://dev-elu2z98r.auth0.com/samlp/metadata/c6nY4M37rBP0qSO1IYIqBPPyIPxLS8v2"
   appRootURL: "http://localhost:9090" # sample URL
   # audienceURI: "http://localhost:9090" # by convention, the same as the appRootURL, but any string uniquely identifying kubecost to your samp IDP. Optional if you follow the convention
+  # nameIDFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" If your SAML provider requires a specific nameid format
   rbac:
     enabled: false
     groups:
@@ -181,11 +183,18 @@ kubecost:
 kubecostModel:
   image: "gcr.io/kubecost1/cost-model"
   imagePullPolicy: Always
+  # Enables the emission of the kubecost_cloud_credit_total and
+  # kubecost_cloud_expense_total metrics
+  outOfClusterPromMetricsEnabled: false
+  # Build local cost allocation cache
   warmCache: true
+  # Build local savings cache
   warmSavingsCache: true
+  # Run allocation ETL pipelines
   etl: true
   # The total number of days the ETL storage will build
-  etlStoreDurationDays: 120
+  etlStoreDurationDays: 90
+  # max number of concurrent Prometheus queries
   maxQueryConcurrency: 5
   # utcOffset represents a timezone in hours and minutes east (+) or west (-)
   # of UTC, itself, which is defined as +00:00.
@@ -200,6 +209,7 @@ kubecostModel:
     #  cpu: "800m"
     #  memory: "256Mi"
 
+# Basic Kubecost ingress, more examples available at https://github.com/kubecost/docs/blob/master/ingress-examples.md
 ingress:
   enabled: false
   annotations:
@@ -235,7 +245,7 @@ networkPolicy:
 podSecurityPolicy:
   enabled: false
 
-# Define persistence volume for cost-analyzer
+# Define persistence volume for cost-analyzer, more information at https://github.com/kubecost/docs/blob/master/storage.md
 persistentVolume:
   size: 32Gi
   dbSize: 32.0Gi
@@ -251,7 +261,7 @@ service:
   labels: {}
   annotations: {}
 
-# enabling long-term durable storage with Postgres requires an enterprise license
+# Enabling long-term durable storage with Postgres requires an enterprise license
 remoteWrite:
   postgres:
     enabled: false
@@ -381,11 +391,13 @@ prometheus:
             - expr: avg(sum(kube_pod_container_resource_requests_memory_bytes{namespace!="kube-system"}) by (pod, namespace, instance)) by (pod, namespace)
               record: kubecost_savings_pod_requests_memory_bytes
 
+## Module for measuring network costs
+## Ref: https://github.com/kubecost/docs/blob/master/network-allocation.md
 networkCosts:
   enabled: false
   podSecurityPolicy:
     enabled: false
-  image: gcr.io/kubecost1/kubecost-network-costs:v14.0
+  image: gcr.io/kubecost1/kubecost-network-costs:v14.1
   imagePullPolicy: Always
   # Traffic Logging will enable logging the top 5 destinations for each source
   # every 30 minutes. 
@@ -465,8 +477,10 @@ clusterController:
 reporting:
   # Kubecost bug report feature: Logs access/collection limited to .Release.Namespace
   # Ref: http://docs.kubecost.com/bug-report
-  logCollection: true 
-  productAnalytics: true 
+  logCollection: true
+  # Basic frontend analytics 
+  productAnalytics: true
+  # Report Javascript errors
   errorReporting: true
   valuesReporting: true
 
@@ -478,7 +492,7 @@ prometheusRule:
   enabled: false
   additionalLabels: {}
 
-supportNFS: true
+supportNFS: false
 # initChownDataImage ensures all Kubecost filepath permissions on PV or local storage are set up correctly.
 initChownDataImage: "busybox" # Supports a fully qualified Docker image, e.g. registry.hub.docker.com/library/busybox:latest
 initChownData: