fix(infra-monitoring): improve security of alertmanager-matrix bot

2024-02-29 14:07:46 +01:00 · 2024-02-29 14:07:46 +01:00 · 5e6aaaba9d
commit 5e6aaaba9d
parent 150153e653
3 changed files with 59 additions and 6 deletions
--- a/infra-monitoring/templates/alertmanager/alertmanager-config.yaml
+++ b/infra-monitoring/templates/alertmanager/alertmanager-config.yaml
@ -26,8 +26,8 @@ spec:
    {{- end }}
    {{- with .Values.alertmanager.receiver.matrix }}
    {{- if .enabled }}
-     - name: "matrix-default"
-       webhookConfigs:
+    - name: "matrix-default"
+      webhookConfigs:
        - url: "http://alertmanager-matrix:4051/{{ .default }}"
          sendResolved: {{ .sendResolved }}
    {{- range $receiver, $conf := .rooms }}
--- a/infra-monitoring/templates/alertmanager/matrix/release.yaml
+++ b/infra-monitoring/templates/alertmanager/matrix/release.yaml
@ -41,15 +41,67 @@ spec:
          {{- range $item := .rooms }}
          - {{ $item.room | quote }}
          {{- end }}
+      {{- if $.Values.alertmanager.ingress.enabled }}
      alertmanager: "https://{{ $.Values.alertmanager.ingress.host | default (printf "alertmanager.%s" $.Values.commons.ingress.domain) }}"
+      {{- else }}
+      alertmanager: "http://kube-prometheus-stack-alertmanager:9093"
+      {{- end }}
      showLabels: true
-
+      {{`
+      template:
+        html: >
+          {{ range .Alerts }}
+            <font color="{{.StatusString|color}}">
+              {{.StatusString|icon}}
+              <b>{{.StatusString|upper}}</b>
+            </font>
+            <b>{{.AlertName}}</b><br/>
+            {{if ne .Summary "" }}
+            Summary: {{.Summary}} 
+            {{end}}
+            {{if ne .Fingerprint ""}}
+              ({{.Fingerprint}})
+            {{end}}
+            {{if ne .GeneratorURL ""}}
+              <a href="{{.GeneratorURL}}">more</a>
+            {{end}}
+            {{- $labels := dict }}
+            {{- range $key, $value := .Alert.Labels }}
+            {{- $labels = set $labels $key $value }}
+            {{- end }}
+            <br/>
+            {{ coalesce $labels.exported_namespace $labels.namespace "unknown" }}
+            {{if $.ShowLabels}}
+              <br/>
+              <b>Labels:</b>
+              <table>
+              {{ range $key := omit $labels "alertname" "severity" "exported_namespace" "namespace" |
+                keys | sortAlpha }}
+                {{ $value := get $labels $key }}
+                <tr>
+                  <td>{{ $key }}</td>
+                  <td>{{ $value }}</td>
+                </tr>
+              {{ end }}
+              </table>
+             {{end}}
+             <br/>
+          {{- end -}}
+      `}}
    serviceAccount:
      create: false

+    podSecurityContext:
+      fsGroup: 1000
+
    securityContext:
-      runAsUser: 65534
-      runAsGroup: 65534
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+      readOnlyRootFilesystem: true
+      runAsUser: 1000
+      runAsGroup: 1000

    resources:
      requests:
@ -57,6 +109,7 @@ spec:
        cpu: "100m"
      limits:
        memory: "256Mi"
+        cpu: 4

    tolerations:
      {{- toYaml $.Values.commons.tolerations | nindent 6 }}
--- a/infra-monitoring/templates/kube-prometheus-stack/release.yaml
+++ b/infra-monitoring/templates/kube-prometheus-stack/release.yaml
@ -116,7 +116,7 @@ spec:
        {{- if .Values.alertmanager.ingress.enabled }}
        externalUrl: "https://{{ $hostAlertmanager }}"
        {{- end }}
-        replicas: 1
+        replicas: 2
        alertmanagerConfiguration:
          name: "global-alertmanager-conf"
        alertmanagerConfigSelector: