diff --git a/Makefile b/Makefile index cea04a402..536b5ada4 100644 --- a/Makefile +++ b/Makefile @@ -112,7 +112,7 @@ helm-sync-s3: helm/hack/helm-package.sh kube-prometheus helm/hack/sync-repo.sh -generate-crd: openapi-gen po-crdgen +generate-crd: generate-openapi po-crdgen po-crdgen prometheus > example/prometheus-operator-crd/prometheus.crd.yaml po-crdgen alertmanager > example/prometheus-operator-crd/alertmanager.crd.yaml po-crdgen servicemonitor > example/prometheus-operator-crd/servicemonitor.crd.yaml diff --git a/example/prometheus-operator-crd/alertmanager.crd.yaml b/example/prometheus-operator-crd/alertmanager.crd.yaml index 98a92ffc7..eef0c6cb7 100644 --- a/example/prometheus-operator-crd/alertmanager.crd.yaml +++ b/example/prometheus-operator-crd/alertmanager.crd.yaml 
@@ -862,6 +862,70 @@ spec: the server serves requests under a different route prefix. For example for use with `kubectl proxy`. type: string + securityContext: + description: PodSecurityContext holds pod-level security attributes + and common container settings. Some fields are also present in container.securityContext. Field + values of container.securityContext take precedence over field values + of PodSecurityContext. + properties: + fsGroup: + description: |- + A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: + + 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- + + If unset, the Kubelet will not modify the ownership and permissions of any volume. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root + user. If true, the Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no such validation + will be performed. May also be set in SecurityContext. If set + in both SecurityContext and PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. May + also be set in SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + format: int64 + type: integer + seLinuxOptions: + description: SELinuxOptions are the labels to be applied to the + container + properties: + level: + description: Level is SELinux level label that applies to the + container. 
+ type: string + role: + description: Role is a SELinux role label that applies to the + container. + type: string + type: + description: Type is a SELinux type label that applies to the + container. + type: string + user: + description: User is a SELinux user label that applies to the + container. + type: string + supplementalGroups: + description: A list of groups applied to the first process run in + each container, in addition to the container's primary GID. If + unspecified, no groups will be added to any container. + items: + format: int64 + type: integer + type: array + serviceAccountName: + description: ServiceAccountName is the name of the ServiceAccount to + use to run the Prometheus Pods. + type: string storage: description: StorageSpec defines the configured storage for a group Prometheus servers. diff --git a/pkg/client/monitoring/v1/openapi_generated.go b/pkg/client/monitoring/v1/openapi_generated.go index 17987a489..b72ab3196 100644 --- a/pkg/client/monitoring/v1/openapi_generated.go +++ b/pkg/client/monitoring/v1/openapi_generated.go 
@@ -291,11 +291,24 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA }, }, }, + "securityContext": { + SchemaProps: spec.SchemaProps{ + Description: "SecurityContext holds pod-level security attributes and common container settings. This defaults to non root user with uid 1000 and gid 2000.", + Ref: ref("k8s.io/api/core/v1.PodSecurityContext"), + }, + }, + "serviceAccountName": { + SchemaProps: spec.SchemaProps{ + Description: "ServiceAccountName is the name of the ServiceAccount to use to run the Prometheus Pods.", + Type: []string{"string"}, + Format: "", + }, + }, }, }, }, Dependencies: []string{ - "github.com/coreos/prometheus-operator/pkg/client/monitoring/v1.StorageSpec", "k8s.io/api/core/v1.Affinity", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.Toleration", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + "github.com/coreos/prometheus-operator/pkg/client/monitoring/v1.StorageSpec", "k8s.io/api/core/v1.Affinity", "k8s.io/api/core/v1.LocalObjectReference", "k8s.io/api/core/v1.PodSecurityContext", "k8s.io/api/core/v1.ResourceRequirements", "k8s.io/api/core/v1.Toleration", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, }, "github.com/coreos/prometheus-operator/pkg/client/monitoring/v1.AlertmanagerStatus": { Schema: spec.Schema{ diff --git a/pkg/client/monitoring/v1/types.go b/pkg/client/monitoring/v1/types.go index 9286b7869..470159355 100644 --- a/pkg/client/monitoring/v1/types.go +++ b/pkg/client/monitoring/v1/types.go 
@@ -412,7 +412,7 @@ type AlertmanagerSpec struct {
 Tolerations []v1.Toleration `json:"tolerations,omitempty"`
 // SecurityContext holds pod-level security attributes and common container settings.
 // This defaults to non root user with uid 1000 and gid 2000.
- SecurityContext *v1.PodSecurityContext
+ SecurityContext *v1.PodSecurityContext `json:"securityContext,omitempty"`
 // ServiceAccountName is the name of the ServiceAccount to use to run the
 // Prometheus Pods.
 ServiceAccountName string `json:"serviceAccountName,omitempty"`
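Review bot: The comment on `SecurityContext` promises a default of a non-root user (uid 1000, gid 2000), but now that the field is serialised as `securityContext` and published in the CRD schema, it does not say what happens when a user supplies only part of a PodSecurityContext. The defaulting code is outside this hunk, so this is inferred: if the default is applied only when the field is nil, a manifest that sets just `fsGroup` would silently drop the non-root settings. Once confirmed against the defaulting code, I would state that in the comment, e.g. `// A value set here replaces the default as a whole; set runAsNonRoot and runAsUser explicitly to keep the pod non-root.` Separately, the `ServiceAccountName` comment in this AlertmanagerSpec context says `Prometheus Pods` and is copied verbatim into the generated CRD and OpenAPI descriptions in this commit; it should read `// Alertmanager Pods.`. The struct body starts and ends outside the hunk.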