Access requests to sidecar from thanos-query

[polRk]

Description

Current network polices restrict access to sidecar container from thanos query component. https://github.nmiku.com/thanos-io/kube-thanos/issues/272

Type of change

What type of changes does your code introduce to the kube-prometheus? Put an x in the box that apply.

• CHANGE (fix or feature that would cause existing functionality to not work as expected)
• FEATURE (non-breaking change which adds functionality)
• BUGFIX (non-breaking change which fixes an issue)
• ENHANCEMENT (non-breaking change which improves existing functionality)
• NONE (if none of the other choices apply. Example, tooling, build system, CI, docs, etc.)

Changelog entry

Allow request from thanos-query to prometheus-operated service.

 - Add NetworkPolicy rule allowing requests from thanos-query to prometheus-operated service.

[ArthurSens]

Hi @polRk, thanks for the fix!

Only one thing is missing, could you run make generate to make CI happy? 🙂

[ArthurSens]

Maybe we could add this patch only when Thanos is being used as well? Following the rule of least privileged, we don't want to give any access when it's not being used 🤔

[polRk]

Maybe we could add this patch only when Thanos is being used as well? Following the rule of least privileged, we don't want to give any access when it's not being used 🤔

I've been thinking about it. We can enable this rule if the thanos object is specified?

[ArthurSens]

Thanks!