Allow enabling user namespaces in Prometheus(Agent)/Alertmanager/ThanosRuler pods

[sebhoss]

Component(s)

• prometheus-operator
• Prometheus CR

What is missing? Please describe.

Since Kubernetes 1.33 we can now enable user namespaces which greatly increases the security of a cluster. It would be great if both the operator itself would set hostUsers to false to enable this and allow configuring this field in all managed Prometheus custom resources.

Describe alternatives you've considered.

We currently apply a patch on top of the operator bundle.yaml file and have no solution for Prometheus resources.

Environment Information.

Environment

Kubernetes Version: 1.33.2
Prometheus-Operator Version: 0.84.0

[simonpasquier]

It would be great if both the operator itself would set hostUsers to false to enable this and allow configuring this field in all managed Prometheus custom resources.

I don't think that the operator needs to set any value by default but it makes sense to expose the field in all the workload CRDs (not only Prometheus).

A workaround might be to use an admission webhook.

[sebhoss]

Oh yeah good point about the webhook, thanks!

[simonpasquier]

@nutmos is working on this.