Robot Upgrade: kube-state-metrics chart upgrade from 4.22.* to 7.2.0 #3952

Open: weizhoublue wants to merge 1 commit into main from upgrade/kube-state-metrics/7.2.0

@weizhoublue (Member)

I am robot, upgrade: project kube-state-metrics chart upgrade from 4.22.* to 7.2.0

@gemini-code-assist

Summary of Changes

Hello @weizhoublue, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request performs a significant automated upgrade of the kube-state-metrics Helm chart and its application version. The upgrade introduces several new features, security enhancements, and configuration options, while also removing deprecated components like Pod Security Policies. Key improvements include better integration with Prometheus monitoring, advanced network policy controls, and more granular control over deployment and pod lifecycle settings.

Highlights

  • Major Version Upgrade: Upgraded the kube-state-metrics Helm chart from version 4.22.* to 7.2.0, and the underlying kube-state-metrics application from v2.6.0 to v2.18.0, introducing numerous new features and breaking changes.
  • Pod Security Policy Removal: Removed all Pod Security Policy (PSP) related resources and configurations, aligning with Kubernetes' deprecation of PSPs.
  • Kube-RBAC-Proxy Integration: Introduced optional integration with kube-rbac-proxy to secure metrics endpoints with HTTPS and RBAC, enhancing the security posture of the deployment.
  • Custom Resource State Metrics: Added support for collecting metrics from custom resources through a new customResourceState configuration, allowing for more flexible monitoring.
  • Enhanced Network Policy Options: Implemented new templates for both Kubernetes NetworkPolicy and CiliumNetworkPolicy, providing greater control over network access for the kube-state-metrics pods.
  • Improved Prometheus Monitoring Configuration: Added a new ScrapeConfig resource for Prometheus and significantly enhanced ServiceMonitor options, including per-endpoint configurations, bearer token secrets, and detailed scrape limits.
  • Deployment and Pod Configuration Enhancements: Expanded configuration options for deployment strategy, revision history, pod labels, init containers, DNS settings, and detailed probe configurations (startup, liveness, readiness).
  • RBAC Updates: Updated Role-Based Access Control (RBAC) rules to remove deprecated API groups, include new resources like endpointslices and ingressclasses, and add necessary permissions for kube-rbac-proxy and customResourceState.


Changelog
  • charts/kube-state-metrics/config
    • Updated the VERSION environment variable to 7.2.0.
  • charts/kube-state-metrics/kube-state-metrics/Chart.yaml
    • Added Artifact Hub annotations for license and links.
    • Updated appVersion to 2.18.0.
    • Added URLs for maintainers.
    • Updated chart version to 7.2.0.
    • Updated dependency version for kube-state-metrics to 7.2.0.
  • charts/kube-state-metrics/kube-state-metrics/README.md
    • Updated usage instructions to reflect OCI Artifact distribution.
    • Added sections for upgrading to v6.0.0 and v3.0.0, detailing breaking changes.
    • Included configuration details for kube-rbac-proxy.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/Chart.yaml
    • Added Artifact Hub annotations for license and links.
    • Updated appVersion to 2.18.0.
    • Added URLs for maintainers.
    • Updated chart version to 7.2.0.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/README.md
    • Updated usage instructions to reflect OCI Artifact distribution.
    • Added sections for upgrading to v6.0.0 and v3.0.0, detailing breaking changes.
    • Included configuration details for kube-rbac-proxy.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/NOTES.txt
    • Added conditional notes for kube-rbac-proxy enablement, detailing HTTPS metrics and required RBAC permissions.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/_helpers.tpl
    • Modified customLabels to support templating.
    • Added selectorOverride logic to kube-state-metrics.selectorLabels.
    • Introduced new helper templates for scrapeconfig.scrapeLimits, kube-state-metrics.imagePullSecrets, kube-state-metrics.image, kubeRBACProxy.image, and kube-state-metrics.crsConfigMapName.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/ciliumnetworkpolicy.yaml
    • Added new template for creating CiliumNetworkPolicy resources.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/crs-configmap.yaml
    • Added new template for creating a ConfigMap to hold custom resource state configuration.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/deployment.yaml
    • Added support for labels and podLabels in deployment metadata.
    • Configured deployment strategy and revisionHistoryLimit.
    • Added automountServiceAccountToken to pod specification.
    • Introduced initContainers, dnsConfig, and dnsPolicy options.
    • Updated container arguments to support kubeRBACProxy and customResourceState.
    • Integrated kube-rbac-proxy-http and kube-rbac-proxy-telemetry sidecar containers when kubeRBACProxy is enabled.
    • Enhanced probe configurations (startup, liveness, readiness) with kubeRBACProxy awareness.
    • Updated volume mounts to include kube-rbac-proxy-config and customresourcestate-config.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/extra-manifests.yaml
    • Added new template for deploying extra manifests defined in values.yaml.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/networkpolicy.yaml
    • Added new template for creating Kubernetes NetworkPolicy resources.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/pdb.yaml
    • Simplified PodDisruptionBudget API version to policy/v1.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/podsecuritypolicy.yaml
    • Removed the Pod Security Policy template.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/psp-clusterrole.yaml
    • Removed the Pod Security Policy ClusterRole template.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml
    • Removed the Pod Security Policy ClusterRoleBinding template.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/rbac-configmap.yaml
    • Added new template for creating a ConfigMap to configure kube-rbac-proxy.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/role.yaml
    • Updated API groups for various resources (daemonsets, deployments, ingresses, replicasets) to remove deprecated extensions API.
    • Added endpointslices, ingressclasses, clusterrolebindings, clusterroles, and roles to the list of collectable resources.
    • Included RBAC rules necessary for kubeRBACProxy and customResourceState functionality.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/scrapeconfig.yaml
    • Added new template for creating Prometheus ScrapeConfig resources.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/service.yaml
    • Added support for ipDualStack configuration.
    • Introduced loadBalancerSourceRanges for LoadBalancer services.
    • Updated targetPort names to http and metrics for clarity.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/serviceaccount.yaml
    • Added automountServiceAccountToken to the ServiceAccount definition.
    • Updated imagePullSecrets to use the new helper template.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/servicemonitor.yaml
    • Added annotations, targetLabels, podTargetLabels, and namespaceSelector to ServiceMonitor configuration.
    • Introduced granular endpoint configurations for http and metrics, including support for bearerTokenFile and bearerTokenSecret.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/templates/verticalpodautoscaler.yaml
    • Added recommenders and controlledValues to VPA specification.
    • Modified controlledResources to accept a YAML block.
    • Updated targetRef.kind to conditionally be StatefulSet when autosharding is enabled.
  • charts/kube-state-metrics/kube-state-metrics/charts/kube-state-metrics/values.yaml
    • Updated image configuration to support registry and dynamic tag based on appVersion.
    • Added global section for imagePullSecrets and imageRegistry.
    • Introduced updateStrategy and revisionHistoryLimit for deployments.
    • Added automountServiceAccountToken option.
    • Expanded service configuration with ipDualStack and loadBalancerSourceRanges.
    • Added selectorOverride for labels.
    • Introduced a comprehensive kubeRBACProxy configuration block.
    • Added env for additional environment variables.
    • Refined prometheus.monitor settings with http and metrics endpoint-specific configurations.
    • Added a new prometheus.scrapeconfig block for ScrapeConfig resources.
    • Removed the podSecurityPolicy configuration block.
    • Introduced a new networkPolicy configuration block for Kubernetes or Cilium policies.
    • Updated securityContext with runAsNonRoot and seccompProfile.
    • Enhanced containerSecurityContext with readOnlyRootFilesystem, allowPrivilegeEscalation, and dropped capabilities.
    • Updated affinity to support string templating.
    • Removed kubeTargetVersionOverride.
    • Added a customResourceState configuration block.
    • Introduced extraManifests, containers, and initContainers blocks for extensibility.
    • Added dnsPolicy and dnsConfig options.
    • Included detailed startupProbe, livenessProbe, and readinessProbe configurations.
    • Expanded verticalPodAutoscaler configuration with recommenders, controlledValues, and updatePolicy details.
Activity
  • The pull request was opened by a robot user, 'weizhoublue', indicating an automated chart upgrade process.

@gemini-code-assist bot left a comment

Code Review

This pull request upgrades the kube-state-metrics Helm chart from version 4.22.* to 7.2.0, introducing new features, updating dependencies, and removing deprecated APIs like PodSecurityPolicy. No specific security vulnerabilities were identified in these changes. However, a critical issue exists in the wrapper chart configuration: the appVersion is updated to 2.18.0, but the application image tag remains pinned to v2.3.0 in an unchanged values file. This discrepancy will cause runtime failures due to incompatible CLI arguments between the new chart and the old image and must be resolved for a successful upgrade.

url: https://github.com/prometheus-community/helm-charts
apiVersion: v2
appVersion: 2.6.0
appVersion: 2.18.0
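
Review bot: the appVersion change from 2.6.0 to 2.18.0 in this Chart.yaml only updates chart metadata, so nothing in the hunk shows which image tag will actually be deployed. Render the chart with the wrapper's values and confirm the container image tag corresponds to 2.18.0 before merging, and record the result in the PR description.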


critical

The appVersion is updated to 2.18.0, but the wrapper chart's values file (charts/kube-state-metrics/kube-state-metrics/values.yaml) is not updated and still overrides the image tag to v2.3.0.

This will cause runtime failures because the new chart templates use features and command-line arguments that are not available or have different names in the v2.3.0 image. For example:

  • The chart uses --metric-allowlist and --metric-denylist, but the v2.3.0 image expects --metric-whitelist and --metric-blacklist.
  • Other new features configured in the chart might also be incompatible.

To fix this, the image tag in charts/kube-state-metrics/kube-state-metrics/values.yaml should be updated to be compatible with appVersion: 2.18.0 (e.g., v2.18.0), or removed to use the default from the subchart. Since that file is not part of this PR, you might need to update it in a separate change or include it here. Without this change, the deployment will be broken.
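
A pre-merge check for the mismatch this review comment describes, as an added example that is not part of the PR or of the reviewer's comment. The file contents are constructed samples; the nesting of the override under `kube-state-metrics:` and the helper names `yaml_scalar` and `check_image_tag` are assumptions.

```python
import re

# Constructed sample inputs, not the repository's actual files.
SUBCHART_CHART_YAML = """\
apiVersion: v2
appVersion: 2.18.0
name: kube-state-metrics
version: 7.2.0
"""
# Assumed layout: the wrapper chart's values nest under the subchart name.
WRAPPER_VALUES_YAML = """\
kube-state-metrics:
  image:
    repository: registry.example/kube-state-metrics
    tag: v2.3.0
"""

def yaml_scalar(text, path):
    """Return the scalar at `path` in simple block-style YAML, or None.

    Handles indentation-nested mappings only, which is enough for
    Chart.yaml and an image override; it is not a general YAML parser.
    """
    stack = []  # (indent, key) of the mappings currently open
    for line in text.splitlines():
        m = re.match(r"^( *)([\w.-]+):(?:\s+(.*))?$", line)
        if not m:
            continue  # blank lines, comments, list items
        indent, key, value = len(m.group(1)), m.group(2), m.group(3) or ""
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indentation
        stack.append((indent, key))
        if [k for _, k in stack] == list(path):
            value = value.split("#")[0].strip().strip("'\"")
            return value or None
    return None

def check_image_tag(chart_yaml, wrapper_values, subchart="kube-state-metrics"):
    """Compare the subchart's appVersion with any image tag the wrapper pins."""
    app_version = yaml_scalar(chart_yaml, ("appVersion",))
    tag = yaml_scalar(wrapper_values, (subchart, "image", "tag"))
    if tag is None:
        return "ok", f"no tag override; image follows appVersion {app_version}"
    if tag.lstrip("v") == (app_version or "").lstrip("v"):
        return "ok", f"tag {tag} matches appVersion {app_version}"
    return "mismatch", f"tag {tag} is pinned while appVersion is {app_version}"

if __name__ == "__main__":
    status, detail = check_image_tag(SUBCHART_CHART_YAML, WRAPPER_VALUES_YAML)
    print(status, detail)
    raise SystemExit(0 if status == "ok" else 1)
```

Run as a CI step on chart-upgrade branches, the non-zero exit status blocks the merge until the override is updated or removed.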

@github-actions bot force-pushed the upgrade/kube-state-metrics/7.2.0 branch from 5abfe41 to 212e643 on February 27, 2026 20:12
@github-actions bot force-pushed the upgrade/kube-state-metrics/7.2.0 branch from 212e643 to df5db15 on February 28, 2026 20:10