From 8afa84729ff2257e18bcfb3660a69df5550ef6d9 Mon Sep 17 00:00:00 2001
From: Rahul Khiyani
Date: Mon, 25 Nov 2019 10:41:50 -0600
Subject: [PATCH] Calicoctl-utility: Add pod/container security context

This updates the calicoctl-utility chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to false

Change-Id: I5fa54165f0409ca56dd8aafeda028a7398122c4b
---
 .../templates/deployment-calicoctl-utility.yaml | 5 ++---
 charts/calicoctl-utility/values.yaml | 10 ++++++++--
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/charts/calicoctl-utility/templates/deployment-calicoctl-utility.yaml b/charts/calicoctl-utility/templates/deployment-calicoctl-utility.yaml
index 1e21c97a..622be693 100644
--- a/charts/calicoctl-utility/templates/deployment-calicoctl-utility.yaml
+++ b/charts/calicoctl-utility/templates/deployment-calicoctl-utility.yaml
@@ -111,9 +111,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 {{ tuple . | include "helm-toolkit.snippets.release_uuid" | indent 8}}
 spec:
-securityContext:
-runAsUser: {{ $envAll.Values.pod.sec_context.run_as_user }}
-allowPrivilegeEscalation: false
+{{ dict "envAll" $envAll "application" "calicoctl_util" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 nodeSelector:
 {{ .Values.labels.utility.node_selector_key }}: {{ .Values.labels.utility.node_selector_value }}
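Review bot: The new `application` key `calicoctl_util` does not match the `calicoctl_utility` name that every other value lookup in this template uses (`pod.resources.calicoctl_utility`, the image tuple), so the container-level include in the next hunk carries two spellings, `"application" "calicoctl_util" "container" "calicoctl_utility"`, and the values.yaml tree mirrors the mismatch. Because these are plain string lookups into `.Values`, a later copy of the longer name into the `application` slot would silently render an empty security context rather than fail. Aligning on one name, `{{ dict "envAll" $envAll "application" "calicoctl_utility" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}` with a matching `pod.security_context.calicoctl_utility` key in values.yaml, removes that trap. The enclosing pod template starts before this hunk, and the original indentation of its lines was lost in the collapsed diff.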
@@ -121,6 +119,7 @@ spec:
 - name: {{ printf "%s" $envAll.Release.Name }}
 {{ tuple $envAll "calicoctl_utility" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.calicoctl_utility | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "calicoctl_util" "container" "calicoctl_utility" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - "bootstrap.sh"
 readinessProbe:
diff --git a/charts/calicoctl-utility/values.yaml b/charts/calicoctl-utility/values.yaml
index d46daf48..491fe4b9 100644
--- a/charts/calicoctl-utility/values.yaml
+++ b/charts/calicoctl-utility/values.yaml
@@ -30,6 +30,14 @@ images:
 - calicoctl_utility
 pod:
+security_context:
+calicoctl_util:
+pod:
+runAsUser: 65534
+container:
+calicoctl_utility:
+allowPrivilegeEscalation: true
+readOnlyRootFilesystem: false
 resources:
 enabled: true
 jobs:
@@ -50,8 +58,6 @@ pod:
 dns_policy: "ClusterFirstWithHostNet"
 replicas:
 utility: 1
-sec_context:
-run_as_user: 65534
 release_group: null
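Review bot: In the values.yaml hunk at `@@ -30,6 +30,14 @@`, `allowPrivilegeEscalation: true` widens the posture the old template declared (`allowPrivilegeEscalation: false`), and the commit message only accounts for `readOnlyRootFilesystem`. The removed field sat under the pod-level `securityContext`, where Kubernetes does not define it, so this commit is the first time the setting is actually applied to the container — and it is applied permissively, alongside a writable root filesystem. Unless calicoctl has to gain privileges at runtime, keep `allowPrivilegeEscalation: false`, and add a comment above `readOnlyRootFilesystem: false` naming what the container writes to the root filesystem so the relaxation is reviewable later. The final hunk's context lines appear cut off at the end of the patch as shown.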