Promenade: Add security context for pod/container

This adds a security context to the promenade chart, which changes the pod's user from root to the nobody user instead This also adds the container security context to set allowPrivilegeEscalation to false and readOnlyRootFilesystem to true Change-Id: I269d034f6f8a1c14f2897bb375e899abc99e0c01
2019-04-09 20:21:02 -05:00 · 2019-04-09 20:21:02 -05:00 · 479433aa80
parent 66ab47386f
commit 479433aa80
2 changed files with 10 additions and 0 deletions
--- a/charts/promenade/templates/deployment-api.yaml
+++ b/charts/promenade/templates/deployment-api.yaml
@ -34,6 +34,7 @@ spec:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
+{{ dict "envAll" $envAll "application" "promenade" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      affinity:
 {{ tuple $envAll "promenade" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
      nodeSelector:
@ -45,6 +46,7 @@ spec:
          image: {{ .Values.images.tags.promenade }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "promenade" "container" "promenade_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /opt/promenade/entrypoint.sh
            - server
--- a/charts/promenade/values.yaml
+++ b/charts/promenade/values.yaml
@ -157,6 +157,14 @@ endpoints:
      default: null

 pod:
+  security_context:
+    promenade:
+      pod:
+        runAsUser: 65534
+      container:
+        promenade_api:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
  affinity:
    anti:
      type: