From 479433aa80f67b127c1ca0516333136ff5337a5f Mon Sep 17 00:00:00 2001 From: RAHUL KHIYANI Date: Tue, 9 Apr 2019 20:21:02 -0500 Subject: [PATCH] Promenade: Add security context for pod/container This adds a security context to the promenade chart, which changes the pod's user from root to the nobody user instead This also adds the container security context to set allowPrivilegeEscalation to false and readOnlyRootFilesystem to true Change-Id: I269d034f6f8a1c14f2897bb375e899abc99e0c01 --- charts/promenade/templates/deployment-api.yaml | 2 ++ charts/promenade/values.yaml | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/charts/promenade/templates/deployment-api.yaml b/charts/promenade/templates/deployment-api.yaml index b940d952..a91108b4 100644 --- a/charts/promenade/templates/deployment-api.yaml +++ b/charts/promenade/templates/deployment-api.yaml @@ -34,6 +34,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: +{{ dict "envAll" $envAll "application" "promenade" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} affinity: {{ tuple $envAll "promenade" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: @@ -45,6 +46,7 @@ spec: image: {{ .Values.images.tags.promenade }} imagePullPolicy: {{ .Values.images.pull_policy }} {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "promenade" "container" "promenade_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /opt/promenade/entrypoint.sh - server diff --git a/charts/promenade/values.yaml b/charts/promenade/values.yaml index 09d0fdbe..8cf2080d 100644 --- a/charts/promenade/values.yaml +++ b/charts/promenade/values.yaml 
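Review bot: The container security context rendered after the `kubernetes_resources` snippet turns on `readOnlyRootFilesystem: true`, but the hunk adds no writable scratch volume, so any write the `/opt/promenade/entrypoint.sh server` path makes to the root filesystem (temp files, sockets, caches) will now fail at start instead of at review time. Before merging, render the chart and run the API container once to confirm it needs no writable paths, or mount an `emptyDir` at whatever it writes, e.g. `volumeMounts: - name: tmp mountPath: /tmp` with a matching `volumes:` entry (I cannot tell from the hunk what the entrypoint writes). The pod-level context in the earlier hunk also switches every container in this pod to UID 65534, so the entrypoint, its interpreter and any mounted config/cert files must be readable (and the script executable) by that user; the rest of the container spec and its volume mounts lie outside the hunk.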
@@ -157,6 +157,14 @@ endpoints: default: null pod: + security_context: + promenade: + pod: + runAsUser: 65534 + container: + promenade_api: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true affinity: anti: type:
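Review bot: The pod context sets only `runAsUser: 65534`, which does not by itself stop a container from starting as root if a future image or override sets a different UID; add `runAsNonRoot: true` next to it so the kubelet refuses a root process rather than trusting the value. The container context drops privilege escalation but keeps the full default capability set; dropping it explicitly with `capabilities:` / `drop:` / `- ALL` under `promenade_api` is the usual companion to `allowPrivilegeEscalation: false`, assuming the helm-toolkit `kubernetes_container_security_context` snippet passes the values map through unchanged (worth confirming against the rendered template). Note that `runAsUser` at pod scope also applies to any init containers this chart adds later, which is fine for a hardening default but should be stated in a comment above `security_context:` so the next maintainer does not lower it per-container without noticing.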