From 25defd8ca7ec27ec02d91d01aa3b85a26bd4ee69 Mon Sep 17 00:00:00 2001
From: Rahul Khiyani
Date: Mon, 25 Feb 2019 16:28:41 -0500
Subject: [PATCH] Shipyard: Add pod/container security context - deployment-shipyard
This updates the shipyard chart to include the pod security context on the pod template. This also adds the container security context to set allowPrivilegeEscalation to false and readOnlyRootFilesystem to true
Change-Id: Idb1b848847eaec2b6e24389c063b7ece2973c4dc
---
 charts/shipyard/templates/deployment-shipyard.yaml | 3 +++
 charts/shipyard/values.yaml | 10 ++++++++++
 2 files changed, 13 insertions(+)
diff --git a/charts/shipyard/templates/deployment-shipyard.yaml b/charts/shipyard/templates/deployment-shipyard.yaml
index a8cb104c..ba50073f 100644
--- a/charts/shipyard/templates/deployment-shipyard.yaml
+++ b/charts/shipyard/templates/deployment-shipyard.yaml
@@ -40,6 +40,7 @@ spec:
 airflow-configmap-bin-hash: {{ tuple "configmap-airflow-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 airflow-configmap-etc-hash: {{ tuple "configmap-airflow-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+{{ dict "envAll" $envAll "application" "shipyard" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 nodeSelector:
 {{ .Values.labels.shipyard.node_selector_key }}: {{ .Values.labels.shipyard.node_selector_value }}
@@ -57,6 +58,7 @@ spec:
 image: {{ .Values.images.tags.shipyard }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.shipyard_api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "shipyard" "container" "shipyard_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 ports:
 - containerPort: {{ tuple "shipyard" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 livenessProbe:
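Review bot: The shipyard_api container now receives `readOnlyRootFilesystem: true` through the added include, but nothing in this hunk or in the values.yaml hunk adds an emptyDir or other writable mount for paths the API process writes at runtime, so the container will fail on its first write if it needs, say, a temp or socket directory. Confirm against the image what the process writes and add a writable volume for each such path alongside this change rather than relaxing the setting. The container spec continues past the hunk, so existing volumeMounts may already cover this; if so, a short comment next to `readOnlyRootFilesystem: true` in values.yaml naming the writable paths would make that dependency visible.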
@@ -95,6 +97,7 @@ spec:
 image: {{ .Values.images.tags.airflow }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.airflow.web | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "shipyard" "container" "airflow_web" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: AIRFLOW_CONN_AIRFLOWS_OWN_DB
 valueFrom:
diff --git a/charts/shipyard/values.yaml b/charts/shipyard/values.yaml
index 03c3670d..db655763 100644
--- a/charts/shipyard/values.yaml
+++ b/charts/shipyard/values.yaml
@@ -678,6 +678,16 @@ conf:
 #Shipyard is not using this
 # End of Airflow config options
 pod:
+ security_context:
+ shipyard:
+ pod:
+ runAsUser: 1000
+ container:
+ shipyard_api:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ airflow_web:
+ allowPrivilegeEscalation: false
 mounts:
 airflow_scheduler:
 # TODO: This is only used if the standalone scheduler is enabled.
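Review bot: The `airflow_web` entry sets only `allowPrivilegeEscalation: false`, while `shipyard_api` also sets `readOnlyRootFilesystem: true`, and the commit message describes both settings without noting the difference; the airflow_web include added in the earlier deployment-shipyard.yaml hunk picks up only what is listed here. If the airflow web container needs a writable root filesystem, say so with a comment above that key, e.g. `# readOnlyRootFilesystem is left unset here because <reason>`, otherwise add the same key for parity with shipyard_api. Separately, the pod-level `runAsUser: 1000` could be paired with `runAsNonRoot: true` so the kubelet refuses to start the pod if an override ever sets the UID to 0, assuming the helm-toolkit pod security context snippet passes the map through unchanged.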