From abf8d1bc6ef59979e3f9a310420c376a4829258c Mon Sep 17 00:00:00 2001
From: Frank Ritchie
Date: Mon, 4 Jan 2021 11:45:13 -0500
Subject: [PATCH] Run as ceph user and disallow privilege escalation

This PS is to address security best practices concerning running containers as a non-privileged user and disallowing privilege escalation.

Ceph-client is used for the mgr and mds pods.

Change-Id: Idbd87408c17907eaae9c6398fbc942f203b51515
---
 ceph-client/Chart.yaml | 2 +-
 ceph-client/values.yaml | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/ceph-client/Chart.yaml b/ceph-client/Chart.yaml
index eab8de70f..8bb63485b 100644
--- a/ceph-client/Chart.yaml
+++ b/ceph-client/Chart.yaml
@@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Ceph Client
 name: ceph-client
-version: 0.1.2
+version: 0.1.3
 home: https://github.com/ceph/ceph-client
 ...
diff --git a/ceph-client/values.yaml b/ceph-client/values.yaml
index f8ab98b24..c422793d4 100644
--- a/ceph-client/values.yaml
+++ b/ceph-client/values.yaml
@@ -71,8 +71,9 @@ pod:
 runAsUser: 0
 readOnlyRootFilesystem: true
 mds:
-      runAsUser: 0
+      runAsUser: 64045
 readOnlyRootFilesystem: true
+      allowPrivilegeEscalation: false
 mgr:
 pod:
 runAsUser: 65534
@@ -81,8 +82,9 @@ pod:
 runAsUser: 0
 readOnlyRootFilesystem: true
 mgr:
-      runAsUser: 0
+      runAsUser: 64045
 readOnlyRootFilesystem: true
+      allowPrivilegeEscalation: false
 bootstrap:
 pod:
 runAsUser: 65534
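Review bot: `runAsUser: 64045` in the `mds` container block of the first values.yaml hunk is an undocumented magic number; it is the `ceph` uid created by Debian/Ubuntu ceph packages, whereas RHEL-based ceph images use uid 167, so the value silently ties the chart to a Debian-based image. Add a comment above it such as `# uid of the ceph user inside the image (64045 on Debian-based images); must match the image's passwd entry`, and the same applies to the identical `mgr` container block in the second values.yaml hunk. The `init_dirs` container in both hunks still keeps `runAsUser: 0`, so any directories it prepares are presumably root-owned; unless it chowns them to this uid (not visible here), the now-unprivileged mds/mgr containers may be unable to write their data directories, which is worth confirming or addressing with `fsGroup` in the corresponding `pod:` security context. Since the stated goal is least privilege, consider also dropping capabilities next to `allowPrivilegeEscalation: false` (e.g. `capabilities: drop: [ALL]`) if the chart's container security-context template renders that key and mds/mgr need none.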