From 236d686a6d06899cb9b32a534bcee9c050445287 Mon Sep 17 00:00:00 2001
From: Steve Wilkerson
Date: Thu, 3 Jan 2019 15:50:03 -0600
Subject: [PATCH] Openstack exporter: Add security context for pod/container

This adds a security context to the openstack exporter, which changes the pod's user from root to the nobody user instead

This also adds the container security context to explicitly set allowPrivilegeEscalation to false

Change-Id: Ie3f105ee8b489f7641b5b7256a2023ae35257343
---
 prometheus-openstack-exporter/templates/deployment.yaml | 3 +++
 prometheus-openstack-exporter/values.yaml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/prometheus-openstack-exporter/templates/deployment.yaml b/prometheus-openstack-exporter/templates/deployment.yaml
index 3f16c105e..64a7cc7de 100644
--- a/prometheus-openstack-exporter/templates/deployment.yaml
+++ b/prometheus-openstack-exporter/templates/deployment.yaml
@@ -40,6 +40,7 @@ spec:
 labels:
 {{ tuple $envAll "prometheus-openstack-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "openstack_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 nodeSelector:
 {{ .Values.labels.openstack_exporter.node_selector_key }}: {{ .Values.labels.openstack_exporter.node_selector_value | quote }}
@@ -50,6 +51,8 @@ spec:
 - name: openstack-metrics-exporter
 {{ tuple $envAll "prometheus_openstack_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.prometheus_openstack_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/prometheus-openstack-exporter.sh
 - start
diff --git a/prometheus-openstack-exporter/values.yaml b/prometheus-openstack-exporter/values.yaml
index f1e9d47b9..621cd524b 100644
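Review bot: The pod-level security context added after `spec:` moves the process off root, but the container still runs `/tmp/prometheus-openstack-exporter.sh` (visible in the next hunk) and nothing in this diff shows the mode of the volume that provides that script; a non-root uid needs it readable and executable, so confirm the mount sets a permissive `defaultMode` (for example `0555`) or the pod will fail at start. The rendered output of `helm-toolkit.snippets.kubernetes_pod_security_context` is outside this diff; if it sets only `runAsUser`, adding `runAsNonRoot: true` at pod level would let the kubelet enforce the non-root intent rather than relying on the numeric value alone. The enclosing `spec:` block continues outside the hunk.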
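Review bot: The container `securityContext` in the second hunk is hard-coded in the template while the pod-level context is values-driven, so operators cannot extend it (for instance with `readOnlyRootFilesystem: true` or `capabilities: drop: [ALL]`) without editing the chart. If the exporter only reads its script and configuration and writes nothing locally, `readOnlyRootFilesystem: true` is a low-cost hardening to add alongside `allowPrivilegeEscalation: false`; if it does write under `/tmp`, an `emptyDir` for that path keeps a read-only root workable. The container definition continues outside the hunk.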
--- a/prometheus-openstack-exporter/values.yaml
+++ b/prometheus-openstack-exporter/values.yaml
@@ -38,6 +38,9 @@ labels:
 node_selector_value: enabled
 pod:
+ user:
+ openstack_exporter:
+ uid: 65534
 affinity:
 anti:
 type:
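Review bot: The new `uid: 65534` carries no comment explaining the choice, and values files are the operator-facing documentation for a chart; a comment such as `# unprivileged "nobody" uid for the exporter pod; mounts the exporter reads must be accessible to it` above the key would record the intent the commit message gives. Keep it an unquoted integer: Kubernetes `runAsUser`, which this value presumably feeds, expects a number.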