prometheus-process-exporter: Add pod/container security context

This updates the prometheus-process-exporter chart to include the pod
security context on the pod template. This changes the pod's
user from root to the nobody user.

This also adds the container security context to set
allowPrivilegeEscalation to false and readOnlyRootFilesystem to true

Change-Id: I623227f9f9c878a8e7745f46f2cc77f6904005fb
RAHUL KHIYANI 2019-04-17 13:13:48 -05:00 committed by Matt McEuen
parent 9771b16e87
commit 4999508454
2 changed files with 10 additions and 2 deletions


@ -54,8 +54,7 @@ spec:
{{ dict "envAll" $envAll "podName" "process-exporter" "containerNames" (list "process-exporter") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec:
securityContext:
readOnlyRootFilesystem: true
{{ dict "envAll" $envAll "application" "metrics" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
{{ if .Values.pod.tolerations.process_exporter.enabled }}
{{ tuple $envAll "process_exporter" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
@ -71,6 +70,7 @@ spec:
- name: process-exporter
{{ tuple $envAll "process_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.process_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "metrics" "container" "process_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
args:
- -procnames
- {{ .Values.conf.processes }}
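Review bot: Running process-exporter as uid 65534 with a read-only root filesystem is fine for the exporter's own files, but its data source is /proc, and for processes owned by other users the kernel gates files such as `/proc/<pid>/io` on ptrace access; if the daemonset shares the host PID namespace (that part of the template is outside these hunks), per-process I/O counters may be missing after this change. Worth confirming on a deployed node and, if the gap is accepted, recording it next to the `kubernetes_container_security_context` line, e.g. `# runs as nobody: /proc/<pid>/io of other users' processes is not readable, so I/O counters may be absent`. The pod spec edited here starts above the first hunk and the container list continues past the second.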


@ -37,6 +37,14 @@ labels:
node_selector_value: enabled
pod:
security_context:
metrics:
pod:
runAsUser: 65534
container:
process_exporter:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
affinity:
anti:
type:
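Review bot: The pod block under `security_context.metrics.pod` sets only `runAsUser: 65534`, so the non-root guarantee described in the commit message rests on that single value and is lost as soon as a deployment overrides it; adding `runAsNonRoot: true` beside it makes the kubelet refuse to start the container as uid 0 regardless of overrides or the image's default user. The pod block would then read `pod:` / `runAsUser: 65534` / `runAsNonRoot: true`. The container block could likewise drop all capabilities if the exporter needs none, which reading /proc and serving metrics should not require, but that depends on the listen port configured elsewhere in values. The hunk header declares 14 new-side lines while 13 are visible, so a context line (probably a blank between `node_selector_value` and `pod:`) appears to have been lost in rendering rather than cut.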