From 499950845459f89d7573e1e18b21fc72bf03091b Mon Sep 17 00:00:00 2001
From: RAHUL KHIYANI
Date: Wed, 17 Apr 2019 13:13:48 -0500
Subject: [PATCH] prometheus-process-exporter: Add pod/container security context

This updates the prometheus-process-exporter chart to include the pod security context on the pod template. This changes the pod's user from root to the nobody user instead This also adds the container security context to set allowPrivilegeEscalation to false and readOnlyRootFilesystem to true

Change-Id: I623227f9f9c878a8e7745f46f2cc77f6904005fb
---
 prometheus-process-exporter/templates/daemonset.yaml | 4 ++--
 prometheus-process-exporter/values.yaml | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/prometheus-process-exporter/templates/daemonset.yaml b/prometheus-process-exporter/templates/daemonset.yaml
index f694963e6..9c78681d9 100644
--- a/prometheus-process-exporter/templates/daemonset.yaml
+++ b/prometheus-process-exporter/templates/daemonset.yaml
@@ -54,8 +54,7 @@ spec:
 {{ dict "envAll" $envAll "podName" "process-exporter" "containerNames" (list "process-exporter") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 spec:
- securityContext:
- readOnlyRootFilesystem: true
+{{ dict "envAll" $envAll "application" "metrics" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 {{ if .Values.pod.tolerations.process_exporter.enabled }}
 {{ tuple $envAll "process_exporter" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
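Review bot: Nothing in the new pod security context shows that the exporter keeps read access to the host /proc entries it scraped as root, and that is the real behavioural change of switching the pod to uid 65534. On Linux an unprivileged process can read /proc/&lt;pid&gt;/stat and cmdline of other users' processes but not /proc/&lt;pid&gt;/fd or /proc/&lt;pid&gt;/io, so any metrics process-exporter presumably derives from those (open-fd counts, read/write bytes) may silently go missing for root-owned processes rather than fail loudly; confirm against the exporter's enabled collectors and the DaemonSet's host mounts, both outside this hunk. Whatever the outcome, record it next to the uid in values.yaml, e.g. `# 65534 (nobody): per-process fd/io metrics of other users' processes are not readable without root`. The removed pod-level `readOnlyRootFilesystem` was never a PodSecurityContext field, so the container-level setting added later in this patch is where it takes effect. The pod template's `spec:` block continues outside the hunk.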
@@ -71,6 +70,7 @@ spec:
 - name: process-exporter
 {{ tuple $envAll "process_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.process_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "metrics" "container" "process_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 args:
 - -procnames
 - {{ .Values.conf.processes }}
diff --git a/prometheus-process-exporter/values.yaml b/prometheus-process-exporter/values.yaml
index 3ea73f5c8..a4f10aa86 100644
--- a/prometheus-process-exporter/values.yaml
+++ b/prometheus-process-exporter/values.yaml
@@ -37,6 +37,14 @@ labels:
 node_selector_value: enabled
 
 pod:
+ security_context:
+ metrics:
+ pod:
+ runAsUser: 65534
+ container:
+ process_exporter:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 affinity:
 anti:
 type:
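Review bot: The new `pod:` block under `security_context.metrics` sets `runAsUser: 65534` but not `runAsNonRoot: true`, so a values override that removes or changes `runAsUser` returns the container to root with nothing enforcing the non-root intent stated in the commit message; add `runAsNonRoot: true` beside `runAsUser` so the kubelet rejects a root uid regardless of overrides. The `process_exporter` container block would likewise benefit from `capabilities: {drop: [ALL]}` next to `allowPrivilegeEscalation: false`, provided the exporter needs no capability for the host /proc mounts declared outside this hunk — verify before adding it. A one-line comment above `security_context:` noting that 65534 is the conventional `nobody` uid would also help, since the bare number is otherwise opaque to a reader of values.yaml.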