From 530e765815837ec56a67fc3024fe5576d08e2a00 Mon Sep 17 00:00:00 2001
From: Steve Wilkerson
Date: Thu, 3 Jan 2019 15:26:44 -0600
Subject: [PATCH] Mariadb: Add security context for mysql exporter pod/container

This adds a security context to the mysql prometheus exporter pod, which changes the user from root to the nobody user (uid 99 here) instead

This also adds the container security context to explicitly set allowPrivilegeEscalation to false

Change-Id: I5ddebb059e3c31c231fdc4c24190a65f23e37785
---
 .../templates/monitoring/prometheus/exporter-deployment.yaml | 3 +++
 mariadb/values.yaml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/mariadb/templates/monitoring/prometheus/exporter-deployment.yaml b/mariadb/templates/monitoring/prometheus/exporter-deployment.yaml
index 00b3f6ecc..05bf2a9f0 100644
--- a/mariadb/templates/monitoring/prometheus/exporter-deployment.yaml
+++ b/mariadb/templates/monitoring/prometheus/exporter-deployment.yaml
@@ -38,6 +38,7 @@ spec:
 {{ tuple $envAll "prometheus_mysql_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 namespace: {{ .Values.endpoints.prometheus_mysql_exporter.namespace }}
 spec:
+{{ dict "envAll" $envAll "application" "mysql_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 shareProcessNamespace: true
 serviceAccountName: {{ $serviceAccountName }}
 nodeSelector:
@@ -49,6 +50,8 @@ spec:
 - name: mysql-exporter
 {{ tuple $envAll "prometheus_mysql_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.prometheus_mysql_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/mysqld-exporter.sh
 - start
diff --git a/mariadb/values.yaml b/mariadb/values.yaml
index 62051ca68..1bd894335 100644
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
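Review bot: The pod-level context on the added `{{ dict "envAll" $envAll "application" "mysql_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" ... }}` line is delegated entirely to the helm-toolkit snippet, so whether the exporter pod also receives runAsNonRoot, runAsGroup or fsGroup depends on what that snippet emits, and nothing in this hunk shows it. If the snippet only renders runAsUser from the values entry, a later override of `pod.user.mysql_exporter.uid` to 0 would quietly run the exporter as root again with nothing in the template objecting; it is worth confirming the snippet's output, or adding `runAsNonRoot: true` to it, before treating this as the exporter's privilege floor. The enclosing pod template block starts and ends outside this hunk.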
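Review bot: The container-level `securityContext:` / `allowPrivilegeEscalation: false` block added in the second hunk is hard-coded in the template while the pod-level context a few lines up is values-driven, so operators cannot extend it (for example with `readOnlyRootFilesystem` or a `capabilities.drop` list) without patching the chart. If helm-toolkit already offers a container-level counterpart to the pod security context snippet, using it here with a values entry alongside `pod.user` would keep the two halves consistent; otherwise a comment above the block, `# container-level hardening; the pod-level runAsUser comes from pod.user.mysql_exporter.uid`, would at least tie them together for the next reader. The mysql-exporter container definition continues outside this hunk.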
@@ -51,6 +51,9 @@ labels:
 node_selector_value: enabled
 pod:
+ user:
+ mysql_exporter:
+ uid: 99
 affinity:
 anti:
 type:
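Review bot: `uid: 99` lands in the operator-facing values file as a bare number with nothing saying what it is; the commit message explains it is the nobody user of the exporter image, but that knowledge does not survive into the chart. A comment above the key, `# uid of the "nobody" account in the prometheus_mysql_exporter image; revisit if the image changes, since other bases use a different uid for nobody`, would record the dependency where the value is actually edited. I am assuming this key is what the pod security context snippet in the exporter deployment template reads, which this hunk does not show.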