Postgresql-exporter: Add security context for pod/container

This adds a security context to the postgresql exporter, which changes the pod's user from root to the nobody user instead This also adds the container security context to set allowPrivilegeEscalation to false and readOnlyRootFilesystem to true Change-Id: Ibe49f77ed2d0a588b5abe175318edd1c82a57cca
2019-03-25 00:23:59 -04:00 · 2019-03-25 00:23:59 -04:00 · 7aaae02f1d
parent d27e548f8f
commit 7aaae02f1d
2 changed files with 10 additions and 0 deletions
--- a/postgresql/templates/monitoring/prometheus/exporter-deployment.yaml
+++ b/postgresql/templates/monitoring/prometheus/exporter-deployment.yaml
@ -35,6 +35,7 @@ spec:
 {{ tuple $envAll "prometheus_postgresql_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
      namespace: {{ .Values.endpoints.prometheus_postgresql_exporter.namespace }}
    spec:
+{{ dict "envAll" $envAll "application" "prometheus_postgresql_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
      nodeSelector:
        {{ .Values.labels.prometheus_postgresql_exporter.node_selector_key }}: {{ .Values.labels.prometheus_postgresql_exporter.node_selector_value }}
@ -45,6 +46,7 @@ spec:
        - name: postgresql-exporter
 {{ tuple $envAll "prometheus_postgresql_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.prometheus_postgresql_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "prometheus_postgresql_exporter" "container" "postgresql_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          ports:
            - name: metrics
              containerPort: {{ tuple "prometheus_postgresql_exporter" "internal" "metrics" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
--- a/postgresql/values.yaml
+++ b/postgresql/values.yaml
@ -20,10 +20,18 @@ release_group: null

 pod:
  security_context:
+    prometheus_postgresql_exporter:
+      pod:
+        runAsUser: 65534
+      container:
+        postgresql_exporter:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
    server:
      container:
        set-volume-perms:
          runAsUser: 0
+          readOnlyRootFilesystem: true
      pod:
        allowPrivilegeEscalation: false
        runAsUser: 999