From 7aaae02f1db99691dede208ff2f33f3bc3629cd1 Mon Sep 17 00:00:00 2001
From: Rahul Khiyani
Date: Mon, 25 Mar 2019 00:23:59 -0400
Subject: [PATCH] Postgresql-exporter: Add security context for pod/container

This adds a security context to the postgresql exporter, which changes the pod's user from root to the nobody user instead

This also adds the container security context to set allowPrivilegeEscalation to false and readOnlyRootFilesystem to true

Change-Id: Ibe49f77ed2d0a588b5abe175318edd1c82a57cca
---
 .../monitoring/prometheus/exporter-deployment.yaml | 2 ++
 postgresql/values.yaml | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/postgresql/templates/monitoring/prometheus/exporter-deployment.yaml b/postgresql/templates/monitoring/prometheus/exporter-deployment.yaml
index 506edf7a7..ce82f258a 100644
--- a/postgresql/templates/monitoring/prometheus/exporter-deployment.yaml
+++ b/postgresql/templates/monitoring/prometheus/exporter-deployment.yaml
@@ -35,6 +35,7 @@ spec:
 {{ tuple $envAll "prometheus_postgresql_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 namespace: {{ .Values.endpoints.prometheus_postgresql_exporter.namespace }}
 spec:
+{{ dict "envAll" $envAll "application" "prometheus_postgresql_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 nodeSelector:
 {{ .Values.labels.prometheus_postgresql_exporter.node_selector_key }}: {{ .Values.labels.prometheus_postgresql_exporter.node_selector_value }}
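Review bot: The pod-level context this snippet renders is driven only by `runAsUser: 65534` in the values hunk below, with no `runAsNonRoot: true`, so the kubelet will not refuse a root UID if that number is later overridden or dropped; pair them in values.yaml as `runAsUser: 65534` / `runAsNonRoot: true`, and consider `runAsGroup: 65534` so the primary GID is not left to the image's default (which may be 0). What actually reaches the manifest depends on helm-toolkit's `kubernetes_pod_security_context` helper, which is outside this diff, so confirm it passes these keys through rather than whitelisting a fixed set. The deployment's `spec:` block begun here continues past the end of the hunk.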
@@ -45,6 +46,7 @@ spec:
 - name: postgresql-exporter
 {{ tuple $envAll "prometheus_postgresql_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.prometheus_postgresql_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "prometheus_postgresql_exporter" "container" "postgresql_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 ports:
 - name: metrics
 containerPort: {{ tuple "prometheus_postgresql_exporter" "internal" "metrics" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
diff --git a/postgresql/values.yaml b/postgresql/values.yaml
index 76b05514c..91a8ff4ed 100644
--- a/postgresql/values.yaml
+++ b/postgresql/values.yaml
@@ -20,10 +20,18 @@ release_group: null
 pod:
 security_context:
+prometheus_postgresql_exporter:
+pod:
+runAsUser: 65534
+container:
+postgresql_exporter:
+readOnlyRootFilesystem: true
+allowPrivilegeEscalation: false
 server:
 container:
 set-volume-perms:
 runAsUser: 0
+readOnlyRootFilesystem: true
 pod:
 allowPrivilegeEscalation: false
 runAsUser: 999
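Review bot: The container context added here carries only `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` (per the values hunk); nothing drops Linux capabilities, so adding `capabilities: {drop: ["ALL"]}` under `postgresql_exporter` in values.yaml would complete the hardening, assuming the `kubernetes_container_security_context` helper (outside this diff) passes the map through unchanged. A read-only root filesystem also means any path the exporter writes at runtime (for example `/tmp`) must be backed by an `emptyDir` mount, and the container's `volumeMounts` are not in this hunk, so verify the exporter starts cleanly with the setting rather than assuming it. The `postgresql-exporter` container entry begun in this hunk continues past its last line.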