Limit Ceph OSD Container Security Contexts

Wherever possible, the ceph-osd containers need to run with the
least amount of privilege required. In some cases there are
privileges granted but are not needed. This patchset modifies
those container's security contexts to reduce them to only what
is needed.

Change-Id: I0d6633efae7452fee4ce98d3e7088a55123f0a78

ceph-osd/Chart.yaml

@@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Ceph OSD
 name: ceph-osd
-version: 0.1.26
+version: 0.1.27
 home: https://github.com/ceph/ceph
 ...

ceph-osd/values.yaml

@@ -56,9 +56,11 @@ pod:
       container:
         ceph_init_dirs:
           runAsUser: 0
+          allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
         ceph_log_ownership:
           runAsUser: 0
+          allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
         osd_init:
           runAsUser: 0
@@ -69,7 +71,8 @@ pod:
           privileged: true
           readOnlyRootFilesystem: true
         log_runner:
-          runAsUser: 0
+          runAsUser: 65534
+          allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
     bootstrap:
       pod:

releasenotes/notes/ceph-osd.yaml

@@ -27,4 +27,5 @@ ceph-osd:
   - 0.1.24 Ceph OSD Init Improvements
   - 0.1.25 Export crash dumps when Ceph daemons crash
   - 0.1.26 Mount /var/crash inside ceph-osd pods
+  - 0.1.27 Limit Ceph OSD Container Security Contexts
 ...