From f742ebd6ae59d757d3bbf4a759e4718a3ef3c7ec Mon Sep 17 00:00:00 2001
From: "DODDA, PRATEEK REDDY (PD2839)"
Date: Thu, 2 Jul 2020 12:35:36 -0500
Subject: [PATCH] Add missing security context to Neutron pods/containers

This updates the Neutron chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to true

Change-Id: I50ccec785eb3b18d6c00df2ad5f566a72db4604d
---
 neutron/templates/daemonset-l2gw-agent.yaml | 3 +--
 neutron/values.yaml                         | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/neutron/templates/daemonset-l2gw-agent.yaml b/neutron/templates/daemonset-l2gw-agent.yaml
index c07fb43ca8..f564bab910 100644
--- a/neutron/templates/daemonset-l2gw-agent.yaml
+++ b/neutron/templates/daemonset-l2gw-agent.yaml
@@ -95,8 +95,7 @@ spec:
         - name: neutron-l2gw-agent
 {{ tuple $envAll "neutron_l2gw" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.l2gw | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
-            privileged: true
+{{ dict "envAll" $envAll "application" "neutron_l2gw_agent" "container" "neutron_l2gw_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           env:
             - name: RPC_PROBE_TIMEOUT
               value: "{{ .Values.pod.probes.rpc_timeout }}"
diff --git a/neutron/values.yaml b/neutron/values.yaml
index 730d55d094..fbb0bdfc29 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -451,6 +451,10 @@ pod:
     neutron_l2gw_agent:
       pod:
         runAsUser: 42424
+      container:
+        neutron_l2gw_agent:
+          readOnlyRootFilesystem: true
+          privileged: true
     neutron_bagpipe_bgp:
       pod:
         runAsUser: 42424
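Review bot: The hard-coded `privileged: true` on the removed lines is now sourced entirely from `pod.security_context.neutron_l2gw_agent.container.neutron_l2gw_agent`, so a site override that replaces the `neutron_l2gw_agent` map without the `container` subkey would presumably render the container with no `securityContext` at all, silently dropping the privilege the agent was given before; this is inferred from how the toolkit snippet is keyed and should be confirmed. The commit message also describes adding the pod security context to the pod template, but this hunk only touches the container-level snippet; if the `kubernetes_pod_security_context` include is not already present on the pod spec outside this hunk, the description overstates the change. A template comment above the include line such as `# container securityContext (privileged, readOnlyRootFilesystem) comes from values.yaml pod.security_context.neutron_l2gw_agent.container` would make the coupling visible to whoever edits the values. The enclosing container spec starts and ends outside the hunk.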
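Review bot: In the values.yaml hunk `readOnlyRootFilesystem: true` is paired with `privileged: true` on the same container, and a privileged container retains host device and capability access regardless of the read-only root filesystem, so the hardening gained here is narrower than the commit title suggests; a comment recording why this agent still needs privilege would stop a later reviewer from assuming the flag is a leftover, e.g. `privileged: true  # TODO(review): document which host access the l2gw agent requires; readOnlyRootFilesystem adds little while privileged`. Separately, a read-only root filesystem fails any write the agent makes to image paths (logs, pid or lock files) unless a writable volume is mounted there; the daemonset's volume mounts are not in this diff, so please confirm they cover every path the agent writes.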