Kube-State-Metrics: Add pod/container security context

This updates the kube-state-metrics chart to include the pod security context on the pod template. This changes the pod's user from root to the nobody user instead This also adds the container security context to explicitly set allowPrivilegeEscalation to false Change-Id: I17748b299a6e7a394cae63a0e713c49fbf68b4eb
2019-01-03 12:49:41 -06:00
parent 8dba8cb648
commit 4d50e6fa7a
2 changed files with 6 additions and 0 deletions
--- a/prometheus-kube-state-metrics/templates/deployment.yaml
+++ b/prometheus-kube-state-metrics/templates/deployment.yaml
@@ -108,6 +108,7 @@ spec:
      labels:
 {{ tuple $envAll "kube-state-metrics" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+{{ dict "envAll" $envAll "application" "kube_state_metrics" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
      nodeSelector:
        {{ .Values.labels.kube_state_metrics.node_selector_key }}: {{ .Values.labels.kube_state_metrics.node_selector_value | quote }}
@@ -118,6 +119,8 @@ spec:
        - name: kube-state-metrics
 {{ tuple $envAll "kube_state_metrics" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.kube_state_metrics | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            allowPrivilegeEscalation: false
          command:
            - /tmp/kube-state-metrics.sh
          ports:
--- a/prometheus-kube-state-metrics/values.yaml
+++ b/prometheus-kube-state-metrics/values.yaml
@@ -37,6 +37,9 @@ labels:
    node_selector_value: enabled

 pod:
+  user:
+    kube_state_metrics:
+      uid: 65534
  affinity:
    anti:
      type: