prometheus-openstack-exporter: Add container security context

This adds the container security context to set readOnlyRootFilesystem to true and allowPrivilegeEscalation to false Change-Id: I7b2f78b51b6ff219c371893f975a30fd89f1719b
hossein-alit · Mar 20, 2019 · 518794c · 518794c
1 parent e97faaa
commit 518794c
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 6 deletions.
diff --git a/prometheus-openstack-exporter/templates/deployment.yaml b/prometheus-openstack-exporter/templates/deployment.yaml
@@ -42,8 +42,6 @@ spec:
  annotations:
 {{ dict "envAll" $envAll "podName" "prometheus-openstack-exporter" "containerNames" (list "openstack-metrics-exporter") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
  spec:
- securityContext:
- readOnlyRootFilesystem: true
 {{ dict "envAll" $envAll "application" "openstack_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
  serviceAccountName: {{ $serviceAccountName }}
  nodeSelector:
@@ -55,8 +53,7 @@ spec:
  - name: openstack-metrics-exporter
 {{ tuple $envAll "prometheus_openstack_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.prometheus_openstack_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- allowPrivilegeEscalation: false
+{{ dict "envAll" $envAll "application" "openstack_exporter" "container" "openstack_metrics_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
  command:
  - /tmp/prometheus-openstack-exporter.sh
  - start

diff --git a/prometheus-openstack-exporter/values.yaml b/prometheus-openstack-exporter/values.yaml
@@ -42,9 +42,14 @@ pod:
  type: apparmor
  openstack-metrics-exporter:
  openstack-metrics-exporter: localhost/docker-default
- user:
+ security_context:
  openstack_exporter:
- uid: 65534
+ pod:
+ runAsUser: 65534
+ container:
+ openstack_metrics_exporter:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
  affinity:
  anti:
  type: