From 0679ed49bd92d90e0774d3f500e1a3dd3c59ec2f Mon Sep 17 00:00:00 2001
From: Steve Wilkerson
Date: Thu, 3 Jan 2019 14:32:59 -0600
Subject: [PATCH] Elasticsearch: Add security context for exporter pod/container

This adds the security context snippet for the elasticsearch prometheus exporter pod. This changes the pod's user from root to the nobody user instead This also adds the container security context to explicitly set allowPrivilegeEscalation to false

Change-Id: If692fccaf4dd362b28fecb4656036289a3a97122
---
 .../templates/monitoring/prometheus/exporter-deployment.yaml | 3 +++
 elasticsearch/values.yaml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml b/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml
index c53c748b4..198aabf79 100644
--- a/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml
+++ b/elasticsearch/templates/monitoring/prometheus/exporter-deployment.yaml
@@ -39,6 +39,7 @@ spec:
 labels:
 {{ tuple $envAll "elasticsearch" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "elasticsearch_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 nodeSelector:
 {{ .Values.labels.elasticsearch.node_selector_key }}: {{ .Values.labels.elasticsearch.node_selector_value | quote }}
@@ -49,6 +50,8 @@ spec:
 - name: elasticsearch-exporter
 {{ tuple $envAll "prometheus_elasticsearch_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/elasticsearch-exporter.sh
 - start
diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
index cfcd75472..ab323d781 100644
--- a/elasticsearch/values.yaml
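Review bot: The container securityContext added in the second hunk of exporter-deployment.yaml sets only `allowPrivilegeEscalation: false` and does not assert that the container runs non-root; the non-root guarantee then rests entirely on the pod-level snippet from the first hunk resolving `.Values.pod.user.elasticsearch_exporter.uid` to a non-zero value, which an operator override can set to 0 without any error at deploy time. Adding `runAsNonRoot: true` next to it makes the kubelet refuse to start the container whenever the effective uid is 0: `securityContext:` / `allowPrivilegeEscalation: false` / `runAsNonRoot: true`. This presumes the helm-toolkit pod security context snippet does not already emit runAsNonRoot; if it does, the container-level field is redundant but harmless. The container spec continues outside the hunk.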
+++ b/elasticsearch/values.yaml
@@ -98,6 +98,9 @@ dependencies:
 service: elasticsearch
 pod:
+ user:
+ elasticsearch_exporter:
+ uid: 99
 affinity:
 anti:
 type:
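Review bot: `uid: 99` under `pod.user.elasticsearch_exporter` carries no comment explaining why 99 was chosen; the commit message calls it the nobody user, but 99 is `nobody` only on RHEL/CentOS-lineage images, while Debian, Ubuntu and Alpine images use 65534, so the name and the number can silently diverge if the exporter image's base changes. Whether the id matches the image actually deployed cannot be told from this hunk — confirm it against the image's /etc/passwd before relying on the "nobody" description. A one-line comment above the key would stop the next reader from "correcting" it: `# 99 is "nobody" on CentOS-based images; change if the exporter image uses another base`. The value is a plain integer, which is what runAsUser expects, so it should stay unquoted.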