openstack/openstack-helm-infra
Code Issues Proposed changes

prometheus-process-exporter: Add pod/container security context

Browse Source 
This updates the prometheus-process-exporter chart to include the pod
security context on the pod template. This changes the pod's
user from root to the nobody user instead

This also adds the container security context to set
allowPrivilegeEscalation to false and readOnlyRootFilesystem to true

Change-Id: I623227f9f9c878a8e7745f46f2cc77f6904005fb
This commit is contained in:
RAHUL KHIYANI 2019-04-17 13:13:48 -05:00 committed by Matt McEuen
parent 9771b16e87
commit 4999508454
2 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
prometheus-process-exporter/templates/daemonset.yaml
View File

@ -54,8 +54,7 @@ spec:
{{ dict "envAll" $envAll "podName" "process-exporter" "containerNames" (list "process-exporter") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
spec:
securityContext:
readOnlyRootFilesystem: true
{{ dict "envAll" $envAll "application" "metrics" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
{{ if .Values.pod.tolerations.process_exporter.enabled }}
{{ tuple $envAll "process_exporter" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
@ -71,6 +70,7 @@ spec:
- name: process-exporter
{{ tuple $envAll "process_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.process_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "metrics" "container" "process_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
args:
- -procnames
- {{ .Values.conf.processes }}

8
prometheus-process-exporter/values.yaml
View File

@ -37,6 +37,14 @@ labels:
node_selector_value: enabled
pod:
security_context:
metrics:
pod:
runAsUser: 65534
container:
process_exporter:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
affinity:
anti:
type: