From 96a3cf2f6ec58434dce2aef2f711fce01b98adaf Mon Sep 17 00:00:00 2001
From: Steve Wilkerson
Date: Thu, 3 Jan 2019 15:02:35 -0600
Subject: [PATCH] Memcached: Add security context for exporter pod/container

This adds the security context to the memcached prometheus exporter pod, which changes the default user from root to the nobody user instead

This also adds the container security context to explicitly set allowPrivilegeEscalation to false

Change-Id: I3401c1a67f17cef49a478be98f9ab42691b84d66
---
 .../templates/monitoring/prometheus/exporter-deployment.yaml | 3 +++
 memcached/values.yaml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/memcached/templates/monitoring/prometheus/exporter-deployment.yaml b/memcached/templates/monitoring/prometheus/exporter-deployment.yaml
index 8a477d94e..33fda3965 100644
--- a/memcached/templates/monitoring/prometheus/exporter-deployment.yaml
+++ b/memcached/templates/monitoring/prometheus/exporter-deployment.yaml
@@ -40,6 +40,7 @@ spec:
 {{ tuple $envAll "prometheus_memcached_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 namespace: {{ .Values.endpoints.prometheus_memcached_exporter.namespace }}
 spec:
+{{ dict "envAll" $envAll "application" "memcached_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 shareProcessNamespace: true
 serviceAccountName: {{ $rcControllerName | quote }}
 nodeSelector:
@@ -52,6 +53,8 @@ spec:
 image: {{ .Values.images.tags.prometheus_memcached_exporter }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.prometheus_memcached_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/memcached-exporter.sh
 - start
diff --git a/memcached/values.yaml b/memcached/values.yaml
index 9ca41237b..3ff5bfe3e 100644
--- a/memcached/values.yaml
+++ b/memcached/values.yaml
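Review bot: The pod-level security context inserted just before `shareProcessNamespace` rests entirely on the uid in `pod.user.memcached_exporter.uid`; as far as I can tell the helm-toolkit snippet emits only `runAsUser`, so an operator override that removes or zeroes that value puts the exporter back on root with nothing enforcing the intent stated in the commit message. Adding `runAsNonRoot: true` to the rendered pod securityContext (or at the container level in the second hunk) makes the kubelet refuse to start the container whenever the effective uid resolves to 0. The snippet body lives in helm-toolkit, outside this patch, so what it actually renders should be confirmed there. The commit message equates uid 65534 with `nobody`; that mapping depends on the exporter image, so a comment beside the value in values.yaml, e.g. `# unprivileged uid ("nobody" in the exporter image); must stay non-zero`, would document the assumption for the next person who edits it.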
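Review bot: The container securityContext added after the resources snippet stops at `allowPrivilegeEscalation: false`; the exporter is a plain metrics endpoint and should not need any Linux capabilities, so the same block can also drop them and assert the non-root user, e.g. `runAsNonRoot: true` and `capabilities: {drop: [ALL]}`. Together with the pod-level uid from the first hunk, this gives the kubelet a condition to enforce rather than a value it merely applies. `readOnlyRootFilesystem: true` is likely viable as well, given the entrypoint is `/tmp/memcached-exporter.sh` (presumably a mounted script), but the image's write paths should be checked before enabling it.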
@@ -144,6 +144,9 @@ manifests:
 service_exporter: true
 pod:
+ user:
+ memcached_exporter:
+ uid: 65534
 affinity:
 anti:
 topologyKey: