From 5b513d333f646da06a79e4fe7a7d6d68088d31b1 Mon Sep 17 00:00:00 2001
From: Rahul Khiyani
Date: Tue, 26 Feb 2019 08:39:44 -0500
Subject: [PATCH] readOnlyRootFilesystem: true for Prometheus exporters charts Fix for adding readOnlyRootFilesystem flag at pod level
Change-Id: I3d81f9dca7e1bce0134a39a96b96ef7712d28d84
---
 prometheus-alertmanager/templates/statefulset.yaml | 2 ++
 prometheus-kube-state-metrics/templates/deployment.yaml | 2 ++
 prometheus-node-exporter/templates/daemonset.yaml | 2 ++
 prometheus-openstack-exporter/templates/deployment.yaml | 2 ++
 prometheus-process-exporter/templates/daemonset.yaml | 2 ++
 5 files changed, 10 insertions(+)
diff --git a/prometheus-alertmanager/templates/statefulset.yaml b/prometheus-alertmanager/templates/statefulset.yaml
index 6c968eb8c..4f5a6d129 100644
--- a/prometheus-alertmanager/templates/statefulset.yaml
+++ b/prometheus-alertmanager/templates/statefulset.yaml
@@ -45,6 +45,8 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+ securityContext:
+ readOnlyRootFilesystem: true
 {{ dict "envAll" $envAll "application" "alertmanager" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
diff --git a/prometheus-kube-state-metrics/templates/deployment.yaml b/prometheus-kube-state-metrics/templates/deployment.yaml
index cbdf68550..fd0835483 100644
--- a/prometheus-kube-state-metrics/templates/deployment.yaml
+++ b/prometheus-kube-state-metrics/templates/deployment.yaml
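Review bot: `readOnlyRootFilesystem` is a field of the container-level `securityContext`, not of the pod-level `PodSecurityContext`, so the two lines added under the pod `spec:` in this hunk do not make any container's root filesystem read-only; depending on validation settings the manifest is either rejected or the unknown field is dropped. The identical additions in the kube-state-metrics, node-exporter, openstack-exporter and process-exporter templates have the same problem. The setting belongs on each entry under `containers:` (outside these hunks), as `securityContext:` with `readOnlyRootFilesystem: true` nested beneath it, ideally driven from chart values rather than hard-coded. Once it actually takes effect, any path a container writes to needs a writable volume mount such as an `emptyDir`, so each exporter should be checked after the move.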
@@ -108,6 +108,8 @@ spec:
 labels:
 {{ tuple $envAll "kube-state-metrics" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ securityContext:
+ readOnlyRootFilesystem: true
 {{ dict "envAll" $envAll "application" "kube_state_metrics" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 nodeSelector:
diff --git a/prometheus-node-exporter/templates/daemonset.yaml b/prometheus-node-exporter/templates/daemonset.yaml
index 73aaeabbf..b659ad775 100644
--- a/prometheus-node-exporter/templates/daemonset.yaml
+++ b/prometheus-node-exporter/templates/daemonset.yaml
@@ -53,6 +53,8 @@ spec:
 {{ tuple $envAll "node_exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 namespace: {{ .Values.endpoints.node_metrics.namespace }}
 spec:
+ securityContext:
+ readOnlyRootFilesystem: true
 serviceAccountName: {{ $serviceAccountName }}
 {{ if .Values.pod.tolerations.node_exporter.enabled }}
 {{ tuple $envAll "node_exporter" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
diff --git a/prometheus-openstack-exporter/templates/deployment.yaml b/prometheus-openstack-exporter/templates/deployment.yaml
index 64a7cc7de..dc5bb8d85 100644
--- a/prometheus-openstack-exporter/templates/deployment.yaml
+++ b/prometheus-openstack-exporter/templates/deployment.yaml
@@ -40,6 +40,8 @@ spec:
 labels:
 {{ tuple $envAll "prometheus-openstack-exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ securityContext:
+ readOnlyRootFilesystem: true
 {{ dict "envAll" $envAll "application" "openstack_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 nodeSelector:
diff --git a/prometheus-process-exporter/templates/daemonset.yaml b/prometheus-process-exporter/templates/daemonset.yaml
index d1132fc10..72d3f2b90 100644
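Review bot: The added `securityContext:` key sits directly above the `helm-toolkit.snippets.kubernetes_pod_security_context` include in this pod `spec:`, and if that snippet renders its own `securityContext:` mapping (its name suggests so, though its body is not visible here) the rendered pod spec will contain the key twice. Duplicate mapping keys are invalid YAML and most parsers silently keep the last one, which would discard the block added here without any error. The alertmanager and openstack-exporter hunks have the same layout. Expressing the setting through the values consumed by the existing snippet, or in a container-level context, avoids the clash and keeps the hardening visible in one place.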
--- a/prometheus-process-exporter/templates/daemonset.yaml
+++ b/prometheus-process-exporter/templates/daemonset.yaml
@@ -51,6 +51,8 @@ spec:
 labels:
 {{ tuple $envAll "process_exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ securityContext:
+ readOnlyRootFilesystem: true
 serviceAccountName: {{ $serviceAccountName }}
 {{ if .Values.pod.tolerations.process_exporter.enabled }}
 {{ tuple $envAll "process_exporter" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}