Alertmanager: Add security context for pod/container

This adds the security context snipper to the alertmanager pod. This changes the default user from root to the nobody user instead This also adds the container security context to explicitly set allowPrivilegeEscalation to false Change-Id: Ie4423c57e871a03ab4baea346ac777c9f2ca3e2e
2019-01-03 14:51:44 -06:00 · 2019-01-03 14:51:44 -06:00 · 72e231c5c1
commit 72e231c5c1
parent 3819986398
2 changed files with 6 additions and 0 deletions
--- a/prometheus-alertmanager/templates/statefulset.yaml
+++ b/prometheus-alertmanager/templates/statefulset.yaml
@ -45,6 +45,7 @@ spec:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
+{{ dict "envAll" $envAll "application" "alertmanager" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
      affinity:
 {{ tuple $envAll "alertmanager" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@ -70,6 +71,8 @@ spec:
        - name: alertmanager
 {{ tuple $envAll "alertmanager" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.alertmanager | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            allowPrivilegeEscalation: false
          command:
            - /tmp/alertmanager.sh
            - start
--- a/prometheus-alertmanager/values.yaml
+++ b/prometheus-alertmanager/values.yaml
@ -38,6 +38,9 @@ labels:
    node_selector_value: enabled

 pod:
+  user:
+    alertmanager:
+      uid: 65534
  affinity:
    anti:
      type: