From 72e231c5c16f797032e27832d4054dc6390f7dab Mon Sep 17 00:00:00 2001
From: Steve Wilkerson
Date: Thu, 3 Jan 2019 14:51:44 -0600
Subject: [PATCH] Alertmanager: Add security context for pod/container

This adds the security context snipper to the alertmanager pod. This changes the default user from root to the nobody user instead

This also adds the container security context to explicitly set allowPrivilegeEscalation to false

Change-Id: Ie4423c57e871a03ab4baea346ac777c9f2ca3e2e
---
 prometheus-alertmanager/templates/statefulset.yaml | 3 +++
 prometheus-alertmanager/values.yaml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/prometheus-alertmanager/templates/statefulset.yaml b/prometheus-alertmanager/templates/statefulset.yaml
index 3e8a0015b..29860f74e 100644
--- a/prometheus-alertmanager/templates/statefulset.yaml
+++ b/prometheus-alertmanager/templates/statefulset.yaml
@@ -45,6 +45,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+{{ dict "envAll" $envAll "application" "alertmanager" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
 {{ tuple $envAll "alertmanager" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@@ -70,6 +71,8 @@ spec:
 - name: alertmanager
 {{ tuple $envAll "alertmanager" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.alertmanager | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/alertmanager.sh
 - start
diff --git a/prometheus-alertmanager/values.yaml b/prometheus-alertmanager/values.yaml
index b5ef49819..355519c7e 100644
--- a/prometheus-alertmanager/values.yaml
+++ b/prometheus-alertmanager/values.yaml
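Review bot: The pod-level snippet added on the `{{ dict "envAll" $envAll "application" "alertmanager" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}` line is, as far as this patch shows, driven only by the new `pod.user.alertmanager.uid` value, so the pod appears to gain `runAsUser` and nothing else; in particular no `fsGroup` is visible. If alertmanager's silences and notification log live on a persistent volume, data written while the container still ran as root will be unwritable by uid 65534 after an upgrade, and a freshly provisioned volume may be root-owned depending on the storage class. It would be worth confirming whether the snippet also renders `fsGroup` (it is not shown here), or otherwise noting the ownership migration step in the commit message. The enclosing pod `spec:` mapping starts before this hunk and its volume mounts are not visible.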
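Review bot: The container `securityContext` inserted after the resources snippet pins only `allowPrivilegeEscalation: false`, so nothing in the change asserts non-root at the container level; an operator who overrides `pod.user.alertmanager.uid` to 0 still gets a root process with no kubelet-side refusal. Adding `runAsNonRoot: true` next to it turns the intent stated in the commit message into an enforced check, and `capabilities: {drop: [ALL]}` is a cheap companion unless the image is known to need one. `readOnlyRootFilesystem: true` would be the natural next step, but the `/tmp/alertmanager.sh` entrypoint suggests writable scratch paths, so that needs a look at the volume mounts, which are outside this hunk.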
@@ -38,6 +38,9 @@ labels:
 node_selector_value: enabled
 pod:
+ user:
+ alertmanager:
+ uid: 65534
 affinity:
 anti:
 type: