Postgresql-exporter: Add security context for pod/container

This adds a security context to the postgresql exporter, which
changes the pod's user from root to the nobody user instead

This also adds the container security context to set
allowPrivilegeEscalation to false and readOnlyRootFilesystem to true

Change-Id: Ibe49f77ed2d0a588b5abe175318edd1c82a57cca

postgresql/templates/monitoring/prometheus/exporter-deployment.yaml

@@ -35,6 +35,7 @@ spec:
 {{ tuple $envAll "prometheus_postgresql_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
       namespace: {{ .Values.endpoints.prometheus_postgresql_exporter.namespace }}
     spec:
+{{ dict "envAll" $envAll "application" "prometheus_postgresql_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
       nodeSelector:
         {{ .Values.labels.prometheus_postgresql_exporter.node_selector_key }}: {{ .Values.labels.prometheus_postgresql_exporter.node_selector_value }}
@@ -45,6 +46,7 @@ spec:
         - name: postgresql-exporter
 {{ tuple $envAll "prometheus_postgresql_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.prometheus_postgresql_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "prometheus_postgresql_exporter" "container" "postgresql_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           ports:
             - name: metrics
               containerPort: {{ tuple "prometheus_postgresql_exporter" "internal" "metrics" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}

postgresql/values.yaml

@@ -20,10 +20,18 @@ release_group: null
 
 pod:
   security_context:
+    prometheus_postgresql_exporter:
+      pod:
+        runAsUser: 65534
+      container:
+        postgresql_exporter:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
     server:
       container:
         set-volume-perms:
           runAsUser: 0
+          readOnlyRootFilesystem: true
       pod:
         allowPrivilegeEscalation: false
         runAsUser: 999