Add missing security context to promethues and postgresql pods/containers

This updates the chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to true Change-Id: Icb7a9de4d98bac1f0bcf6181b6e88695f4b09709
2020-07-07 16:12:32 -05:00 · 2020-07-07 16:12:32 -05:00 · b400a6c41d
commit b400a6c41d
parent 824f168efc
4 changed files with 18 additions and 0 deletions
--- a/postgresql/templates/monitoring/prometheus/exporter-job-create-user.yaml
+++ b/postgresql/templates/monitoring/prometheus/exporter-job-create-user.yaml
@ -31,6 +31,7 @@ spec:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "prometheus-postgresql-exporter-create-user" "containerNames" (list "prometheus-postgresql-exporter-create-user" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
+{{ dict "envAll" $envAll "application" "create_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
@ -41,6 +42,7 @@ spec:
        - name: prometheus-postgresql-exporter-create-user
 {{ tuple $envAll "prometheus_postgresql_exporter_create_user" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.prometheus_postgresql_exporter_create_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "create_user" "container" "prometheus_postgresql_exporter_create_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/create-postgresql-exporter-user.sh
          env:
--- a/postgresql/values.yaml
+++ b/postgresql/values.yaml
@ -57,6 +57,13 @@ pod:
          runAsUser: 65534
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
+    create_user:
+      pod:
+        runAsUser: 65534
+      container:
+        prometheus_postgresql_exporter_create_user:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
  affinity:
    anti:
      type:
--- a/prometheus/templates/pod-helm-tests.yaml
+++ b/prometheus/templates/pod-helm-tests.yaml
@ -29,6 +29,7 @@ metadata:
 {{ dict "envAll" $envAll "podName" "prometheus-test" "containerNames" (list "init" "prometheus-helm-tests") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
    "helm.sh/hook": test-success
 spec:
+{{ dict "envAll" $envAll "application" "test" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
  serviceAccountName: {{ $serviceAccountName }}
  nodeSelector:
    {{ .Values.labels.test.node_selector_key }}: {{ .Values.labels.test.node_selector_value }}
@ -39,6 +40,7 @@ spec:
    - name: prometheus-helm-tests
 {{ tuple $envAll "helm_tests" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "test" "container" "prometheus_helm_tests" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
      command:
        - /tmp/helm-tests.sh
      env:
--- a/prometheus/values.yaml
+++ b/prometheus/values.yaml
@ -58,6 +58,13 @@ pod:
        prometheus:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
+    test:
+      pod:
+        runAsUser: 65534
+      container:
+        prometheus_helm_tests:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
  affinity:
    anti:
      type: