From bc9bbe4e3455720e69616ff6f5c976cd5fc4cd24 Mon Sep 17 00:00:00 2001 From: RAHUL KHIYANI Date: Mon, 22 Apr 2019 10:17:38 -0500 Subject: [PATCH] prometheus-node-exporter: Fix security context This PS fixes the use of the security context macros for the node-exporter chart. Change-Id: I7009a5675096036ac9f214d70c853830b7132264 --- prometheus-node-exporter/templates/daemonset.yaml | 4 ++-- prometheus-node-exporter/values.yaml | 8 ++++++++ 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/prometheus-node-exporter/templates/daemonset.yaml b/prometheus-node-exporter/templates/daemonset.yaml index 721a146f3..0c14d9829 100644 --- a/prometheus-node-exporter/templates/daemonset.yaml +++ b/prometheus-node-exporter/templates/daemonset.yaml @@ -55,8 +55,7 @@ spec: {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} spec: - securityContext: - readOnlyRootFilesystem: true +{{ dict "envAll" $envAll "application" "metrics" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} serviceAccountName: {{ $serviceAccountName }} {{ if .Values.pod.tolerations.node_exporter.enabled }} {{ tuple $envAll "node_exporter" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} @@ -72,6 +71,7 @@ spec: - name: node-exporter {{ tuple $envAll "node_exporter" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.node_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "metrics" "container" "node_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - /tmp/node-exporter.sh ports: diff --git a/prometheus-node-exporter/values.yaml b/prometheus-node-exporter/values.yaml index faa17706f..f3b48b517 100644 --- a/prometheus-node-exporter/values.yaml +++ b/prometheus-node-exporter/values.yaml @@ -37,6 +37,14 @@ labels: node_selector_value: enabled pod: + security_context: + metrics: + pod: + runAsUser: 65534 + container: + node_exporter: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false affinity: anti: type: