Fluentd: Add security context for pods/containers

This adds the security context snippet to the fluentd and
fluentd exporter templates. This changes the user for these two
pods from root to the nobody user.

This also adds the container security context to explicitly set
allowPrivilegeEscalation to false

Change-Id: Ibf1da152f4aa78d425bbd00f514c2787d8ad9c5f
Steve Wilkerson 2019-01-03 14:19:39 -06:00
parent 8dba8cb648
commit e7232313ea
3 changed files with 11 additions and 0 deletions


@ -94,6 +94,7 @@ spec:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
{{ dict "envAll" $envAll "application" "fluentd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
affinity:
{{ tuple $envAll "fluentd" "internal" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@ -106,6 +107,8 @@ spec:
- name: fluentd
{{ tuple $envAll "fluentd" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.fluentd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/fluentd.sh
- start
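Review bot: The container securityContext introduced above the `command:` key sets only `allowPrivilegeEscalation: false`; the same two-line block in the fluentd-exporter template hunk below has the same gap. Dropping all Linux capabilities is the usual companion setting and is independent of the uid change, e.g. `securityContext:` / `  allowPrivilegeEscalation: false` / `  capabilities: {drop: [ALL]}`; `readOnlyRootFilesystem: true` is worth adding too if the container has no need to write to its root filesystem, which should be checked against the fluentd buffer and plugin paths before enabling. The pod-level snippet added in the first hunk presumably applies the `pod.user.fluentd.uid` value from values.yaml as runAsUser, so if this daemonset mounts host log directories, the nobody user needs read access to them; the volume mounts are outside both hunks, so that should be confirmed in the rendered manifest.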


@ -41,6 +41,7 @@ spec:
labels:
{{ tuple $envAll "prometheus_fluentd_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "fluentd_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
nodeSelector:
{{ .Values.labels.prometheus_fluentd_exporter.node_selector_key }}: {{ .Values.labels.prometheus_fluentd_exporter.node_selector_value | quote }}
@ -51,6 +52,8 @@ spec:
- name: fluentd-exporter
{{ tuple $envAll "prometheus_fluentd_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.prometheus_fluentd_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/fluentd-exporter.sh
- start


@ -527,6 +527,11 @@ network:
port: 32329
pod:
user:
fluentd:
uid: 65534
fluentd_exporter:
uid: 65534
affinity:
anti:
type: