Add security context from snippet for tungstenfabric container

Change-Id: I4db982e8f600288ec954d4c019f096bd8dcd7e52 Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
2020-07-08 12:42:01 -05:00 · 2020-07-08 12:42:01 -05:00 · 0807ecb354
commit 0807ecb354
parent afd68753c7
2 changed files with 4 additions and 2 deletions
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@ -210,8 +210,7 @@ spec:
          image: {{ .Values.images.tags.tf_compute_init }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          securityContext:
-            runAsUser: {{ .Values.pod.user.nova.uid }}
+{{ dict "envAll" $envAll "application" "nova" "container" "tungstenfabric_compute_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          volumeMounts:
            - name: tf-plugin-shared
              mountPath: /opt/plugin
--- a/nova/values.yaml
+++ b/nova/values.yaml
@ -2346,6 +2346,9 @@ pod:
        nova_compute_init:
          readOnlyRootFilesystem: true
          runAsUser: 0
+        tungstenfabric_compute_init:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
        ceph_perms:
          readOnlyRootFilesystem: true
          runAsUser: 0