From 0807ecb3545fc9d15e0e55d18316d39724795087 Mon Sep 17 00:00:00 2001
From: Andrii Ostapenko
Date: Wed, 8 Jul 2020 12:42:01 -0500
Subject: [PATCH] Add security context from snippet for tungstenfabric container
Change-Id: I4db982e8f600288ec954d4c019f096bd8dcd7e52
Signed-off-by: Andrii Ostapenko
---
 nova/templates/daemonset-compute.yaml | 3 +--
 nova/values.yaml | 3 +++
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml
index 94aae13165..f0708ef7b8 100644
--- a/nova/templates/daemonset-compute.yaml
+++ b/nova/templates/daemonset-compute.yaml
@@ -210,8 +210,7 @@ spec:
 image: {{ .Values.images.tags.tf_compute_init }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.compute | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- securityContext:
- runAsUser: {{ .Values.pod.user.nova.uid }}
+{{ dict "envAll" $envAll "application" "nova" "container" "tungstenfabric_compute_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 volumeMounts:
 - name: tf-plugin-shared
 mountPath: /opt/plugin
diff --git a/nova/values.yaml b/nova/values.yaml
index 1462cb5fe4..768e8abefe 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -2346,6 +2346,9 @@ pod:
 nova_compute_init:
 readOnlyRootFilesystem: true
 runAsUser: 0
+ tungstenfabric_compute_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
 ceph_perms:
 readOnlyRootFilesystem: true
 runAsUser: 0
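Review bot: The removed lines pinned this init container to `runAsUser: {{ .Values.pod.user.nova.uid }}`, but the new `tungstenfabric_compute_init` entry in the nova/values.yaml hunk carries only `readOnlyRootFilesystem` and `allowPrivilegeEscalation`, so the rendered container securityContext no longer sets a uid and the container runs as whatever the pod-level security context or the image default supplies. That is a behavioral change the commit message does not mention; if the nova uid was load-bearing for writing into /opt/plugin, add `runAsUser: <NOVA_UID>` (placeholder for the same value as pod.user.nova.uid) to the values entry so the uid stays explicit next to its siblings `nova_compute_init` and `ceph_perms`, which both spell out `runAsUser: 0`. If dropping the container-level uid is intentional, a one-line comment above the entry such as `# no runAsUser here: the container inherits the pod-level security context` would make that choice reviewable in values.yaml. The container definition this hunk edits begins before the hunk.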