From 27dac1d2c10b6db82157d2af3dcd3ff047529754 Mon Sep 17 00:00:00 2001
From: PrateekDodda
Date: Wed, 5 Aug 2020 13:55:03 -0500
Subject: [PATCH] Add missing security context to Nova pods/containers

This updates the Nova chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to true

Change-Id: I10b12db8019beb42005764430711694a61c8d17b
---
 nova/templates/job-bootstrap.yaml | 1 +
 nova/templates/job-cell-setup.yaml | 2 ++
 nova/values.yaml | 13 +++++++++++++
 3 files changed, 16 insertions(+)

diff --git a/nova/templates/job-bootstrap.yaml b/nova/templates/job-bootstrap.yaml
index 2a77ba6a1d..d42ba57c0f 100644
--- a/nova/templates/job-bootstrap.yaml
+++ b/nova/templates/job-bootstrap.yaml
@@ -46,6 +46,7 @@ spec:
 {{- if $envAll.Values.bootstrap.wait_for_computes.enabled }}
 - name: nova-wait-for-computes-init
 {{ tuple $envAll "nova_wait_for_computes_init" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "bootstrap" "container" "nova_wait_for_computes_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /bin/bash
 - -c
diff --git a/nova/templates/job-cell-setup.yaml b/nova/templates/job-cell-setup.yaml
index 72953304a5..b8f0eed8b5 100644
--- a/nova/templates/job-cell-setup.yaml
+++ b/nova/templates/job-cell-setup.yaml
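Review bot: The added security context gives `nova-wait-for-computes-init` a read-only root filesystem (the matching values entry sets `readOnlyRootFilesystem: true`), yet the container runs an inline `/bin/bash -c` script and no writable volume for its scratch output is visible in the hunk. If that script writes anything outside a mounted volume, the job now fails at run time with a read-only-filesystem error that template rendering will not catch, so confirm the mount list or add an emptyDir at whatever path the script writes. The init container's `volumeMounts` and the rest of the bootstrap job are outside the hunk.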
@@ -41,6 +41,7 @@ spec:
 - name: nova-cell-setup-init
 {{ tuple $envAll "nova_cell_setup_init" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova_cell_setup" "container" "nova_cell_setup_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 {{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" .Values.manifests.certificates }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
@@ -59,6 +60,7 @@ spec:
 - name: nova-cell-setup
 {{ tuple $envAll "nova_cell_setup" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.cell_setup | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova_cell_setup" "container" "nova_cell_setup" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/cell-setup.sh
 volumeMounts:
diff --git a/nova/values.yaml b/nova/values.yaml
index 4f3d54090c..4c74b13477 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -2412,9 +2412,22 @@ pod:
 pod:
 runAsUser: 42424
 container:
+ nova_wait_for_computes_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
 bootstrap:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
+ nova_cell_setup:
+ pod:
+ runAsUser: 42424
+ container:
+ nova_cell_setup_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ nova_cell_setup:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
 cell_setup:
 pod:
 runAsUser: 42424
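Review bot: The same read-only-root concern applies to both job-cell-setup.yaml hunks: `nova-cell-setup-init` here and `nova-cell-setup` in the `@@ -59,6 +60,7 @@` hunk both pick up `readOnlyRootFilesystem: true` from the new `nova_cell_setup` values entry. The main container executes `/tmp/cell-setup.sh`, which is fine when the script itself is supplied by a volume, but any directory the script or the `nova-manage` calls inside it write to needs an explicit writable mount now, and only the first line of `volumeMounts:` is visible. A single render-and-run of the job against a test deployment is the cheapest check, since the failure mode is a runtime read-only-filesystem error rather than a lint or render error. Both container definitions begin and end outside their hunks.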
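Review bot: The new `nova_cell_setup` entry duplicates the `pod: runAsUser: 42424` block of the existing `cell_setup` entry that remains directly below it, leaving two security-context keys for one job. The templates in this change look the container settings up under `nova_cell_setup`; if the pod-level `kubernetes_pod_security_context` call in job-cell-setup.yaml (not in any hunk here) still reads `cell_setup`, the pod and its containers are configured from different keys and an operator overriding `runAsUser` under one will not see it applied to the other, so the two should be collapsed into a single key — `nova_cell_setup` matches the container names. If the helm-toolkit snippet passes the mapping through to `securityContext` unchanged, adding `runAsNonRoot: true` beside `runAsUser: 42424` would also make the kubelet refuse to start a container that resolves to uid 0 instead of trusting the numeric uid alone. The commit message says the pod security context is added to the pod template, but none of the template hunks do so; presumably it was already present.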