From 4fdbf3c07a8e0175c4b3985f6e16862f3cc7c4bb Mon Sep 17 00:00:00 2001
From: Prateek Dodda
Date: Fri, 8 Nov 2019 17:21:22 -0600
Subject: [PATCH] Implement Security Context for Nova Implement container security context for the following Nova resources: - Nova server deployment
Change-Id: Ide4f413d4b27bfbffd4e941ff4f87aefe5a319a8
---
 nova/templates/deployment-placement.yaml | 1 +
 nova/values.yaml | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/nova/templates/deployment-placement.yaml b/nova/templates/deployment-placement.yaml
index cd02da6012..818c0c9d69 100644
--- a/nova/templates/deployment-placement.yaml
+++ b/nova/templates/deployment-placement.yaml
@@ -58,6 +58,7 @@ spec:
 - name: nova-placement-api
 {{ tuple $envAll "nova_placement" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.placement | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "nova" "container" "nova_placement_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/nova-placement-api.sh
 - start
diff --git a/nova/values.yaml b/nova/values.yaml
index fa8669d0bc..f0ed44bf00 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -2203,6 +2203,9 @@ pod:
 nova_novncproxy:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
+ nova_placement_api:
+ readOnlyRootFilesystem: false
+ allowPrivilegeEscalation: false
 nova_scheduler:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
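Review bot: The container name passed to the snippet in deployment-placement.yaml, `"container" "nova_placement_api"`, is a free-form string that has to match the key this commit adds in nova/values.yaml, and nothing visible in the hunk fails the render if the two drift apart or an operator override drops the key. Presumably the snippet then emits no `securityContext` at all, so the container would silently run without the hardening; that is worth confirming by rendering the chart and checking that the nova-placement-api container carries the block. The commit message names the "Nova server deployment" while the only template touched is the placement deployment, so the description may need adjusting. The container spec starts and ends outside the hunk.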
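Review bot: `readOnlyRootFilesystem: false` on `nova_placement_api` in nova/values.yaml leaves this container with a writable root filesystem, while the neighbouring `nova_novncproxy` and `nova_scheduler` entries in the same hunk set it to `true`, and the commit gives no reason for the exception. If the placement API has to write to a few runtime paths at startup (not confirmable from this diff), the narrower fix is to mount writable volumes for just those paths and set `readOnlyRootFilesystem: true`. Until then a comment above the entry would record the reason, e.g. `# TODO: needs writable rootfs for <paths>; set to true once emptyDir mounts exist`. The surrounding mapping starts and ends outside the hunk.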