From 9d72b805d021a7a31f3635a08ccf387cd0a748df Mon Sep 17 00:00:00 2001 From: pd2839 Date: Mon, 1 Jul 2019 12:50:01 -0500 Subject: [PATCH] Using htk for glance security policies Overriding the values in values.yaml Change-Id: I52dd8b5513062242ad4f2c89bb4cc998dc5ef9c5 --- glance/templates/deployment-api.yaml | 4 ++-- glance/values.yaml | 6 ++++++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml index 26d7327765..f7d9aba4f8 100644 --- a/glance/templates/deployment-api.yaml +++ b/glance/templates/deployment-api.yaml @@ -57,9 +57,8 @@ spec: {{ tuple $envAll "api" $mounts_glance_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: glance-perms {{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }} - securityContext: - runAsUser: 0 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "glance" "container" "glance_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} command: - chown - -R @@ -73,6 +72,7 @@ spec: {{ if eq .Values.storage "rbd" }} - name: ceph-keyring-placement {{ tuple $envAll "glance_api" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ dict "envAll" $envAll "application" "glance" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} env: - name: RBD_STORE_USER value: {{ .Values.conf.glance.glance_store.rbd_store_user | quote }} diff --git a/glance/values.yaml b/glance/values.yaml index 30f11184b8..837be643be 100644 --- a/glance/values.yaml +++ b/glance/values.yaml 
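Review bot: With the literal `runAsUser: 0` removed from the glance-perms init container, nothing in the template says that this container must run as uid 0 for its `chown -R` to succeed; the requirement now lives only in the `glance_perms` values entry. A template comment above the new include would keep it visible, for example `{{/* glance-perms runs chown -R and needs uid 0; the uid comes from the glance_perms container security context in values.yaml */}}`. The helm-toolkit snippet is not shown here, so its output when an override drops that key is unknown. Presumably the container would then inherit the pod-level uid and the chown would fail, which is worth confirming. The container spec continues past the end of the hunk.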
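Review bot: The ceph-keyring-placement container gains a security context in the second hunk, but no `securityContext:` is removed from it there, so the new include either changes its effective uid or duplicates an existing key. If the container had no container-level setting before, it presumably moves from the pod-level `runAsUser: 42424` shown in the values.yaml hunk to uid 0, a privilege increase the commit message does not mention. If a `securityContext:` block remains further down in the same container, the rendered manifest would carry the key twice, and most YAML parsers silently keep the last one. The container spec runs beyond the end of the hunk, so both cases need checking against the full file.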
@@ -818,6 +818,12 @@ pod: pod: runAsUser: 42424 container: + glance_perms: + readOnlyRootFilesystem: true + runAsUser: 0 + ceph_keyring_placement: + readOnlyRootFilesystem: true + runAsUser: 0 glance_api: readOnlyRootFilesystem: true allowPrivilegeEscalation: false
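Review bot: The new `glance_perms` and `ceph_keyring_placement` entries run as uid 0 but omit the `allowPrivilegeEscalation: false` that `glance_api` sets just below; adding `allowPrivilegeEscalation: false` to both would keep the root init containers consistent with the main container. Both entries also set `readOnlyRootFilesystem: true`, so every path they write or chown has to sit on a mounted volume. The volume mounts are not part of this patch, so this should be confirmed by rendering the chart and running it with rbd storage enabled. If the helm-toolkit snippet passes capability settings through (not visible here), dropping all capabilities except the one chown needs would narrow these containers further.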