From 1810da025f0df647511cdcaeb0cbe08a0712fe50 Mon Sep 17 00:00:00 2001
From: Phil Sphicas
Date: Fri, 21 Feb 2020 16:44:23 -0800
Subject: [PATCH] Apply security context to tiller in Armada pod
Allows container security context to be applied to the tiller container inside the Armada API pod, and sets the following: run as nobody (uid 65534), read-only root filesystem, deny privilege escalation. Also sets the rest of the armada pod to run as armada (uid 1000).
Change-Id: I38eb32f54ca4c0a20c1c63fca2f4927ced6e9e81
---
charts/armada/templates/deployment-api.yaml | 1 +
charts/armada/values.yaml | 16 +++++++++++++---
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/charts/armada/templates/deployment-api.yaml b/charts/armada/templates/deployment-api.yaml
index 644147fe..7d43fc9b 100644
--- a/charts/armada/templates/deployment-api.yaml
+++ b/charts/armada/templates/deployment-api.yaml
@@ -160,6 +160,7 @@ spec:
- name: tiller
{{ tuple $envAll "tiller" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.tiller | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "armada" "container" "tiller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
env:
- name: TILLER_NAMESPACE
value: {{ .Values.conf.tiller.namespace | quote }}
diff --git a/charts/armada/values.yaml b/charts/armada/values.yaml
index 97fa6407..2885c7c1 100644
--- a/charts/armada/values.yaml
+++ b/charts/armada/values.yaml
@@ -263,7 +263,7 @@ pod:
security_context:
armada:
pod:
- runAsUser: 65534
+ runAsUser: 1000
container:
armada_api_init:
readOnlyRootFilesystem: true
@@ -271,6 +271,10 @@ pod:
armada_api:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
+ tiller:
+ runAsUser: 65534
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
env:
# NOTE(@drewwalters96): These configuration values change the Armada API's
# uWSGI configuration.
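Review bot: The security context included here makes tiller run as uid 65534 with a read-only root filesystem (per the values.yaml hunks in this patch), but the env block on the following lines does not pin HOME, and the emptyDir mounted at /tmp/.kube in the @@ -304 hunk of values.yaml only helps if uid 65534's home in the tiller image actually resolves to /tmp; otherwise the kube client would presumably try to create its cache elsewhere, likely on the read-only root, and tiller would fail at runtime. Rather than relying on the image's passwd entry, set it explicitly next to TILLER_NAMESPACE: `- name: HOME` / `value: /tmp`. The comment in that @@ -304 hunk documents this assumption without anything enforcing it, so one fix here covers both. The tiller container definition continues outside this hunk.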
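Review bot: The pod-level `runAsUser` change to 1000 is undocumented in the file while the tiller container below is pinned to 65534, so a reader of values.yaml cannot tell whether the split is deliberate; add a comment above the key such as `# armada user (uid 1000); tiller overrides this per-container below`. Since every container in the pod is now meant to run unprivileged, consider also adding `runAsNonRoot: true` to the pod stanza so the kubelet rejects a container that ends up as uid 0, for example if a later override clears `runAsUser`.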
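Review bot: The new tiller stanza denies privilege escalation and makes the root filesystem read-only but leaves the container's default Linux capability set untouched; if tiller only needs to reach the API server, `capabilities:` / `drop:` / `- ALL` alongside these keys would complete the hardening, and `allowPrivilegeEscalation: false` is what keeps that dropped set from being regained. The helm-toolkit snippet referenced in deployment-api.yaml presumably passes these keys through to the container securityContext unchanged — worth confirming before relying on it.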
@@ -304,8 +308,14 @@ pod:
volumes: []
volumeMounts: []
tiller:
- volumes: []
- volumeMounts: []
+ volumes:
+ - name: kubernetes-client-cache
+ emptyDir: {}
+ volumeMounts:
+ - name: kubernetes-client-cache
+ # Should be the `$HOME/.kube` of the `runAsUser` above
+ # as this is where tiller's kubernetes client roots its cache dir.
+ mountPath: /tmp/.kube
affinity:
anti:
type: