From 430586927c1edc6524279dc166923d791380b362 Mon Sep 17 00:00:00 2001
From: Prateek Dodda
Date: Wed, 30 Oct 2019 14:25:12 -0500
Subject: [PATCH] Implement Security Context for Armada

Implement readOnlyRootFilesystem:true for init container - Armada server deployment

Change-Id: Ifbc48bef07eab97c015b65a1941a526fc6a28c6d
---
 charts/armada/templates/deployment-api.yaml | 1 +
 charts/armada/values.yaml | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/charts/armada/templates/deployment-api.yaml b/charts/armada/templates/deployment-api.yaml
index 3b17d29c..70818bae 100644
--- a/charts/armada/templates/deployment-api.yaml
+++ b/charts/armada/templates/deployment-api.yaml
@@ -118,6 +118,7 @@ spec:
 terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
 initContainers:
 {{ tuple $envAll "api" $mounts_armada_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ dict "envAll" $envAll "application" "armada" "container" "armada_api_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 containers:
 - name: armada-api
 {{ tuple $envAll "api" | include "helm-toolkit.snippets.image" | indent 10 }}
diff --git a/charts/armada/values.yaml b/charts/armada/values.yaml
index 9016cbaa..1916fe9e 100644
--- a/charts/armada/values.yaml
+++ b/charts/armada/values.yaml
@@ -260,6 +260,9 @@ pod:
 pod:
 runAsUser: 65534
 container:
+ armada_api_init:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
 armada_api:
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
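Review bot: In charts/armada/templates/deployment-api.yaml the added `kubernetes_container_security_context` include is bound to the init container only by its position and by `indent 10` lining up with the `indent 8` of the `kubernetes_entrypoint_init_container` snippet on the line above. If that helm-toolkit snippet ever renders its own `securityContext`, or more than one container, this line would presumably yield a duplicate key or attach to the wrong container, and many YAML parsers silently keep the last duplicate. I would add a comment above it such as `# securityContext for the entrypoint init container; must directly follow the snippet above and stay at indent 10`, and confirm with `helm template` that the rendered init container carries exactly one `securityContext`. The enclosing `spec:` block starts and ends outside the hunk.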
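Review bot: The new `armada_api_init` entry in charts/armada/values.yaml sets only `readOnlyRootFilesystem` and `allowPrivilegeEscalation`, so the init container keeps the container runtime's default Linux capabilities, and nothing visible here enforces non-root beyond the pod-level `runAsUser: 65534` in the context lines. Assuming the entrypoint init container needs no capabilities and the helm-toolkit snippet passes extra keys through, consider adding `capabilities: {drop: [ALL]}` under `armada_api_init` and `runAsNonRoot: true` next to `runAsUser`. The same gap appears in the existing `armada_api` entry. The surrounding `pod:` mapping continues outside the hunk, so the full values path that the template's `"application" "armada"` lookup resolves to cannot be confirmed from here.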