From 20c1ae4edfa4e0d8b98d845d219a5311daa862bb Mon Sep 17 00:00:00 2001
From: pd2839 <pd2839@att.com>
Date: Mon, 25 Feb 2019 16:11:47 -0600
Subject: [PATCH] Implement Security Context for Deckhand

Implement container and pod level security context for the following
Deckhand resources:

- Deckhand server deployment

Change-Id: I23cd742cc3b76b4e5de67d3b8bb195ec3899fc0f
---
 charts/deckhand/templates/deployment.yaml | 2 ++
 charts/deckhand/values.yaml               | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/charts/deckhand/templates/deployment.yaml b/charts/deckhand/templates/deployment.yaml
index 22491b82..24f9137c 100644
--- a/charts/deckhand/templates/deployment.yaml
+++ b/charts/deckhand/templates/deployment.yaml
@@ -39,6 +39,7 @@ spec:
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
       serviceAccountName: {{ $serviceAccountName }}
+{{ dict "envAll" $envAll "application" "deckhand" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       nodeSelector:
         {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value }}
       terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.deckhand.timeout | default "30" }}
@@ -62,6 +63,7 @@ spec:
           image: {{ .Values.images.tags.deckhand }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "deckhand" "container" "deckhand_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           ports:
             - containerPort: {{ tuple "deckhand" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
           livenessProbe:
diff --git a/charts/deckhand/values.yaml b/charts/deckhand/values.yaml
index fe866533..701c54aa 100644
--- a/charts/deckhand/values.yaml
+++ b/charts/deckhand/values.yaml
@@ -324,6 +324,14 @@ conf:
     formatter_simple:
       format: "%(asctime)s.%(msecs)03d %(process)d %(levelname)s: %(message)s"
 pod:
+  security_context:
+    deckhand:
+      pod:
+        runAsUser: 65534
+      container:
+        deckhand_api:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
   mounts:
     deckhand_db_init:
       init_container: null