From 9b5c1d493e187a9f67e9679416b21ff578a527f1 Mon Sep 17 00:00:00 2001
From: Rahul Khiyani
Date: Mon, 25 Feb 2019 16:39:43 -0500
Subject: [PATCH] Drydock: Add pod/container security context
This updates the drydock chart to include the pod security context on the pod template. This changes the pod's user from root to the nobody user instead This also adds the container security context to set allowPrivilegeEscalation to false and readOnlyRootFilesystem to true
Change-Id: I0882622e672e5918da82b58b76697b8974cf0b16
---
 charts/drydock/templates/deployment.yaml | 2 ++
 charts/drydock/values.yaml | 8 ++++++++
 2 files changed, 10 insertions(+)
diff --git a/charts/drydock/templates/deployment.yaml b/charts/drydock/templates/deployment.yaml
index cc757419..246d2c16 100644
--- a/charts/drydock/templates/deployment.yaml
+++ b/charts/drydock/templates/deployment.yaml
@@ -35,6 +35,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+{{ dict "envAll" $envAll "application" "drydock" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 nodeSelector:
 {{ .Values.labels.api.node_selector_key }}: {{ .Values.labels.api.node_selector_value | quote }}
 serviceAccountName: {{ $serviceAccountName }}
@@ -48,6 +49,7 @@ spec:
 image: {{ .Values.images.tags.drydock }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "drydock" "container" "drydock_api" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 env:
 - name: 'MAAS_API_KEY'
 valueFrom:
diff --git a/charts/drydock/values.yaml b/charts/drydock/values.yaml
index 3e7462cc..77e67a5a 100644
--- a/charts/drydock/values.yaml
+++ b/charts/drydock/values.yaml
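Review bot: `readOnlyRootFilesystem: true` on the drydock_api container (applied by the added `kubernetes_container_security_context` line) makes every runtime write to the image filesystem fail, yet the hunk adds no `emptyDir` volume or `volumeMounts` alongside it, so if the drydock API or its uwsgi wrapper writes scratch files (for example under `/tmp`) the pod will only fail once scheduled, not at template time. Before merging, check the rendered container spec that every directory drydock writes to is backed by a mounted volume, or add an `emptyDir` for `/tmp` in the same template; the container's volumeMounts are outside this hunk, so I can't confirm either way here. The `"container" "drydock_api"` key must also match the key under `pod.security_context.drydock.container` in values.yaml exactly, and a mismatch would presumably render an empty `securityContext` (or fail templating) rather than the intended one, which is worth a one-line comment such as `# "drydock_api" must match the container key in values.yaml pod.security_context`.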
@@ -55,6 +55,14 @@ network:
 nginx.ingress.kubernetes.io/rewrite-target: /
 pod:
+ security_context:
+ drydock:
+ pod:
+ runAsUser: 65534
+ container:
+ drydock_api:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 lifecycle:
 upgrades:
 deployments:
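Review bot: The new `security_context` block drops root but leaves out the two settings that normally accompany `allowPrivilegeEscalation: false`: the `pod:` entry sets `runAsUser: 65534` without `runAsNonRoot: true`, and the `drydock_api` container entry does not drop Linux capabilities, so the process still starts with the runtime's default capability set. Add `runAsNonRoot: true` under `pod:` next to `runAsUser`, and `capabilities: {drop: ["ALL"]}` under `drydock_api:` beside `readOnlyRootFilesystem`, so the kubelet rejects the pod if an image or values override ever resets the UID to 0 and a compromised process cannot use default capabilities such as CAP_NET_RAW. This assumes the helm-toolkit snippets copy these maps into `securityContext` verbatim, which the `dict … | include` calls in deployment.yaml suggest but the snippet bodies are not in this patch. A short comment above `runAsUser`, such as `# 65534 is the conventional 'nobody' UID; the image must not require root for any path it reads`, would also help the next maintainer.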