From 809b329de8f27c88354a710653b8effe9dabda35 Mon Sep 17 00:00:00 2001
From: Rahul Khiyani
Date: Mon, 25 Feb 2019 16:49:07 -0500
Subject: [PATCH] Maas: Add pod/container security context - deployment-ingress-errors.yaml

This updates the maas chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem to true

Change-Id: Id377f31aacc65e8ba31a360d9283fda225e7732a
---
 charts/maas/templates/deployment-ingress-errors.yaml | 2 ++
 charts/maas/values.yaml | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/charts/maas/templates/deployment-ingress-errors.yaml b/charts/maas/templates/deployment-ingress-errors.yaml
index a0381dc..a702d0f 100644
--- a/charts/maas/templates/deployment-ingress-errors.yaml
+++ b/charts/maas/templates/deployment-ingress-errors.yaml
@@ -35,6 +35,7 @@ spec:
       labels:
 {{ tuple $envAll "maas" "ingress-errors" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "ingress_errors" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
       nodeSelector:
         {{ .Values.labels.rack.node_selector_key }}: {{ .Values.labels.rack.node_selector_value }}
@@ -44,6 +45,7 @@ spec:
           image: {{ .Values.images.tags.error_pages }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.maas_ingress_errors | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "ingress_errors" "container" "maas_ingress_errors" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           command:
             - /tmp/maas-ingress-errors.sh
             - start
diff --git a/charts/maas/values.yaml b/charts/maas/values.yaml
index f475f43..493ae4f 100644
--- a/charts/maas/values.yaml
+++ b/charts/maas/values.yaml
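Review bot: The new container security-context line in the second hunk turns on readOnlyRootFilesystem for maas_ingress_errors, but the commit touches no volumes or volumeMounts (the diffstat lists only this template and values.yaml), so any path the error-pages process writes at runtime — scratch, cache or pid files — will now fail with a read-only filesystem error. The container spec continues outside the hunk, so a suitable emptyDir mount may already exist; that should be confirmed rather than assumed before merging. If a writable location is needed, add the emptyDir mount in this same change and record the constraint next to the container key in values.yaml, e.g. `# readOnlyRootFilesystem is set: any writable path must be backed by an emptyDir mount`.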
@@ -238,6 +238,14 @@ pod:
       maas-rack: localhost/docker-default
     maas-region:
       maas-region: localhost/docker-default
+  security_context:
+    ingress_errors:
+      pod:
+        runAsUser: 99
+      container:
+        maas_ingress_errors:
+          runAsUser: 0
+          readOnlyRootFilesystem: true
   affinity:
     anti:
       type:
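Review bot: `runAsUser: 0` under maas_ingress_errors makes the pod-level `runAsUser: 99` added a few lines above ineffective for the only container this commit configures, because a container securityContext takes precedence over the pod one; the pod-level value then only governs init containers or sidecars not visible in this hunk. If the error_pages image genuinely needs root, say so in a comment above the key, e.g. `# root required by the error_pages image; overrides the pod-level runAsUser above`, and add `allowPrivilegeEscalation: false` alongside it so the rendered context is as tight as the uid allows (this presumes the toolkit snippet renders these keys verbatim, which is not visible here). Otherwise prefer a non-root uid here and drop the override so the pod-level setting actually applies.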