From 34aca639f0951a84a73ed0e574afde1f1e22e191 Mon Sep 17 00:00:00 2001
From: RAHUL KHIYANI
Date: Tue, 9 Apr 2019 20:31:09 -0500
Subject: [PATCH] controller_manager: Add pod/container security context

This updates the controller_manager chart to include the pod security context on the pod template
This also adds the container security context to set readOnlyRootFilesystem to true

Change-Id: Icee324ef7ddbd230c7c99f4dc284e2866d9acf1a
---
 charts/controller_manager/templates/daemonset.yaml | 2 ++
 charts/controller_manager/values.yaml | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/charts/controller_manager/templates/daemonset.yaml b/charts/controller_manager/templates/daemonset.yaml
index d9baba84..0b6efac3 100644
--- a/charts/controller_manager/templates/daemonset.yaml
+++ b/charts/controller_manager/templates/daemonset.yaml
@@ -42,6 +42,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+{{ dict "envAll" $envAll "application" "kubernetes" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 nodeSelector:
 {{ .Values.labels.controller_manager.node_selector_key }}: {{ .Values.labels.controller_manager.node_selector_value }}
 dnsPolicy: {{ .Values.anchor.dns_policy }}
@@ -62,6 +63,7 @@ spec:
 - name: ETC_PATH
 value: /host{{ .Values.controller_manager.host_etc_path }}
 {{ tuple $envAll $envAll.Values.pod.resources.anchor_pod | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "kubernetes" "container" "anchor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/bin/anchor
 lifecycle:
diff --git a/charts/controller_manager/values.yaml b/charts/controller_manager/values.yaml
index 8d9a8e17..e9050398 100644
--- a/charts/controller_manager/values.yaml
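Review bot: `readOnlyRootFilesystem: true` is now applied to the anchor container through the include added after the resources snippet, but nothing in the hunk shows where the container may still write: it runs `/tmp/bin/anchor` and is handed `ETC_PATH=/host{{ .Values.controller_manager.host_etc_path }}`, so any path the anchor script (or the `lifecycle:` hook that continues past the hunk) touches outside a mounted volume will now fail with a read-only filesystem error at runtime, not at lint time. Worth checking the anchor script against the chart's mounts and, if it needs scratch space, adding an emptyDir for it in the same change rather than relaxing the flag later. The include's output comes from helm-toolkit's `kubernetes_container_security_context`, which is not visible here; confirm that at `indent 10` it renders `securityContext:` as a sibling of `resources:` rather than nested under it. The container definition begins and ends outside this hunk.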
+++ b/charts/controller_manager/values.yaml
@@ -78,6 +78,13 @@ dependencies:
 controller_manager:
 pod:
+ security_context:
+ kubernetes:
+ pod:
+ runAsUser: 0
+ container:
+ anchor:
+ readOnlyRootFilesystem: true
 mounts:
 controller_manager:
 init_container: null
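Review bot: `runAsUser: 0` under `security_context.kubernetes.pod` makes every container in the anchor pod run as root, and the hunk adds nothing that limits what that root user can do; a read-only root filesystem alone leaves the full default capability set and privilege escalation available. If root is genuinely needed — plausible, since the daemonset hunk hands the anchor `ETC_PATH` pointing into the host's /etc — record why in a comment above the key, e.g. `# anchor writes into the host's etc path (see ETC_PATH); root is required until that path's ownership can be delegated`. Then harden the container entry alongside `readOnlyRootFilesystem: true` with `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, re-adding only the capabilities the anchor script actually uses. Whether these keys are honoured depends on helm-toolkit's container security-context snippet, which is not visible here. The `controller_manager:` values block this hunk sits in continues outside the hunk.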