From f50a0c8d78f5f90fad33d788e2c39d544ddd0c3e Mon Sep 17 00:00:00 2001
From: RAHUL KHIYANI
Date: Thu, 30 May 2019 16:19:39 -0500
Subject: [PATCH] ETCD: Add pod/container security context

This updates the etcd chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to false

Change-Id: I34a8ab3e850779192491b9b127a82b82f05fa00b
---
 charts/etcd/templates/daemonset-anchor.yaml | 2 ++
 .../etcd/templates/etc/_kubernetes-etcd.yaml.tpl | 2 ++
 charts/etcd/values.yaml | 15 +++++++++++++++
 3 files changed, 19 insertions(+)

diff --git a/charts/etcd/templates/daemonset-anchor.yaml b/charts/etcd/templates/daemonset-anchor.yaml
index 0c9778e9..9b8eb01b 100644
--- a/charts/etcd/templates/daemonset-anchor.yaml
+++ b/charts/etcd/templates/daemonset-anchor.yaml
@@ -43,6 +43,7 @@ spec:
 labels:
 {{ $labels | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "anchor" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 hostNetwork: true
 {{- if .Values.anchor.dns_policy }}
 dnsPolicy: {{ .Values.anchor.dns_policy }}
@@ -63,6 +64,7 @@ spec:
 image: {{ .Values.images.tags.etcdctl }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.daemonset_anchor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "anchor" "container" "etcdctl" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
 - /tmp/bin/etcdctl_anchor
 env:
diff --git a/charts/etcd/templates/etc/_kubernetes-etcd.yaml.tpl b/charts/etcd/templates/etc/_kubernetes-etcd.yaml.tpl
index 263df1bd..501e12f4 100644
--- a/charts/etcd/templates/etc/_kubernetes-etcd.yaml.tpl
+++ b/charts/etcd/templates/etc/_kubernetes-etcd.yaml.tpl
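Review bot: The two new includes in daemonset-anchor.yaml read `.Values.pod.security_context.anchor` (its `pod` map and its `container.etcdctl` map) through the "application"/"container" keys, but nothing in the template records that coupling, so an operator who overrides `pod.security_context` with a partial map gets whatever the helm-toolkit snippet does on a missing key, presumably a render-time error rather than a clear message (the snippet is not in this patch). A trimmed template comment above each include would make the dependency visible without changing output, e.g. `{{- /* pod securityContext comes from .Values.pod.security_context.anchor.pod */}}` before the pod include and `{{- /* container securityContext comes from .Values.pod.security_context.anchor.container.etcdctl */}}` before the container include. The same applies to the two includes added to _kubernetes-etcd.yaml.tpl, which read the `etcd` application and `etcd` container keys. Both hunks sit inside the DaemonSet pod template, whose start and end lie outside the hunks.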
@@ -32,12 +32,14 @@ metadata:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
 {{- dict "envAll" $envAll "podName" .Values.service.name "containerNames" (list "etcd") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
+{{ dict "envAll" $envAll "application" "etcd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
 hostNetwork: true
 containers:
 - name: etcd
 image: {{ .Values.images.tags.etcd }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.etcd_pod | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "etcd" "container" "etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
 env:
 - name: ETCD_NAME
 valueFrom:
diff --git a/charts/etcd/values.yaml b/charts/etcd/values.yaml
index cd1f98f8..7a00b634 100644
--- a/charts/etcd/values.yaml
+++ b/charts/etcd/values.yaml
@@ -97,6 +97,21 @@ dependencies:
 jobs:
 - etcd_backup_job
 pod:
+ security_context:
+ anchor:
+ pod:
+ runAsUser: 65534
+ container:
+ etcdctl:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
+ etcd:
+ pod:
+ runAsUser: 65534
+ container:
+ etcd:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
 mounts:
 daemonset_anchor:
 daemonset_anchor:
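Review bot: In the values.yaml hunk the container-level `runAsUser: 0` under `security_context.anchor.container.etcdctl` and `security_context.etcd.container.etcd` overrides the pod-level `runAsUser: 65534` for the only container in each pod, so both containers still run as root and the pod-level value is effectively inert; together with `readOnlyRootFilesystem: false` the new context adds no hardening over the previous default, and the commit message does not say why root or a writable root filesystem is needed. Record the reason next to the values so the next reviewer does not tighten them blindly, e.g. above each container block `# runAsUser 0 overrides the pod-level 65534; required because <TODO: reason, e.g. host-path ownership>` and `# writable rootfs required because <TODO: reason>`. If the container snippet passes the map through to the container securityContext verbatim (not visible here), `allowPrivilegeEscalation: false` could be added alongside without affecting a process that already runs as uid 0. The hunk also touches the surrounding `pod:` map, whose remaining keys (`mounts`, `resources`) lie outside the hunk.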