From 154e0b5464a6571073d820c71ad39221dec87d6b Mon Sep 17 00:00:00 2001
From: "KHIYANI, RAHUL (rk0850)"
Date: Thu, 31 Oct 2019 22:53:23 -0500
Subject: [PATCH] Apiserver: Add pod/container security context
This updates the apiserver chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to false
Change-Id: I76d80c4cbf40d1e3e518a3d2969c86f4d5c8c3f4
---
charts/apiserver/templates/daemonset.yaml | 2 ++
charts/apiserver/values.yaml | 8 ++++++++
2 files changed, 10 insertions(+)
diff --git a/charts/apiserver/templates/daemonset.yaml b/charts/apiserver/templates/daemonset.yaml
index 5620dd34..a77d2a12 100644
--- a/charts/apiserver/templates/daemonset.yaml
+++ b/charts/apiserver/templates/daemonset.yaml
@@ -45,6 +45,7 @@ spec:
         scheduler.alpha.kubernetes.io/critical-pod: ''
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
+{{ dict "envAll" $envAll "application" "kubernetes_apiserver_anchor" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       nodeSelector:
         {{ .Values.labels.kubernetes_apiserver.node_selector_key }}: {{ .Values.labels.kubernetes_apiserver.node_selector_value }}
       dnsPolicy: {{ .Values.anchor.dns_policy }}
@@ -60,6 +61,7 @@ spec:
           image: {{ .Values.images.tags.anchor }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple $envAll $envAll.Values.pod.resources.anchor_pod | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "kubernetes_apiserver_anchor" "container" "anchor" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           env:
             - name: MANIFEST_PATH
               value: /host{{ .Values.anchor.kubelet.manifest_path }}/{{ .Values.service.name }}.yaml
diff --git a/charts/apiserver/values.yaml b/charts/apiserver/values.yaml
index 4ebb5dcc..9be49129 100644
--- a/charts/apiserver/values.yaml
+++ b/charts/apiserver/values.yaml
@@ -265,6 +265,14 @@ endpoints:
 # key: null
 pod:
+  security_context:
+    kubernetes_apiserver_anchor:
+      pod:
+        runAsUser: 65534
+      container:
+        anchor:
+          runAsUser: 0
+          readOnlyRootFilesystem: false
 mounts:
   kubernetes_apiserver:
     init_container: null
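Review bot: The `anchor` entry added under `pod.security_context.kubernetes_apiserver_anchor.container` runs the container as root (`runAsUser: 0`) with a writable root filesystem, and nothing in the hunk records why, so the pod-level `runAsUser: 65534` added a few lines above is superseded for the only container this commit configures. Root is plausibly needed for the write into the host manifest directory (the daemonset's MANIFEST_PATH env is rooted at `/host...`), but that is a mounted path rather than the container's own root filesystem, so the reason `readOnlyRootFilesystem` has to be `false` is not visible here. Add a one-line comment above the `anchor:` entry naming the path the anchor writes on its root filesystem so the relaxation stays deliberate, and if the process needs no extra privileges consider `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` next to it — these are ordinary securityContext keys, but confirm the helm-toolkit container snippet passes the mapping through unchanged before relying on them.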