From 6fcdde451bb23b9281b2f25bd94a1d9eccea5d48 Mon Sep 17 00:00:00 2001
From: "BARTRA, RICK"
Date: Tue, 30 Apr 2019 15:41:59 -0400
Subject: [PATCH] Run apiserver-webhook containers with the 'nobody' user
The apiserver-webhook containers should run with a non-root user when possible
Change-Id: Ia56794e4f39423cbb642c3aa518649abc2a51d5c
---
 charts/apiserver-webhook/templates/deployment.yaml | 1 +
 charts/apiserver-webhook/values.yaml | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/charts/apiserver-webhook/templates/deployment.yaml b/charts/apiserver-webhook/templates/deployment.yaml
index a9ac0ba8..f37cd480 100644
--- a/charts/apiserver-webhook/templates/deployment.yaml
+++ b/charts/apiserver-webhook/templates/deployment.yaml
@@ -118,6 +118,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 dnsPolicy: ClusterFirst
+{{ dict "envAll" $envAll "application" "apiserver_webhook" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 containers:
 - name: apiserver
 image: {{ .Values.images.tags.apiserver }}
diff --git a/charts/apiserver-webhook/values.yaml b/charts/apiserver-webhook/values.yaml
index 52a93732..e23a36b4 100644
--- a/charts/apiserver-webhook/values.yaml
+++ b/charts/apiserver-webhook/values.yaml
@@ -247,6 +247,10 @@ pod:
 kubernetes_keystone_webhook_tests:
 init_container: null
 kubernetes_keystone_webhook_tests: null
+ security_context: apiserver_webhook: pod: runAsUser: 65534
 conf:
 paths:
 base: '/etc/webhook_apiserver/'
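Review bot: The added line in deployment.yaml renders only the pod-level securityContext (the snippet name and the `pod:` values key both point that way), so the `apiserver` container and any sibling containers still get no container-level securityContext and keep the Kubernetes defaults for allowPrivilegeEscalation and readOnlyRootFilesystem. If the helm-toolkit version in use ships the matching container snippet, the same pattern can be applied per container, e.g. `{{ dict "envAll" $envAll "application" "apiserver_webhook" "container" "apiserver" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` placed under `- name: apiserver` at the container's field indent, with a corresponding `container.apiserver` entry in values.yaml. The line also sits at column 0 and relies on `indent 6` to line up with `dnsPolicy:`; the context indentation is not visible in this rendering, so verify the rendered manifest. The pod spec continues outside the hunk.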
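Review bot: The new `pod:` security context in values.yaml sets only `runAsUser: 65534`; adding `runAsNonRoot: true` alongside it makes the kubelet refuse to start the pod if an image override ever maps that UID back to root, rather than relying on the number alone. The commit title calls this the 'nobody' user, but that is an image-specific mapping, so a comment above the key such as `# 65534 is 'nobody' on most base images; the apiserver image must tolerate this UID` would keep that assumption visible to whoever changes the image tag. If the webhook's config or certificate volumes are mounted with a non-world-readable defaultMode, the unprivileged process may not be able to read them; confirm the container starts and serves under 65534, and add `fsGroup` only if that check fails.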