From 880c6503c8c584dc5d63ca329348012dd5907865 Mon Sep 17 00:00:00 2001
From: "KHIYANI, RAHUL (rk0850)"
Date: Tue, 21 Jul 2020 12:38:38 -0500
Subject: [PATCH] Add security context template for promenade charts

This changes adds security context template at pod level to set run as user value This also adds security context template at container level to set readOnly-fs flag

Change-Id: Iba720e687218987cfefe7a9f08630fb11e8eac12
---
.../apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl | 2 ++
charts/apiserver/values.yaml | 7 +++++++
.../templates/etc/_kubernetes-controller-manager.yaml.tpl | 2 ++
charts/controller_manager/values.yaml | 6 ++++++
charts/haproxy/templates/etc/_haproxy.yaml.tpl | 2 ++
charts/haproxy/values.yaml | 7 +++++++
.../scheduler/templates/etc/_kubernetes-scheduler.yaml.tpl | 2 ++
charts/scheduler/values.yaml | 3 +++
8 files changed, 31 insertions(+)

diff --git a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
index f38a40c9..2cf3c5ca 100644
--- a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
+++ b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
@@ -50,12 +50,14 @@ metadata:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
 {{- dict "envAll" $envAll "podName" "apiserver" "containerNames" (list "apiserver") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
+{{ dict "envAll" $envAll "application" "apiserver" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
 hostNetwork: true
 shareProcessNamespace: true
 containers:
 - name: apiserver
 image: {{ .Values.images.tags.apiserver }}
 {{ tuple $envAll $envAll.Values.pod.resources.kubernetes_apiserver | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "apiserver" "container" "apiserver" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
 env:
 - name: POD_IP
 valueFrom:
diff --git a/charts/apiserver/values.yaml b/charts/apiserver/values.yaml
index 7366a32c..77114000 100644
--- a/charts/apiserver/values.yaml
+++ b/charts/apiserver/values.yaml
@@ -287,6 +287,13 @@ pod:
 apiserver_key_rotate:
 runAsUser: 0
 readOnlyRootFilesystem: false
+ apiserver:
+ pod:
+ runAsUser: 65534
+ container:
+ apiserver:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
 mounts:
 kubernetes_apiserver:
 init_container: null
diff --git a/charts/controller_manager/templates/etc/_kubernetes-controller-manager.yaml.tpl b/charts/controller_manager/templates/etc/_kubernetes-controller-manager.yaml.tpl
index 886bc5ff..4f41afd5 100644
--- a/charts/controller_manager/templates/etc/_kubernetes-controller-manager.yaml.tpl
+++ b/charts/controller_manager/templates/etc/_kubernetes-controller-manager.yaml.tpl
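Review bot: In the new `apiserver` block of charts/apiserver/values.yaml the container-level `runAsUser: 0` takes precedence over the pod-level `runAsUser: 65534`, so the apiserver container still runs as root and the pod-level value has no effect on it; charts/haproxy/values.yaml repeats the same pattern (`server.pod.runAsUser: 65534` next to `server.container.haproxy.runAsUser: 0`). Whether root is actually required cannot be determined from this hunk, so if it is, record the reason beside the override, e.g. `runAsUser: 0  # overrides pod-level 65534; apiserver needs root for <reason — TODO confirm>`, and give the same treatment to `readOnlyRootFilesystem: false`, since the commit message says the change exists to set that flag. If root is not required, drop the container-level `runAsUser` so 65534 applies, and consider `readOnlyRootFilesystem: true` with emptyDir mounts for any path that must be writable.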
@@ -26,11 +26,13 @@ metadata:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
 {{ dict "envAll" $envAll "podName" "controller-manager" "containerNames" (list "controller-manager") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
+{{ dict "envAll" $envAll "application" "controller_manager" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
 hostNetwork: true
 containers:
 - name: controller-manager
 image: {{ .Values.images.tags.controller_manager }}
 {{ tuple $envAll $envAll.Values.pod.resources.controller_manager | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "controller_manager" "container" "controller_manager" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
 env:
 - name: POD_IP
 valueFrom:
diff --git a/charts/controller_manager/values.yaml b/charts/controller_manager/values.yaml
index f285f5e9..7e217302 100644
--- a/charts/controller_manager/values.yaml
+++ b/charts/controller_manager/values.yaml
@@ -98,6 +98,12 @@ pod:
 container:
 anchor:
 readOnlyRootFilesystem: true
+ controller_manager:
+ pod:
+ runAsUser: 0
+ container:
+ controller_manager:
+ readOnlyRootFilesystem: true
 mounts:
 controller_manager:
 init_container: null
diff --git a/charts/haproxy/templates/etc/_haproxy.yaml.tpl b/charts/haproxy/templates/etc/_haproxy.yaml.tpl
index 402feb7d..c67a9166 100644
--- a/charts/haproxy/templates/etc/_haproxy.yaml.tpl
+++ b/charts/haproxy/templates/etc/_haproxy.yaml.tpl
@@ -27,12 +27,14 @@ metadata:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
 {{ dict "envAll" $envAll "podName" "haproxy" "containerNames" (list "haproxy") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
+{{ dict "envAll" $envAll "application" "server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
 hostNetwork: true
 containers:
 - name: haproxy
 image: {{ .Values.images.tags.haproxy }}
 imagePullPolicy: {{ .Values.images.pull_policy }}
 {{ tuple . .Values.pod.resources.haproxy_pod | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "server" "container" "haproxy" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
 hostNetwork: true
 env:
 - name: HAPROXY_CONF
diff --git a/charts/haproxy/values.yaml b/charts/haproxy/values.yaml
index 64ac72d6..7cdf02f6 100644
--- a/charts/haproxy/values.yaml
+++ b/charts/haproxy/values.yaml
@@ -108,6 +108,13 @@ pod:
 haproxy_haproxy_test:
 runAsUser: 0
 readOnlyRootFilesystem: true
+ server:
+ pod:
+ runAsUser: 65534
+ container:
+ haproxy:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
 lifecycle:
 upgrades:
 daemonsets:
diff --git a/charts/scheduler/templates/etc/_kubernetes-scheduler.yaml.tpl b/charts/scheduler/templates/etc/_kubernetes-scheduler.yaml.tpl
index 79309bfc..8fc9da69 100644
--- a/charts/scheduler/templates/etc/_kubernetes-scheduler.yaml.tpl
+++ b/charts/scheduler/templates/etc/_kubernetes-scheduler.yaml.tpl
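Review bot: The second `hostNetwork: true`, the context line directly below the added container security-context snippet in _haproxy.yaml.tpl, appears to sit inside the `haproxy` container entry, where Kubernetes defines no such field; it is a PodSpec field and is already set a few lines above under `spec:`. The problem is pre-existing, but this hunk inserts a line immediately above it, so it is the natural moment to delete it; depending on how the rendered manifest is consumed, strict field validation may reject the document, and at best the line is silently ignored and misleads readers about where the setting lives. Indentation is not recoverable from this patch, so please confirm the nesting in the template before removing it. Separately, the `application` key here is `server` while the other three charts use the component name; a one-line comment in values.yaml above the `server:` block, e.g. `# security context for the haproxy pod ("server" in _haproxy.yaml.tpl)`, would make the lookup discoverable.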
@@ -28,11 +28,13 @@ metadata:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
 {{ dict "envAll" $envAll "podName" "scheduler" "containerNames" (list "scheduler") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 4 }}
 spec:
+{{ dict "envAll" $envAll "application" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 2 }}
 hostNetwork: true
 containers:
 - name: scheduler
 image: {{ .Values.images.tags.scheduler }}
 {{ tuple $envAll $envAll.Values.pod.resources.scheduler_pod | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "scheduler" "container" "scheduler" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
 env:
 - name: POD_IP
 valueFrom:
diff --git a/charts/scheduler/values.yaml b/charts/scheduler/values.yaml
index 6961704b..cc7d3390 100644
--- a/charts/scheduler/values.yaml
+++ b/charts/scheduler/values.yaml
@@ -38,6 +38,9 @@ pod:
 anchor:
 runAsUser: 0
 readOnlyRootFilesystem: true
+ scheduler:
+ runAsUser: 0
+ readOnlyRootFilesystem: false
 lifecycle:
 upgrades:
 daemonsets:
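Review bot: The `scheduler` block added to charts/scheduler/values.yaml is flat (`runAsUser` and `readOnlyRootFilesystem` directly under `scheduler:`), whereas the other three values files in this commit nest the settings as `<application>: pod: … container: <name>: …`, which is the layout the `kubernetes_pod_security_context` and `kubernetes_container_security_context` snippets called from _kubernetes-scheduler.yaml.tpl look up (`.Values.pod.security_context.scheduler.pod` and `…scheduler.container.scheduler`). Indentation is not recoverable from this patch: if `scheduler:` is a sibling of `anchor:` under an existing `security_context.scheduler.container:` map the lookup works, but if it lands as a top-level `security_context.scheduler` the snippets either render nothing or fail on the missing key, so please check the rendered manifest. In either case `readOnlyRootFilesystem: false` runs against the commit message's stated purpose; kube-scheduler does not normally need a writable root filesystem, so either set `readOnlyRootFilesystem: true` or add a comment naming the path that must stay writable, e.g. `readOnlyRootFilesystem: false  # needed for <path — TODO confirm>`.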