Mariadb: Add security context for mysql exporter pod/container

This adds a security context to the mysql prometheus exporter pod, which changes the user from root to the nobody user (uid 99 here) instead This also adds the container security context to explicitly set allowPrivilegeEscalation to false Change-Id: I5ddebb059e3c31c231fdc4c24190a65f23e37785
2019-01-03 15:26:44 -06:00 · 2019-01-03 15:26:44 -06:00 · 530e765815
parent 3819986398
commit 530e765815
2 changed files with 6 additions and 0 deletions
--- a/mariadb/templates/monitoring/prometheus/exporter-deployment.yaml
+++ b/mariadb/templates/monitoring/prometheus/exporter-deployment.yaml
@ -38,6 +38,7 @@ spec:
 {{ tuple $envAll "prometheus_mysql_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
      namespace: {{ .Values.endpoints.prometheus_mysql_exporter.namespace }}
    spec:
+{{ dict "envAll" $envAll "application" "mysql_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      shareProcessNamespace: true
      serviceAccountName: {{ $serviceAccountName }}
      nodeSelector:
@ -49,6 +50,8 @@ spec:
        - name: mysql-exporter
 {{ tuple $envAll "prometheus_mysql_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.prometheus_mysql_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          securityContext:
+            allowPrivilegeEscalation: false
          command:
            - /tmp/mysqld-exporter.sh
            - start
--- a/mariadb/values.yaml
+++ b/mariadb/values.yaml
@ -51,6 +51,9 @@ labels:
    node_selector_value: enabled

 pod:
+  user:
+    mysql_exporter:
+      uid: 99
  affinity:
    anti:
      type: