From 085610523fb1422a46b0f3c79d53694b5380bd14 Mon Sep 17 00:00:00 2001
From: Rahul Khiyani <rk0850@att.com>
Date: Fri, 26 Oct 2018 20:23:53 -0500
Subject: [PATCH] Keystone podSecurityContext

securitycontext with non-root user is implemented at pod level
and leveraged the helm-toolkit snippet

Fix for adding allowPrivilegeEscalation flag as a blanket
policy on the pod in the keyston chart

Depends-On: I95264c933b51e2a8e38f63faa1e239bb3c1ebfda
Change-Id: I15333df4707948e50deb935ffc1ee599588e4788
---
 keystone/templates/deployment-api.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml
index c985cad132..23bdc72c1a 100644
--- a/keystone/templates/deployment-api.yaml
+++ b/keystone/templates/deployment-api.yaml
@@ -45,6 +45,7 @@ spec:
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
+{{ dict "envAll" $envAll "application" "keystone" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
       affinity:
 {{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@@ -58,7 +59,7 @@ spec:
 {{ tuple $envAll "keystone_api" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
           securityContext:
-            runAsUser: {{ .Values.pod.user.keystone.uid }}
+            allowPrivilegeEscalation: false
           command:
             - /tmp/keystone-api.sh
             - start