From e7232313eaef246a9ec6d05adb783f48a995cbcd Mon Sep 17 00:00:00 2001
From: Steve Wilkerson
Date: Thu, 3 Jan 2019 14:19:39 -0600
Subject: [PATCH] Fluentd: Add security context for pods/containers
This adds the security context snippet to the fluentd and fluentd exporter templates. This changes the users for these two pods from root to the nobody user instead This also adds the container security context to explicitly set allowPrivilegeEscalation to false
Change-Id: Ibf1da152f4aa78d425bbd00f514c2787d8ad9c5f
---
 fluent-logging/templates/deployment-fluentd.yaml | 3 +++
 .../templates/monitoring/prometheus/exporter-deployment.yaml | 3 +++
 fluent-logging/values.yaml | 5 +++++
 3 files changed, 11 insertions(+)
diff --git a/fluent-logging/templates/deployment-fluentd.yaml b/fluent-logging/templates/deployment-fluentd.yaml
index d622fca97..c713af089 100644
--- a/fluent-logging/templates/deployment-fluentd.yaml
+++ b/fluent-logging/templates/deployment-fluentd.yaml
@@ -94,6 +94,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+{{ dict "envAll" $envAll "application" "fluentd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
 {{ tuple $envAll "fluentd" "internal" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@@ -106,6 +107,8 @@ spec:
 - name: fluentd
 {{ tuple $envAll "fluentd" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.fluentd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/fluentd.sh
 - start
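Review bot: The pod-level security context inserted before `serviceAccountName` moves the whole pod to `pod.user.fluentd.uid` (65534 in the values.yaml hunk), but nothing in this hunk shows the volumes or buffer paths fluentd writes to at runtime, so any root-owned directory in the image or a mounted volume may now fail with a permission error at start-up rather than at render time; this is worth verifying on a rendered chart before merge. The snippet is keyed by the literal `"fluentd"`, which has to stay in step with the `pod.user.fluentd` key in values.yaml, so a comment such as `{{/* "application" selects the pod.user.<name>.uid entry in values.yaml */}}` on the new line would help the next editor. The same applies to the `fluentd_exporter` snippet call added in exporter-deployment.yaml. The enclosing pod template spec continues outside the hunk.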
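Review bot: The new container `securityContext` sets only `allowPrivilegeEscalation: false`; the container still keeps the runtime's default capability set and has no container-level guard against a values override that puts `uid` back to 0. If running as root is never intended here, extend the block with `runAsNonRoot: true` and `capabilities:` / `drop: ["ALL"]` — dropping capabilities is presumably safe for an aggregator listening on a non-privileged port, but confirm that no fluentd plugin in use needs one. The identical two-line block is added to the fluentd-exporter container in exporter-deployment.yaml and would take the same change. The container definition continues past the end of the hunk.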
diff --git a/fluent-logging/templates/monitoring/prometheus/exporter-deployment.yaml b/fluent-logging/templates/monitoring/prometheus/exporter-deployment.yaml
index f7be69f5a..57e456357 100644
--- a/fluent-logging/templates/monitoring/prometheus/exporter-deployment.yaml
+++ b/fluent-logging/templates/monitoring/prometheus/exporter-deployment.yaml
@@ -41,6 +41,7 @@ spec:
 labels:
 {{ tuple $envAll "prometheus_fluentd_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "fluentd_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 nodeSelector:
 {{ .Values.labels.prometheus_fluentd_exporter.node_selector_key }}: {{ .Values.labels.prometheus_fluentd_exporter.node_selector_value | quote }}
@@ -51,6 +52,8 @@ spec:
 - name: fluentd-exporter
 {{ tuple $envAll "prometheus_fluentd_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.prometheus_fluentd_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/fluentd-exporter.sh
 - start
diff --git a/fluent-logging/values.yaml b/fluent-logging/values.yaml
index bd2618733..421f634c9 100644
--- a/fluent-logging/values.yaml
+++ b/fluent-logging/values.yaml
@@ -527,6 +527,11 @@ network:
 port: 32329
 pod:
+ user:
+ fluentd:
+ uid: 65534
+ fluentd_exporter:
+ uid: 65534
 affinity:
 anti:
 type:
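Review bot: The two `uid: 65534` entries under the new `pod.user` mapping carry no comment saying what the value is or who reads it; a reader has to take from the commit message that it is the conventional nobody uid and from the template hunks that `kubernetes_pod_security_context` looks it up by the `application` name. Suggest a comment above `user:` such as `# uid handed to the pod security context snippet; keys must match the "application" name used in the templates, 65534 is the conventional nobody uid`. The keys are consistent with the two snippet calls (`fluentd`, `fluentd_exporter`). The rest of the `pod:` block continues outside the hunk.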