Mariadb: Add security context for mysql exporter pod/container

This adds a security context to the mysql prometheus exporter pod,
so that it runs as the nobody user (uid 99 here) instead of
root.

This also adds the container security context to explicitly set
allowPrivilegeEscalation to false

Change-Id: I5ddebb059e3c31c231fdc4c24190a65f23e37785
Steve Wilkerson 2019-01-03 15:26:44 -06:00
parent 3819986398
commit 530e765815
2 changed files with 6 additions and 0 deletions


@ -38,6 +38,7 @@ spec:
{{ tuple $envAll "prometheus_mysql_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
namespace: {{ .Values.endpoints.prometheus_mysql_exporter.namespace }}
spec:
{{ dict "envAll" $envAll "application" "mysql_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
shareProcessNamespace: true
serviceAccountName: {{ $serviceAccountName }}
nodeSelector:
@ -49,6 +50,8 @@ spec:
- name: mysql-exporter
{{ tuple $envAll "prometheus_mysql_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.prometheus_mysql_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
securityContext:
allowPrivilegeEscalation: false
command:
- /tmp/mysqld-exporter.sh
- start
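Review bot: The container-level `securityContext` added to the `mysql-exporter` container is hard-coded to the single field `allowPrivilegeEscalation: false`, whereas the pod-level context in the first hunk is rendered through the helm-toolkit snippet and, judging by the values change, driven by `pod.user.mysql_exporter.uid`. Nothing visible here drops Linux capabilities or enforces a non-root start, so if that uid is overridden to 0 (assuming the snippet maps it to `runAsUser`) the container would run as root with the default capability set. I would add `runAsNonRoot: true` and `capabilities: {drop: [ALL]}` under the same key, or render this block from values so operators can tighten it without editing the template; `readOnlyRootFilesystem: true` is worth testing too, provided the exporter script writes only to mounted volumes. The container spec starts and continues outside the hunk.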


@ -51,6 +51,9 @@ labels:
node_selector_value: enabled
pod:
user:
mysql_exporter:
uid: 99
affinity:
anti:
type: