From 774d85b77ed93ef79cd9d1e90f99c27783d7f463 Mon Sep 17 00:00:00 2001
From: "KHIYANI, RAHUL (rk0850)"
Date: Tue, 14 Jul 2020 11:09:41 -0500
Subject: [PATCH] Add missing security-context for ceph-rgw test pod
This updates the ceph-rgw chart to include the pod security context on the pod template. This also adds the container security context to set readOnlyRootFilesystem flag to true
Change-Id: Ib6be059e387f1932a5655df07ae182f75f142538
---
 ceph-rgw/templates/pod-helm-tests.yaml | 1 +
 ceph-rgw/values.yaml | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/ceph-rgw/templates/pod-helm-tests.yaml b/ceph-rgw/templates/pod-helm-tests.yaml
index 8eec5b295..64af98de8 100644
--- a/ceph-rgw/templates/pod-helm-tests.yaml
+++ b/ceph-rgw/templates/pod-helm-tests.yaml
@@ -78,6 +78,7 @@ spec:
 - name: ceph-rgw-s3-validation
 {{ tuple $envAll "ceph_rgw" | include "helm-toolkit.snippets.image" | indent 6 }}
 {{ tuple $envAll $envAll.Values.pod.resources.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+{{ dict "envAll" $envAll "application" "rgw_test" "container" "ceph_rgw_s3_validation" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 6 }}
 env:
 {{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw_s3.admin }}
 {{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 8 }}
diff --git a/ceph-rgw/values.yaml b/ceph-rgw/values.yaml
index 4d2c37f1c..aa3cb1cc2 100644
--- a/ceph-rgw/values.yaml
+++ b/ceph-rgw/values.yaml
@@ -99,6 +99,9 @@ pod:
 ceph_rgw_ks_validation:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
+ ceph_rgw_s3_validation:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 bootstrap:
 pod:
 runAsUser: 65534
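Review bot: The include added at new line 81 of pod-helm-tests.yaml supplies only the container-level securityContext, while the commit message also promises the pod security context on the pod template, and no `helm-toolkit.snippets.kubernetes_pod_security_context` line appears in this hunk. The pod spec starts above line 78 and is outside the hunk, so the pod-level include may already exist; if it does not, the pod-level settings for `rgw_test` (presumably under `pod.security_context.rgw_test.pod`, which this patch does not show) are never applied to the test pod. The lookup is also keyed on the exact strings `rgw_test` and `ceph_rgw_s3_validation`, and a mismatch with values.yaml appears to render no securityContext at all rather than fail, so checking the `helm template` output for this container is worthwhile. A short template comment above the include, such as `{{/* securityContext is read from pod.security_context.rgw_test.container.ceph_rgw_s3_validation */}}`, would make that coupling visible to the next editor.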
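Review bot: `readOnlyRootFilesystem: true` on the new `ceph_rgw_s3_validation` entry will make the validation container fail on any write outside a mounted volume, and the template hunk ends before any volumeMounts for that container. Confirm that the test script's scratch paths (temporary files, client config) sit on a writable emptyDir, otherwise the helm test breaks while the hardening looks correct on paper. The entry also leaves Linux capabilities at the runtime default. If the helm-toolkit snippet passes this map through verbatim (not visible here), adding `capabilities:` with `drop: [ALL]` below `readOnlyRootFilesystem` would tighten it further, and the neighbouring `ceph_rgw_ks_validation` entry would benefit from the same change.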