From a5e8953bd4d070149ff807c056dd6b697b57b7bb Mon Sep 17 00:00:00 2001
From: RAHUL KHIYANI
Date: Tue, 23 Apr 2019 01:01:50 -0500
Subject: [PATCH] ceph-mon: Fix security context

This PS fixes the use of the security context macros for the ceph-mon chart.

Change-Id: Ibde448481c44f2753ddfe57e590ea7d05671793a
---
 ceph-mon/templates/daemonset-mon.yaml | 6 ++--
 ceph-mon/templates/deployment-moncheck.yaml | 2 ++
 ceph-mon/templates/job-bootstrap.yaml | 2 ++
 .../templates/job-storage-admin-keys.yaml | 2 ++
 ceph-mon/values.yaml | 29 +++++++++++++++++++
 5 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/ceph-mon/templates/daemonset-mon.yaml b/ceph-mon/templates/daemonset-mon.yaml
index 9fda877ec..a53117ad7 100644
--- a/ceph-mon/templates/daemonset-mon.yaml
+++ b/ceph-mon/templates/daemonset-mon.yaml
@@ -68,6 +68,7 @@ spec:
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
+{{ dict "envAll" $envAll "application" "mon" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
       nodeSelector:
         {{ .Values.labels.mon.node_selector_key }}: {{ .Values.labels.mon.node_selector_value }}
@@ -77,6 +78,7 @@ spec:
 {{ tuple $envAll "mon" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
         - name: ceph-init-dirs
 {{ tuple $envAll "ceph_mon" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "mon" "container" "ceph_init_dirs" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           command:
             - /tmp/init-dirs.sh
           env:
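Review bot: ceph-init-dirs now receives `readOnlyRootFilesystem: true` through the new container snippet (values.yaml sets it under `mon.container.ceph_init_dirs`), but the hunk ends at `env:` before the container's volumeMounts, so it is not visible whether everything `/tmp/init-dirs.sh` writes lands on a mounted volume; a script that creates directories on the container's own filesystem would now fail on first run. The same question applies to ceph_mon in the -119 hunk of this file and to ceph_bootstrap and ceph_storage_keys_generator in the two job templates. Worth confirming against the scripts before merging, and recording the expectation next to the values block, e.g. `# containers run with a read-only root fs; any path they write must be a volume mount`. The init container definition continues outside the hunk.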
@@ -98,8 +100,7 @@ spec:
               readOnly: false
         - name: ceph-log-ownership
 {{ tuple $envAll "ceph_mon" | include "helm-toolkit.snippets.image" | indent 10 }}
-          securityContext:
-            runAsUser: 0
+{{ dict "envAll" $envAll "application" "mon" "container" "ceph_log_ownership" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           command:
             - chown
             - -R
@@ -119,6 +120,7 @@ spec:
         - name: ceph-mon
 {{ tuple $envAll "ceph_mon" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.mon | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "mon" "container" "ceph_mon" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           env:
             - name: CLUSTER
               value: "ceph"
diff --git a/ceph-mon/templates/deployment-moncheck.yaml b/ceph-mon/templates/deployment-moncheck.yaml
index f5619efef..ff488b669 100644
--- a/ceph-mon/templates/deployment-moncheck.yaml
+++ b/ceph-mon/templates/deployment-moncheck.yaml
@@ -40,6 +40,7 @@ spec:
       annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "moncheck" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
       affinity:
 {{ tuple $envAll "ceph" "moncheck" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@@ -51,6 +52,7 @@ spec:
         - name: ceph-mon
 {{ tuple $envAll "ceph_mon_check" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.moncheck | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "moncheck" "container" "ceph_mon" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           env:
             - name: CLUSTER
               value: "ceph"
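Review bot: The explicit `runAsUser: 0` removed from ceph-log-ownership is what the `chown -R` on the following lines depends on, and after this hunk that uid comes only from the pod-wide default `pod.security_context.mon.pod.runAsUser: 0` in values.yaml; an operator who raises the pod default to a non-root uid to harden the mon pod will break this init container with nothing in the chart pointing at why. Pinning the requirement at the container level keeps it next to the one container whose command visibly needs it: under `ceph_log_ownership:` in values.yaml add `runAsUser: 0` alongside `readOnlyRootFilesystem: true`, with a comment such as `# chown -R of the log directory requires uid 0`. The ceph-log-ownership definition continues outside the hunk.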
diff --git a/ceph-mon/templates/job-bootstrap.yaml b/ceph-mon/templates/job-bootstrap.yaml
index 670190d79..e25ec4b69 100644
--- a/ceph-mon/templates/job-bootstrap.yaml
+++ b/ceph-mon/templates/job-bootstrap.yaml
@@ -32,6 +32,7 @@ spec:
       labels:
 {{ tuple $envAll "ceph" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "bootstrap" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
       restartPolicy: OnFailure
       nodeSelector:
@@ -42,6 +43,7 @@ spec:
         - name: ceph-bootstrap
 {{ tuple $envAll "ceph_bootstrap" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "bootstrap" "container" "ceph_bootstrap" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           command:
             - /tmp/bootstrap.sh
           volumeMounts:
diff --git a/ceph-mon/templates/job-storage-admin-keys.yaml b/ceph-mon/templates/job-storage-admin-keys.yaml
index b1c9a1e25..be5dd2781 100644
--- a/ceph-mon/templates/job-storage-admin-keys.yaml
+++ b/ceph-mon/templates/job-storage-admin-keys.yaml
@@ -59,6 +59,7 @@ spec:
       labels:
 {{ tuple $envAll "ceph" "storage-keys-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
     spec:
+{{ dict "envAll" $envAll "application" "storage_keys_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
       restartPolicy: OnFailure
       nodeSelector:
@@ -69,6 +70,7 @@ spec:
         - name: ceph-storage-keys-generator
 {{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.jobs.secret_provisioning | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "storage_keys_generator" "container" "ceph_storage_keys_generator" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           env:
             - name: DEPLOYMENT_NAMESPACE
               valueFrom:
diff --git a/ceph-mon/values.yaml b/ceph-mon/values.yaml
index 846ef1e20..4b9dffa6a 100644
--- a/ceph-mon/values.yaml
+++ b/ceph-mon/values.yaml
@@ -45,6 +45,35 @@ labels:
     node_selector_value: enabled
 
 pod:
+  security_context:
+    mon:
+      pod:
+        runAsUser: 0
+      container:
+        ceph_init_dirs:
+          readOnlyRootFilesystem: true
+        ceph_log_ownership:
+          readOnlyRootFilesystem: true
+        ceph_mon:
+          readOnlyRootFilesystem: true
+    moncheck:
+      pod:
+        runAsUser: 0
+      container:
+        ceph_mon:
+          readOnlyRootFilesystem: true
+    bootstrap:
+      pod:
+        runAsUser: 0
+      container:
+        ceph_bootstrap:
+          readOnlyRootFilesystem: true
+    storage_keys_generator:
+      pod:
+        runAsUser: 0
+      container:
+        ceph_storage_keys_generator:
+          readOnlyRootFilesystem: true
   dns_policy: "ClusterFirstWithHostNet"
   replicas:
     mon_check: 1
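Review bot: Every application's `pod:` block in the values.yaml hunk sets `runAsUser: 0`, which makes root the explicit default for all containers in the mon daemonset, the moncheck deployment and both jobs; as far as the template hunks show, before this change only ceph-log-ownership declared root and the other containers ran as whatever their images set. If root is needed only by specific containers (the `chown -R` in ceph-log-ownership is the one case visible here), a narrower default would leave the pod-level uid unset and put `runAsUser: 0` under just those containers, which should work through the same snippet if it renders the container block as given — the readOnlyRootFilesystem entries already rely on that. Separately, nothing ties these keys to the `"application"`/`"container"` strings passed to the snippets in templates/ other than spelling, so a comment above `security_context:` such as `# keys must match the application/container names passed to the helm-toolkit security_context snippets in templates/` would help keep the two from drifting.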