From e7232313eaef246a9ec6d05adb783f48a995cbcd Mon Sep 17 00:00:00 2001
From: Steve Wilkerson
Date: Thu, 3 Jan 2019 14:19:39 -0600
Subject: [PATCH] Fluentd: Add security context for pods/containers

This adds the security context snippet to the fluentd and fluentd exporter templates. This changes the users for these two pods from root to the nobody user instead This also adds the container security context to explicitly set allowPrivilegeEscalation to false
Change-Id: Ibf1da152f4aa78d425bbd00f514c2787d8ad9c5f
---
 fluent-logging/templates/deployment-fluentd.yaml | 3 +++
 .../templates/monitoring/prometheus/exporter-deployment.yaml | 3 +++
 fluent-logging/values.yaml | 5 +++++
 3 files changed, 11 insertions(+)

diff --git a/fluent-logging/templates/deployment-fluentd.yaml b/fluent-logging/templates/deployment-fluentd.yaml
index d622fca971..c713af0891 100644
--- a/fluent-logging/templates/deployment-fluentd.yaml
+++ b/fluent-logging/templates/deployment-fluentd.yaml
@@ -94,6 +94,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+{{ dict "envAll" $envAll "application" "fluentd" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 affinity:
 {{ tuple $envAll "fluentd" "internal" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
@@ -106,6 +107,8 @@ spec:
 - name: fluentd
 {{ tuple $envAll "fluentd" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.fluentd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/fluentd.sh
 - start
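Review bot: The pod now runs as the uid configured in `.Values.pod.user.fluentd.uid` through the added `kubernetes_pod_security_context` include, but nothing in this hunk addresses what that uid is able to read; a fluentd deployment of this kind usually mounts host log directories (the volume definitions are outside this hunk), and files there that are not world-readable are silently skipped by fluentd rather than failing at startup. Verify on a rendered manifest that every hostPath the pod mounts is readable by uid 65534, or, if the snippet accepts one, set a supplemental group in the same values so group-readable log files still work. The same include is added to the exporter deployment in the next file, where the same check applies to whatever that pod mounts. The enclosing pod `spec:` continues outside the hunk.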
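Review bot: The new container `securityContext` sets only `allowPrivilegeEscalation: false`; with the pod now running as a non-root uid, dropping all capabilities is the complementary setting the restricted Pod Security profile expects and it documents that fluentd needs none, at no runtime cost. Add `capabilities:` with `drop: [ALL]` under the new `securityContext`, and consider `readOnlyRootFilesystem: true` if `/tmp/fluentd.sh` and fluentd's buffer paths do not write to the container's root filesystem (not visible here). The same applies to the exporter container `securityContext` in the next file. The container definition continues outside the hunk.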
diff --git a/fluent-logging/templates/monitoring/prometheus/exporter-deployment.yaml b/fluent-logging/templates/monitoring/prometheus/exporter-deployment.yaml
index f7be69f5a7..57e4563571 100644
--- a/fluent-logging/templates/monitoring/prometheus/exporter-deployment.yaml
+++ b/fluent-logging/templates/monitoring/prometheus/exporter-deployment.yaml
@@ -41,6 +41,7 @@ spec:
 labels:
 {{ tuple $envAll "prometheus_fluentd_exporter" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+{{ dict "envAll" $envAll "application" "fluentd_exporter" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
 serviceAccountName: {{ $serviceAccountName }}
 nodeSelector:
 {{ .Values.labels.prometheus_fluentd_exporter.node_selector_key }}: {{ .Values.labels.prometheus_fluentd_exporter.node_selector_value | quote }}
@@ -51,6 +52,8 @@ spec:
 - name: fluentd-exporter
 {{ tuple $envAll "prometheus_fluentd_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.prometheus_fluentd_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ securityContext:
+ allowPrivilegeEscalation: false
 command:
 - /tmp/fluentd-exporter.sh
 - start
diff --git a/fluent-logging/values.yaml b/fluent-logging/values.yaml
index bd26187333..421f634c98 100644
--- a/fluent-logging/values.yaml
+++ b/fluent-logging/values.yaml
@@ -527,6 +527,11 @@ network:
 port: 32329
 pod:
+ user:
+ fluentd:
+ uid: 65534
+ fluentd_exporter:
+ uid: 65534
 affinity:
 anti:
 type:
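Review bot: The new `pod.user.*.uid` values in values.yaml carry no comment explaining the choice, and 65534 is only `nobody` by convention of the image's `/etc/passwd`, so a reader switching images has no hint what to verify. Add above `user:` a comment such as `# uid 65534 is the conventional 'nobody' user; any host paths the pods mount must be readable by this uid`, and if the pod security context snippet also accepts a gid or fsGroup key, set it next to the uid rather than relying on the image default for that uid. The `pod:` mapping continues outside the hunk.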