From 1beff94fceb056ebd6e2a10df2f65ce06c1389df Mon Sep 17 00:00:00 2001 From: gitlawr Date: Tue, 22 Oct 2019 14:52:02 +0800 Subject: [PATCH] Update securityContext for monitoring containers To make monitoring work when hardening rules are applied. --- .../charts/operator-init/templates/job-install-crds.yaml | 4 ++++ charts/rancher-monitoring/v0.0.5/values.yaml | 5 ++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/charts/rancher-monitoring/v0.0.5/charts/operator-init/templates/job-install-crds.yaml b/charts/rancher-monitoring/v0.0.5/charts/operator-init/templates/job-install-crds.yaml index 8805c45..6875ee1 100644 --- a/charts/rancher-monitoring/v0.0.5/charts/operator-init/templates/job-install-crds.yaml +++ b/charts/rancher-monitoring/v0.0.5/charts/operator-init/templates/job-install-crds.yaml @@ -16,6 +16,10 @@ spec: tolerations: {{- include "linux-node-tolerations" . | nindent 8}} serviceAccountName: {{ template "app.fullname" . }} + securityContext: + runAsUser: 65534 + runAsNonRoot: true + fsGroup: 65534 containers: - name: operator-init-crds image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} diff --git a/charts/rancher-monitoring/v0.0.5/values.yaml b/charts/rancher-monitoring/v0.0.5/values.yaml index e349673..b3a4ad7 100644 --- a/charts/rancher-monitoring/v0.0.5/values.yaml +++ b/charts/rancher-monitoring/v0.0.5/values.yaml @@ -198,7 +198,10 @@ exporter-kube-state: ## Already exist ServiceAccount ## serviceAccountName: "" - securityContext: {} + securityContext: + runAsUser: 65534 + runAsNonRoot: true + fsGroup: 65534 alertmanager: enabled: false -- GitLab
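Review bot: The pod-level `securityContext` added to the operator-init-crds Job in job-install-crds.yaml is hard-coded in the template, whereas this commit exposes the same three settings for exporter-kube-state through values.yaml. A cluster whose admission policy requires a different UID or fsGroup range has no way to override it here. Consider rendering it from a values key instead, for example `securityContext: {{- toYaml .Values.securityContext | nindent 8 }}`, with the 65534 defaults kept in the subchart's values. Separately, `runAsUser` and `runAsNonRoot` do not set the primary group or block privilege escalation; hardening baselines commonly also expect `runAsGroup: 65534` at pod level and `allowPrivilegeEscalation: false` on the container. The container spec continues outside this hunk, so whether it already sets a container-level context is not visible.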
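Review bot: The new default for `securityContext` under `exporter-kube-state` in values.yaml has no comment, and changing it from `{}` to a populated map changes how user overrides behave. Helm deep-merges maps, so a values file that sets only `runAsUser` will now also inherit `runAsNonRoot: true` and `fsGroup: 65534`. A comment above the key would make this explicit, for example `## Runs as nobody (65534) to satisfy non-root pod policies; set a key to null to remove it`. The hunk covers only exporter-kube-state, so whether other components in this values file need the same default cannot be judged from the visible lines.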