From cc20c0b3c11ee70d201634f935c6e930c89e1463 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Mon, 14 Dec 2020 14:14:29 -0500
Subject: [PATCH] Add allowPrivilegeEscalation=false to pods (#429)

* Add allowPrivilegeEscalation=false to pods

* Add openshift check

* Add injector openshift check
---
 templates/injector-deployment.yaml | 4 ++++
 templates/server-statefulset.yaml | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/templates/injector-deployment.yaml b/templates/injector-deployment.yaml
index 2f67dad..9240b09 100644
--- a/templates/injector-deployment.yaml
+++ b/templates/injector-deployment.yaml
@@ -46,6 +46,10 @@ spec:
 {{ template "injector.resources" . }}
 image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}"
 imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}"
+ {{- if not .Values.global.openshift }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ {{- end }}
 env:
 - name: AGENT_INJECT_LISTEN
 value: ":8080"
diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml
index be8ed93..62296af 100644
--- a/templates/server-statefulset.yaml
+++ b/templates/server-statefulset.yaml
@@ -70,6 +70,10 @@ spec:
 - "/bin/sh"
 - "-ec"
 args: {{ template "vault.args" . }}
+ {{- if not .Values.global.openshift }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ {{- end }}
 env:
 - name: HOST_IP
 valueFrom:
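Review bot: The `{{- if not .Values.global.openshift }}` guard around the new securityContext records no reason why `allowPrivilegeEscalation: false` is withheld on OpenShift, and the same undocumented guard is added in templates/server-statefulset.yaml. Someone auditing rendered manifests later will find the field missing on one platform with nothing in the template stating that this is intentional. A template comment directly above the guard, such as `{{- /* Not set on OpenShift: <reason the author relies on here> */ -}}` with the placeholder filled in, would capture the decision. It is also worth confirming that `global.openshift` is declared with a default in values.yaml, since an unset value renders the non-OpenShift branch. The enclosing container spec begins and ends outside this hunk.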
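Review bot: The added block sets only `allowPrivilegeEscalation: false`, so the container's securityContext still says nothing about dropped capabilities, `runAsNonRoot` or `readOnlyRootFilesystem`; if the commit's goal is pod hardening, those fields belong in the same block or should be noted as deliberately omitted, and the same applies to the injector-deployment hunk. Because the container spec continues outside this hunk, confirm the container does not already carry a `securityContext:` key elsewhere, as a second one would be a duplicate that most YAML loaders resolve silently last-wins. Indentation is not recoverable from this copy of the patch, so whether the key lands at container level should be checked in the rendered output; `allowPrivilegeEscalation` is valid only in a container securityContext, not the pod-level one.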