From 425b74fc30603522bd2efca222a069d8011a2fb9 Mon Sep 17 00:00:00 2001
From: Julien Mailleret <8582351+jmlrt@users.noreply.github.com>
Date: Wed, 6 Jan 2021 09:32:58 +0100
Subject: [PATCH] [apm-server] run as non root user (#996)

---
 apm-server/templates/deployment.yaml | 8 ++++++--
 apm-server/tests/apmserver_test.py | 16 +++++++++++++---
 apm-server/values.yaml | 9 ++++++++-
 3 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/apm-server/templates/deployment.yaml b/apm-server/templates/deployment.yaml
index ca3248cd2..fa87cfa5a 100644
--- a/apm-server/templates/deployment.yaml
+++ b/apm-server/templates/deployment.yaml
@@ -30,6 +30,10 @@ spec:
 configChecksum: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum | trunc 63 }}
 {{- end }}
 spec:
+{{- if .Values.podSecurityContext }}
+ securityContext:
+{{ toYaml .Values.podSecurityContext | indent 10 }}
+{{- end }}
 {{- if .Values.priorityClassName }}
 priorityClassName: {{ .Values.priorityClassName }}
 {{- end }}
@@ -84,9 +88,9 @@ spec:
 envFrom:
 {{ toYaml .Values.envFrom | indent 10 }}
 {{- end }}
-{{- if .Values.podSecurityContext }}
+{{- if .Values.securityContext }}
 securityContext:
-{{ toYaml .Values.podSecurityContext | indent 10 }}
+{{ toYaml .Values.securityContext | indent 10 }}
 {{- end }}
 livenessProbe:
 {{ toYaml .Values.livenessProbe | indent 10 }}
diff --git a/apm-server/tests/apmserver_test.py b/apm-server/tests/apmserver_test.py
index b6b8218af..c86a5348d 100644
--- a/apm-server/tests/apmserver_test.py
+++ b/apm-server/tests/apmserver_test.py
@@ -146,16 +146,26 @@ def test_self_managing_rbac_resources():
 assert "clusterrolebinding" not in r
 
 
+def test_setting_container_security_context():
+ config = """
+securityContext:
+ runAsUser: 1001
+ privileged: true
+"""
+ r = helm_template(config)
+ c = r["deployment"][name]["spec"]["template"]["spec"]["containers"][0]
+ assert c["securityContext"]["runAsUser"] == 1001
+ assert c["securityContext"]["privileged"] is True
+
+
 def test_setting_pod_security_context():
 config = """
 podSecurityContext:
 runAsUser: 1001
- privileged: false
 """
 r = helm_template(config)
- c = r["deployment"][name]["spec"]["template"]["spec"]["containers"][0]
+ c = r["deployment"][name]["spec"]["template"]["spec"]
 assert c["securityContext"]["runAsUser"] == 1001
- assert c["securityContext"]["privileged"] is False
 
 
 def test_adding_in_apm_config():
diff --git a/apm-server/values.yaml b/apm-server/values.yaml
index 3c0a49875..4f802c9ed 100755
--- a/apm-server/values.yaml
+++ b/apm-server/values.yaml
@@ -82,8 +82,15 @@ podAnnotations: {}
 labels: {}
 
 podSecurityContext:
- runAsUser: 0
+ fsGroup: 1000
+ runAsUser: 1000
+ runAsGroup: 0
+
+securityContext:
 privileged: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 0
 
 livenessProbe:
 httpGet:
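Review bot: The new test_setting_container_security_context only proves that an explicit override is rendered into the container; nothing in this hunk asserts that the chart's new defaults (`runAsNonRoot: true`, `privileged: false` from values.yaml) are rendered when no override is given, which is the property the commit title claims. A defaults check such as `c = helm_template("")["deployment"][name]["spec"]["template"]["spec"]["containers"][0]` followed by `assert c["securityContext"]["runAsNonRoot"] is True` and `assert c["securityContext"]["privileged"] is False` would catch a future regression back to root, assuming helm_template accepts an empty config as the other tests presumably do; if a defaults test already exists outside this hunk, the two asserts belong there. Using `privileged: true` as the sample override is also an odd choice for a non-root commit — `readOnlyRootFilesystem: true` exercises the same rendering path without leaving a privileged container as the documented example.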
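Review bot: The new container `securityContext` sets `runAsNonRoot` and `runAsUser` but stops short of the usual non-root hardening: with `allowPrivilegeEscalation` unset (it defaults to true) and no dropped capabilities, a process in the container can still regain privileges through setuid binaries or file capabilities. Adding `allowPrivilegeEscalation: false` plus `capabilities:` / `  drop: ["ALL"]` under `securityContext:` closes that, on the assumption that the apm-server image needs no Linux capabilities — worth confirming against the image before merging. `runAsGroup: 0` at both the pod and container level also deserves a comment, since it gives the process root as its primary group; presumably the image's files are group-owned by root, in which case `# primary group 0 matches the image's file ownership` (or whatever the real reason is) should sit next to it. Finally `runAsUser: 1000` is now duplicated in podSecurityContext and securityContext; the container value wins, so either drop one or comment which is authoritative so they do not drift apart.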