From 366357d89365091bf58539222535b159aea495f8 Mon Sep 17 00:00:00 2001
From: RAHUL KHIYANI
Date: Tue, 7 May 2019 13:40:24 -0500
Subject: [PATCH] Kibana: set read-only-fs

This PS permits read-only filesystems to back the containers by setting the default to true
Additionally /run is uniformly applied across all long running pods as a memory backed emptydir
Change-Id: Ia7344e2c8caa1f25101bf30445cdfe277f89c143
---
 kibana/templates/deployment.yaml | 7 ++++++-
 kibana/templates/job-register-kibana-indexes.yaml | 5 +++++
 kibana/values.yaml | 4 ++--
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/kibana/templates/deployment.yaml b/kibana/templates/deployment.yaml
index 6bbdd102d8..298afbdd67 100644
--- a/kibana/templates/deployment.yaml
+++ b/kibana/templates/deployment.yaml
@@ -117,12 +117,14 @@ spec:
 volumeMounts:
 - name: pod-tmp
 mountPath: /tmp
+ - name: pod-run
+ mountPath: /run
 - name: kibana-bin
 mountPath: /tmp/kibana.sh
 subPath: kibana.sh
 readOnly: true
 - name: pod-etc-kibana
- mountPath: /usr/share/kibana/config
+ mountPath: /usr/share/kibana/optimize
 - name: kibana-etc
 mountPath: /usr/share/kibana/config/kibana.yml
 subPath: kibana.yml
@@ -130,6 +132,9 @@ spec:
 volumes:
 - name: pod-tmp
 emptyDir: {}
+ - name: pod-run
+ emptyDir:
+ medium: "Memory"
 - name: pod-etc-kibana
 emptyDir: {}
 - name: kibana-bin
diff --git a/kibana/templates/job-register-kibana-indexes.yaml b/kibana/templates/job-register-kibana-indexes.yaml
index dc4f8f42ee..d5b351c444 100644
--- a/kibana/templates/job-register-kibana-indexes.yaml
+++ b/kibana/templates/job-register-kibana-indexes.yaml
@@ -60,6 +60,8 @@ spec:
 volumeMounts:
 - name: pod-tmp
 mountPath: /tmp
+ - name: pod-run
+ mountPath: /run
 - name: kibana-bin
 mountPath: /tmp/create_kibana_index_patterns.sh
 subPath: create_kibana_index_patterns.sh
@@ -67,6 +69,9 @@ spec:
 volumes:
 - name: pod-tmp
 emptyDir: {}
+ - name: pod-run
+ emptyDir:
+ medium: "Memory"
 - name: kibana-bin
 configMap:
 name: kibana-bin
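Review bot: In the volumeMounts hunk of kibana/templates/deployment.yaml the volume `pod-etc-kibana` is now mounted at `/usr/share/kibana/optimize`, so its name no longer describes what it holds. Renaming it, for example to `pod-optimize-kibana`, in this mount and in the matching `volumes:` entry of the next hunk would keep the manifest readable. With `readOnlyRootFilesystem: true` the only writable paths visible here are `/tmp`, `/run` and `optimize`. If the image also writes elsewhere under `/usr/share/kibana` at runtime (its data directory, presumably), that path needs its own emptyDir, which is worth confirming against the image in use. The container spec starts and ends outside the hunk.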
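Review bot: The `pod-run` volume added to the `volumes:` list of kibana/templates/deployment.yaml uses `medium: "Memory"` with no `sizeLimit`. Anything written under `/run` is therefore held in RAM and is bounded only by whatever memory limit applies to the pod, or by node memory if none is set. Adding a cap under `emptyDir:`, such as `sizeLimit: 64Mi` (illustrative value), stops a runaway or compromised process from exhausting memory through tmpfs. The same applies to the `pod-run` volume added in kibana/templates/job-register-kibana-indexes.yaml.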
diff --git a/kibana/values.yaml b/kibana/values.yaml
index 83015027e7..9ae267efce 100644
--- a/kibana/values.yaml
+++ b/kibana/values.yaml
@@ -45,14 +45,14 @@ pod:
 readOnlyRootFilesystem: false
 kibana:
 allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 register_kibana_indexes:
 pod:
 runAsUser: 999
 container:
 register_kibana_indexes:
 allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 affinity:
 anti:
 type:
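Review bot: The first `readOnlyRootFilesystem: false` in this hunk's context, on the container entry just above `kibana:` whose key lies outside the hunk, is left writable, so the pod is only partly covered by the new default. If that container can run on a read-only root it should be flipped as well, or carry a comment explaining why it cannot. Because the `true` default only works with the emptyDir mounts added in the templates, a comment next to the flag would help operators who override values, e.g. `# needs writable emptyDir mounts for /tmp, /run and /usr/share/kibana/optimize (templates/deployment.yaml)`.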