From 6c073dad3a645a97246bbdbc8a0236b24ca9a67b Mon Sep 17 00:00:00 2001
From: Attila
Date: Mon, 21 Aug 2023 11:23:34 +0200
Subject: [PATCH] No default UID and GID for injected containers

---
 cmd/azure-keyvault-secrets-webhook/main.go | 2 --
 cmd/azure-keyvault-secrets-webhook/pod.go | 8 ++++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/cmd/azure-keyvault-secrets-webhook/main.go b/cmd/azure-keyvault-secrets-webhook/main.go
index 51154c90..0034e0d2 100644
--- a/cmd/azure-keyvault-secrets-webhook/main.go
+++ b/cmd/azure-keyvault-secrets-webhook/main.go
@@ -209,8 +209,6 @@ func initConfig() {
 	viper.SetDefault("webhook_container_image_pull_policy", corev1.PullIfNotPresent)
 	viper.SetDefault("webhook_container_security_context_read_only", false)
 	viper.SetDefault("webhook_container_security_context_non_root", false)
-	viper.SetDefault("webhook_container_security_context_user_uid", 1000)
-	viper.SetDefault("webhook_container_security_context_group_gid", 3000)
 	viper.SetDefault("webhook_container_security_context_privileged", true)
 
 	viper.SetDefault("webhook_pod_spec_security_context_non_root", false)
diff --git a/cmd/azure-keyvault-secrets-webhook/pod.go b/cmd/azure-keyvault-secrets-webhook/pod.go
index f94ef5bb..d4ad403a 100644
--- a/cmd/azure-keyvault-secrets-webhook/pod.go
+++ b/cmd/azure-keyvault-secrets-webhook/pod.go
@@ -73,8 +73,6 @@ func (p podWebHook) getInitContainers() []corev1.Container {
 			},
 			ReadOnlyRootFilesystem: &[]bool{viper.GetBool("webhook_container_security_context_read_only")}[0],
 			RunAsNonRoot: &[]bool{viper.GetBool("webhook_container_security_context_non_root")}[0],
-			RunAsUser: &[]int64{viper.GetInt64("webhook_container_security_context_user_uid")}[0],
-			RunAsGroup: &[]int64{viper.GetInt64("webhook_container_security_context_group_gid")}[0],
 			Privileged: &[]bool{viper.GetBool("webhook_container_security_context_privileged")}[0],
 		},
 		VolumeMounts: []corev1.VolumeMount{
@@ -84,6 +82,12 @@ func (p podWebHook) getInitContainers() []corev1.Container {
 			},
 		},
 	}
 
+	if viper.IsSet("webhook_container_security_context_user_uid") {
+		container.SecurityContext.RunAsUser = &[]int64{viper.GetInt64("webhook_container_security_context_user_uid")}[0]
+	}
+	if viper.IsSet("webhook_container_security_context_group_gid") {
+		container.SecurityContext.RunAsGroup = &[]int64{viper.GetInt64("webhook_container_security_context_group_gid")}[0]
+	}
 	return []corev1.Container{container}
 }
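Review bot: The two `viper.IsSet` guards only work because the main.go hunk removes the `SetDefault` calls for these keys — viper reports a defaulted key as set — so the coupling deserves a comment next to the first guard, e.g. `// No SetDefault for the uid/gid keys: IsSet must stay false unless the operator configures them, otherwise the image's USER applies.`, so a later default does not silently re-pin the UID. With neither key configured the init container now inherits whatever user its image declares, and the context lines in main.go show `privileged` defaulting to true and `non_root` to false, so the container can run as root unless the operator opts in; that is a behaviour change for existing installs that previously got 1000/3000 and should be stated in the deployment documentation. If `non_root` is enabled without a uid, the kubelet will reject images that lack a numeric USER, which is worth noting in the same place. As a matter of style, `uid := viper.GetInt64("webhook_container_security_context_user_uid"); container.SecurityContext.RunAsUser = &uid` reads more plainly than the `&[]int64{...}[0]` slice trick. getInitContainers starts outside this hunk.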