From e6731016a10e8e470bea3bab193dd06a97ff71f9 Mon Sep 17 00:00:00 2001
From: Tim Jespers
Date: Thu, 4 Jul 2024 15:56:52 +0200
Subject: [PATCH] feat: add securityContext defaults to deployment manifest

This commit makes the deployment manifest comply with the "restricted" PodSecurity Standard profile. Doing so allows capacitor to be deployed to clusters enforcing this profile on the flux-system namespace without the need for customization of the supplied manifests in this repository.
---
 deploy/helm/onechart-helm-values.yaml | 12 ++++++++++++
 deploy/k8s/manifest.yaml | 16 +++++++++++++---
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/deploy/helm/onechart-helm-values.yaml b/deploy/helm/onechart-helm-values.yaml
index bc4ac67..980f777 100644
--- a/deploy/helm/onechart-helm-values.yaml
+++ b/deploy/helm/onechart-helm-values.yaml
@@ -8,3 +8,15 @@ probe:
 resources:
 ignoreLimits: true
 serviceAccount: capacitor
+
+securityContext:
+ runAsNonRoot: true
+ runAsUser: 100
+ runAsGroup: 101
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
\ No newline at end of file
diff --git a/deploy/k8s/manifest.yaml b/deploy/k8s/manifest.yaml
index 59a5f51..b1bd220 100644
--- a/deploy/k8s/manifest.yaml
+++ b/deploy/k8s/manifest.yaml
@@ -6,7 +6,7 @@ metadata:
 name: capacitor
 namespace: flux-system
 labels:
- helm.sh/chart: onechart-0.63.0
+ helm.sh/chart: onechart-0.69.0
 app.kubernetes.io/name: onechart
 app.kubernetes.io/instance: capacitor
 app.kubernetes.io/managed-by: Helm
@@ -28,7 +28,7 @@ metadata:
 name: capacitor
 namespace: flux-system
 labels:
- helm.sh/chart: onechart-0.63.0
+ helm.sh/chart: onechart-0.69.0
 app.kubernetes.io/name: onechart
 app.kubernetes.io/instance: capacitor
 app.kubernetes.io/managed-by: Helm
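Review bot: The new `securityContext` block in onechart-helm-values.yaml pins `runAsUser: 100` and `runAsGroup: 101`, which the restricted PodSecurity profile does not require (it needs `runAsNonRoot`, a seccomp profile, dropped capabilities and no privilege escalation, all of which are also set here), so these IDs are an assumption about the image's USER that should be documented, e.g. `# UID/GID must match the USER baked into the capacitor image; restricted PSS itself only requires runAsNonRoot`. `readOnlyRootFilesystem: true` is added without any writable volume in this commit; if the process writes under its root filesystem at runtime (a temp or cache directory, for instance) it may now fail, which is worth confirming before this becomes the default. The same settings are rendered into deploy/k8s/manifest.yaml in the `@@ -70,7 +70,17 @@` hunk, so both hunks are affected. The values file is also left without a trailing newline (`\ No newline at end of file`).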
@@ -70,7 +70,17 @@ spec:
 requests:
 cpu: 200m
 memory: 200Mi
- securityContext: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 101
+ runAsNonRoot: true
+ runAsUser: 100
+ seccompProfile:
+ type: RuntimeDefault
 initContainers: null
 securityContext:
 fsGroup: 999
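Review bot: The pod-level `securityContext: fsGroup: 999` kept as context at the end of the hunk now sits next to a container-level `runAsGroup: 101`, and nothing in the manifest says whether that difference is intentional. fsGroup is applied to mounted volumes and granted to the process as a supplementary group, so a process running as 100:101 can still access those volumes, but a reader is likely to take 999 versus 101 for a mismatch; a comment on the pod-level securityContext such as `# fsGroup 999 is a supplementary group for volume access; the container process itself runs as 100:101` would settle it. The enclosing Deployment spec continues outside the hunk.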