From 434a38b21eb9f9ef7d2f4cff566a62035f699d01 Mon Sep 17 00:00:00 2001
From: Tim Jespers
Date: Thu, 4 Jul 2024 15:56:52 +0200
Subject: [PATCH] feat: add securityContext defaults to deployment manifest

This commit makes the deployment manifest comply with the "restricted" PodSecurity Standard profile. Doing so allows capacitor to be deployed to clusters enforcing this profile on the flux-system namespace without the need for customization of the supplied manifests in this repository.
---
 deploy/helm/onechart-helm-values.yaml | 12 ++++++++++++
 deploy/k8s/manifest.yaml | 16 +++++++++++++---
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/deploy/helm/onechart-helm-values.yaml b/deploy/helm/onechart-helm-values.yaml
index bc4ac67..f9c2e11 100644
--- a/deploy/helm/onechart-helm-values.yaml
+++ b/deploy/helm/onechart-helm-values.yaml
@@ -8,3 +8,15 @@ probe:
 resources:
   ignoreLimits: true
 serviceAccount: capacitor
+
+securityContext:
+  runAsNonRoot: true
+  runAsUser: 100
+  runAsGroup: 101
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - ALL
+  seccompProfile:
+    type: RuntimeDefault
diff --git a/deploy/k8s/manifest.yaml b/deploy/k8s/manifest.yaml
index 59a5f51..b1bd220 100644
--- a/deploy/k8s/manifest.yaml
+++ b/deploy/k8s/manifest.yaml
@@ -6,7 +6,7 @@ metadata:
   name: capacitor
   namespace: flux-system
   labels:
-    helm.sh/chart: onechart-0.63.0
+    helm.sh/chart: onechart-0.69.0
     app.kubernetes.io/name: onechart
     app.kubernetes.io/instance: capacitor
     app.kubernetes.io/managed-by: Helm
@@ -28,7 +28,7 @@ metadata:
   name: capacitor
   namespace: flux-system
   labels:
-    helm.sh/chart: onechart-0.63.0
+    helm.sh/chart: onechart-0.69.0
     app.kubernetes.io/name: onechart
     app.kubernetes.io/instance: capacitor
     app.kubernetes.io/managed-by: Helm
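Review bot: `runAsUser: 100` and `runAsGroup: 101` in the new `securityContext` block pin a UID/GID that nothing in this hunk ties to the capacitor image, so if the image's files or its `USER` directive expect a different id the container will start unprivileged but may be unable to read its own binary or config. A one-line comment recording where the pair comes from would spare the next maintainer a guess, e.g. `# Must match the non-root user the capacitor image is built with (see Dockerfile)` placed above `runAsUser`. Keeping `runAsUser` explicit is still worthwhile next to `runAsNonRoot: true`, since the kubelet refuses to start a container when `runAsNonRoot` is set and the image's USER is a non-numeric name rather than a UID.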
@@ -70,7 +70,17 @@ spec:
           requests:
             cpu: 200m
             memory: 200Mi
-          securityContext: {}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+            runAsGroup: 101
+            runAsNonRoot: true
+            runAsUser: 100
+            seccompProfile:
+              type: RuntimeDefault
       initContainers: null
       securityContext:
         fsGroup: 999
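Review bot: `readOnlyRootFilesystem: true` is added to the container `securityContext` without any writable volume, and the diffstat (25 insertions, all securityContext lines) shows no `emptyDir` or `volumeMounts` being introduced in this commit; if capacitor writes anywhere on its root filesystem at runtime (a `/tmp` scratch file, a cache directory), it will now fail with a read-only filesystem error after startup rather than being rejected at admission. If such a path exists, pair this setting with an `emptyDir` mounted there — a `tmp` entry under `spec.template.spec.volumes` and a matching `volumeMounts` entry on the container — so the restricted-profile hardening does not become a runtime regression. The other settings (`allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `runAsNonRoot`, `seccompProfile.type: RuntimeDefault`) are the full set the restricted profile requires at container level, and the pod-level `securityContext` retaining only `fsGroup: 999` is compatible with that. The enclosing Deployment `spec.template.spec` starts outside this hunk.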