From dfdc79add6cacc214655e24fc043483c880c7054 Mon Sep 17 00:00:00 2001
From: Zbynek Roubalik
Date: Wed, 28 Aug 2024 15:47:13 +0200
Subject: [PATCH] restricted scc (#41)

Signed-off-by: Zbynek Roubalik
---
 http-add-on/templates/interceptor/deployment.yaml | 2 ++
 http-add-on/templates/operator/deployment.yaml | 2 ++
 http-add-on/templates/scaler/deployment.yaml | 4 +++-
 http-add-on/values.yaml | 10 ++++++----
 4 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/http-add-on/templates/interceptor/deployment.yaml b/http-add-on/templates/interceptor/deployment.yaml
index 8aefe4f6..b318f3e4 100644
--- a/http-add-on/templates/interceptor/deployment.yaml
+++ b/http-add-on/templates/interceptor/deployment.yaml
@@ -20,6 +20,7 @@ spec:
 imagePullSecrets:
 {{- toYaml .Values.interceptor.imagePullSecrets | nindent 8 }}
 serviceAccountName: {{ .Chart.Name }}-interceptor
+ {{- if .Values.podSecurityContext }}
 {{- if .Values.podSecurityContext.interceptor }}
 securityContext:
 {{- toYaml .Values.podSecurityContext.interceptor | nindent 8 }}
@@ -27,6 +28,7 @@ spec:
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 {{- end }}
+ {{- end }}
 containers:
 - args:
 - "--zap-log-level={{ .Values.logging.interceptor.level }}"
diff --git a/http-add-on/templates/operator/deployment.yaml b/http-add-on/templates/operator/deployment.yaml
index 51841dec..3dc512d3 100644
--- a/http-add-on/templates/operator/deployment.yaml
+++ b/http-add-on/templates/operator/deployment.yaml
@@ -22,6 +22,7 @@ spec:
 imagePullSecrets:
 {{- toYaml .Values.operator.imagePullSecrets | nindent 8 }}
 serviceAccountName: {{ .Chart.Name }}
+ {{- if .Values.podSecurityContext }}
 {{- if .Values.podSecurityContext.operator }}
 securityContext:
 {{- toYaml .Values.podSecurityContext.operator | nindent 8 }}
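Review bot: The new outer `{{- if .Values.podSecurityContext }}` around the interceptor's pod-level securityContext carries no comment explaining why it exists, and the same applies to the matching guards added in the operator and scaler hunks. Since values.yaml in this same commit comments out `podSecurityContext` entirely, the guard is presumably what keeps the inner `.Values.podSecurityContext.interceptor` lookup from failing on a nil value at render time for a default install; a later cleanup that flattens the nested ifs would reintroduce that failure. A one-line template comment above the guard would preserve the intent, e.g. `{{- /* podSecurityContext is unset by default; guard before reading its sub-keys */ -}}`. The enclosing Deployment spec starts before this hunk and continues after it.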
@@ -29,6 +30,7 @@ spec:
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 {{- end }}
+ {{- end }}
 containers:
 - args:
 - --secure-listen-address=0.0.0.0:{{ .Values.operator.port | default 8443 }}
diff --git a/http-add-on/templates/scaler/deployment.yaml b/http-add-on/templates/scaler/deployment.yaml
index aacc6d38..84c53aa1 100644
--- a/http-add-on/templates/scaler/deployment.yaml
+++ b/http-add-on/templates/scaler/deployment.yaml
@@ -21,13 +21,15 @@ spec:
 imagePullSecrets:
 {{- toYaml .Values.scaler.imagePullSecrets | nindent 8 }}
 serviceAccountName: {{ .Chart.Name }}-external-scaler
+ {{- if .Values.podSecurityContext }}
 {{- if .Values.podSecurityContext.scaler }}
 securityContext:
 {{- toYaml .Values.podSecurityContext.scaler | nindent 8 }}
- {{- else }}
+ {{- else if .Values.podSecurityContext }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 {{- end }}
+ {{- end }}
 containers:
 - args:
 - "--zap-log-level={{ .Values.logging.scaler.level }}"
diff --git a/http-add-on/values.yaml b/http-add-on/values.yaml
index 3aeda4c4..4c53be5a 100644
--- a/http-add-on/values.yaml
+++ b/http-add-on/values.yaml
@@ -245,6 +245,8 @@ securityContext:
 - ALL
 privileged: false
 readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
 # runAsUser: 1000
 # runAsGroup: 1000
 # operator:
@@ -282,10 +284,10 @@ securityContext:

 # -- [Pod security context] for all pods
 # @default -- [See below](#KEDA-is-secure-by-default)
-podSecurityContext:
- fsGroup: 1000
- supplementalGroups:
- - 1000
+# podSecurityContext:
+# fsGroup: 1000
+# supplementalGroups:
+# - 1000
 # operator:
 # runAsNonRoot: true
 # runAsUser: 1000
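Review bot: In the scaler hunk the changed `{{- else if .Values.podSecurityContext }}` is redundant: it sits inside the new outer `{{- if .Values.podSecurityContext }}`, so the condition is always true there and the branch behaves exactly like the plain `{{- else }}` it replaced. The interceptor and operator templates in this same commit keep `{{- else }}`, so the three templates now differ for no functional reason. Restoring `{{- else }}` keeps the scaler consistent with the other two. The enclosing Deployment spec continues outside the hunk.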
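Review bot: The new `seccompProfile: type: RuntimeDefault` lines in the first values.yaml hunk land only in the shared container `securityContext` default, with no note about how per-component overrides interact with them. The commented `# operator:` block directly below shows that per-component `securityContext.<component>` blocks exist, and if the container templates apply such an override with the same whole-block `toYaml` pattern visible in the pod-level templates of this commit (the container templates themselves are not in the diff), an override would silently drop the seccomp profile for that component. A comment above the new lines would make the hardening harder to lose, e.g. `# NOTE: a per-component securityContext override replaces this whole block; carry seccompProfile over when overriding.`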
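Review bot: Commenting out `podSecurityContext` in the second values.yaml hunk leaves the helm-docs annotation `# -- [Pod security context] for all pods` / `# @default -- [See below](#KEDA-is-secure-by-default)` above a key that no longer exists, so the generated values table will either lose the entry or keep pointing at a README section that still describes `fsGroup: 1000`. The trade-off is also unexplained in the file: the commit title suggests the fixed `fsGroup`/`supplementalGroups` were dropped so an OpenShift restricted SCC can assign them from the namespace range, but on other clusters the pods now render with no pod-level securityContext at all, and any volume that relied on group 1000 for write access will behave differently. Rewording the description to state the new default and why, e.g. `# -- [Pod security context] for all pods. Unset by default so the platform (e.g. an OpenShift restricted SCC) assigns fsGroup/supplementalGroups; set fsGroup explicitly where volume permissions require it.`, would record both.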