improve pod security per snyk scan

Signed-off-by: Scott Trent <[email protected]>
sustainable-computing-io · Sep 10, 2024 · 4c660b3 · 4c660b3
1 parent e079d6c
commit 4c660b3
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/deployment/susql-controller/templates/deployment.yam b/deployment/susql-controller/templates/deployment.yam
diff --git a/deployment/susql-controller/templates/deployment.yaml b/deployment/susql-controller/templates/deployment.yaml
@@ -8,6 +8,9 @@ spec:
     selector:
         matchLabels:
             sustainable-computing.io/app: {{ .Values.name }}
+    securityContext:
+        runAsUser: 10001
+        runAsGroup: 10001
     template:
         metadata:
             name: {{ .Values.name }}
@@ -23,6 +26,12 @@ spec:
                 - name: {{ .Values.name }}
                   image: {{ required "Please specify a 'containerImage' in the user file" .Values.containerImage }}
                   imagePullPolicy: {{ .Values.imagePullPolicy | default "Always" }}
+                  securityContext:
+                      allowPrivilegeEscalation: false
+                      runAsNonRoot: true
+                      capabilities:
+                          drop:
+                              - "ALL"
                   args:
                       - "--kepler-prometheus-url={{ .Values.keplerPrometheusUrl }}"
                       - "--kepler-metric-name={{ .Values.keplerMetricName }}"