From f165de12e65ffc64b960a57249a84e04ec50d7a3 Mon Sep 17 00:00:00 2001
From: Scott Trent
Date: Wed, 11 Sep 2024 08:57:51 +0900
Subject: [PATCH] improve pod security for snyk scan

Signed-off-by: Scott Trent
---
 config/default/manager_auth_proxy_patch.yaml | 3 +++
 config/manager/manager.yaml | 4 ++++
 deployment/susql-controller/templates/deployment.yaml | 5 ++---
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml
index 8bca255..3b1abf2 100644
--- a/config/default/manager_auth_proxy_patch.yaml
+++ b/config/default/manager_auth_proxy_patch.yaml
@@ -12,7 +12,10 @@ spec:
 - name: kube-rbac-proxy
 securityContext:
 allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 runAsNonRoot: true
+ runAsUser: 14001
+ runAsGroup: 14001
 capabilities:
 drop:
 - "ALL"
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 437c672..67a81de 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -57,6 +57,8 @@ spec:
 # - linux
 securityContext:
 runAsNonRoot: true
+ runAsUser: 11001
+ runAsGroup: 11001
 # TODO(user): For common cases that do not require escalating privileges
 # it is recommended to ensure that all your Pods/Containers are restrictive.
 # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
@@ -163,6 +165,8 @@ spec:
 imagePullPolicy: Always
 name: manager
 securityContext:
+ runAsUser: 12001
+ runAsGroup: 12001
 allowPrivilegeEscalation: false
 capabilities:
 drop:
diff --git a/deployment/susql-controller/templates/deployment.yaml b/deployment/susql-controller/templates/deployment.yaml
index 62ddc1d..037dd4b 100644
--- a/deployment/susql-controller/templates/deployment.yaml
+++ b/deployment/susql-controller/templates/deployment.yaml
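Review bot: The hard-coded `runAsUser: 14001` / `runAsGroup: 14001` on the kube-rbac-proxy container pins a specific UID where the existing `runAsNonRoot: true` already satisfied the non-root requirement; on clusters that assign UIDs per namespace (OpenShift's restricted SCC rejects a pod whose runAsUser falls outside the namespace range) a fixed UID becomes an admission failure rather than a hardening gain, so it is worth confirming which clusters this kustomize overlay targets before keeping it. The same consideration applies to the 11001/12001 values in config/manager/manager.yaml and the 10001 in the Helm template. If the fixed UID stays, a comment such as `# fixed non-root UID; on clusters that enforce per-namespace UID ranges this must fall inside the range` records the assumption for the next reader. The securityContext block may continue past the end of the hunk, so settings below `- "ALL"` are not visible here.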
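Review bot: The pod-level `runAsUser: 11001` / `runAsGroup: 11001` added here is overridden by any container that sets its own, and in this same commit the manager container (second hunk of this file) sets 12001 while the kube-rbac-proxy patch sets 14001, so 11001 only ever applies to a container that sets neither, such as an init container not shown here. Three different UIDs for one pod are hard to audit and leave a reader unable to tell from the manifest which identity a process actually runs as; either drop the pod-level pair or use one value throughout, e.g. `runAsUser: 12001` / `runAsGroup: 12001` at both levels and in the proxy patch. The pod-level block also sets no `fsGroup`, so if the manager mounts a writable volume its ownership is unaffected by this change — only relevant if such a volume exists, which the hunk does not show.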
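Review bot: The manager container's securityContext gains only `runAsUser`/`runAsGroup` here, whereas the kube-rbac-proxy container in config/default/manager_auth_proxy_patch.yaml also gains `readOnlyRootFilesystem: true` in this commit; if the manager does not write to its root filesystem, `readOnlyRootFilesystem: true` belongs here too, since it is the setting that limits what a compromised process can persist, while a UID change only alters which non-root identity it has. If the binary does need a writable path (cache or temp files), an `emptyDir` mounted at that path keeps the root filesystem read-only. The block is cut at `drop:`, so the dropped capabilities and any `seccompProfile` further down are not visible in this hunk.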
@@ -8,9 +8,6 @@ spec:
 selector:
 matchLabels:
 sustainable-computing.io/app: {{ .Values.name }}
- securityContext:
- runAsUser: 10001
- runAsGroup: 10001
 template:
 metadata:
 name: {{ .Values.name }}
@@ -27,6 +24,8 @@ spec:
 image: {{ required "Please specify a 'containerImage' in the user file" .Values.containerImage }}
 imagePullPolicy: {{ .Values.imagePullPolicy | default "Always" }}
 securityContext:
+ runAsUser: 10001
+ runAsGroup: 10001
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 capabilities:
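Review bot: `runAsUser: 10001` / `runAsGroup: 10001` are the only hard-coded values in a container spec whose image and pull policy already come from `.Values`, so a cluster that assigns UIDs per namespace, or an operator whose image is built for a different user, has no override short of editing the template. `runAsUser: {{ .Values.runAsUser | default 10001 }}` and `runAsGroup: {{ .Values.runAsGroup | default 10001 }}` keep the current default while making it configurable, with the new keys documented in the chart's values file. The block removed in the first hunk sat directly under the Deployment `spec`, where `securityContext` is not a valid field, so moving it into the container is the right fix and needs nothing further. Note that this container runs as 10001 while the kustomize manifests in config/manager/manager.yaml use 12001 for what is presumably the same image — worth aligning so any file ownership baked into the image is checked against a single UID.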