From e1c4dc9453fc8ab29327ebae5bab79883cd890ce Mon Sep 17 00:00:00 2001
From: Manuel Soulier
Date: Thu, 6 Jun 2024 14:47:12 +0200
Subject: [PATCH] fix: executor database privileges
---
 .../ExecutorDatabaseStatefulTemplate.java | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/arc-core/src/main/java/fr/insee/arc/core/service/kubernetes/configuration/ExecutorDatabaseStatefulTemplate.java b/arc-core/src/main/java/fr/insee/arc/core/service/kubernetes/configuration/ExecutorDatabaseStatefulTemplate.java
index f6ef04cf..ef463eda 100644
--- a/arc-core/src/main/java/fr/insee/arc/core/service/kubernetes/configuration/ExecutorDatabaseStatefulTemplate.java
+++ b/arc-core/src/main/java/fr/insee/arc/core/service/kubernetes/configuration/ExecutorDatabaseStatefulTemplate.java
@@ -150,7 +150,16 @@ private ExecutorDatabaseStatefulTemplate() {
 }
 },
 "securityContext": {
- "runAsUser": 0
+ "runAsNonRoot": true,
+ "allowPrivilegeEscalation": false,
+ "capabilities": {
+ "drop": [
+ "ALL"
+ ]
+ },
+ "seccompProfile": {
+ "type": "RuntimeDefault"
+ }
 },
 "terminationMessagePath": "/dev/termination-log",
 "terminationMessagePolicy": "File",
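Review bot: The new container `securityContext` sets `"runAsNonRoot": true` but no longer pins a UID, so whether the pod starts depends entirely on the image's `USER`. The kubelet rejects the container if the image defaults to root or declares a non-numeric user, because it cannot verify the non-root claim. I would add an explicit `"runAsUser": <non-zero UID of the image's database user>,` (placeholder, to be taken from the image) next to `runAsNonRoot`, so the hardening is enforced by the manifest rather than by the image. Since this is a database StatefulSet that previously ran as UID 0, it is also worth confirming that the data volume is writable by that UID, for example through a pod-level `fsGroup`. The pod-level context and volume definitions lie outside this hunk, so this may already be handled there.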