From c64b94742e0561df5ce8f14755ccbf753a4e4692 Mon Sep 17 00:00:00 2001
From: Mathieu Benoit
Date: Wed, 9 Oct 2024 20:22:48 -0400
Subject: [PATCH] postgres - securityContext
---
 humanitec-resource-defs/postgres/basic/main.tf | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/humanitec-resource-defs/postgres/basic/main.tf b/humanitec-resource-defs/postgres/basic/main.tf
index 645cc49..67d75b9 100644
--- a/humanitec-resource-defs/postgres/basic/main.tf
+++ b/humanitec-resource-defs/postgres/basic/main.tf
@@ -46,9 +46,10 @@ statefulset.yaml:
 labels:
 app: {{ .init.name }}
 spec:
+ automountServiceAccountToken: false
 containers:
 - name: {{ .init.name }}
- image: postgres:15
+ image: postgres:17-alpine
 env:
 - name: POSTGRES_USER
 value: {{ .init.user | quote }}
@@ -69,6 +70,19 @@ statefulset.yaml:
 volumeMounts:
 - name: {{ .init.name }}
 mountPath: /var/lib/postgresql/data
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ allowPrivilegeEscalation: false
+ privileged: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ fsGroup: 1000
+ seccompProfile:
+ type: RuntimeDefault
 volumeClaimTemplates:
 - metadata:
 name: {{ .init.name }}
@@ -77,7 +91,7 @@ statefulset.yaml:
 - ReadWriteOnce
 resources:
 requests:
- storage: 10Gi
+ storage: 1Gi
 service.yaml:
 location: namespace
 data:
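Review bot: `image: postgres:17-alpine` is still a mutable tag, so the same definition can resolve to different image contents over time and nothing ties the deployed bits to what was reviewed; pin it by digest, `image: postgres:17-alpine@sha256:<DIGEST_PLACEHOLDER>`, and bump the digest deliberately. Separately, going from `postgres:15` to 17 is a PostgreSQL major-version change, and the data directory on the PVC created from the volumeClaimTemplates further down is initialized for the old major — a 17 server cannot open a 15 data directory without pg_upgrade or dump/restore, so existing instances would presumably fail to start (inferred; the PGDATA layout is not visible in this hunk). The pod template is inside a templated heredoc whose start and end are outside the hunk.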
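Review bot: The new container-level securityContext drops all capabilities and blocks privilege escalation but leaves the root filesystem writable; add `readOnlyRootFilesystem: true` next to `privileged: false`, backed by emptyDir mounts for the paths the server writes outside PGDATA (the socket directory and /tmp, presumably — verify against the image's entrypoint). Also, `runAsUser: 1000` is not the uid of the image's built-in postgres user, and `fsGroup: 1000` makes the mount root group-writable, which the server's data-directory permission check may reject; test with a fresh PVC before merging. Indentation was lost in this patch, so which securityContext is pod-level and which is container-level is inferred from the keys (fsGroup, runAsNonRoot, seccompProfile are pod-scoped).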
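Review bot: `storage: 1Gi` edits volumeClaimTemplates, which is immutable on an existing StatefulSet — the apply is rejected unless the StatefulSet is deleted and recreated, and PVCs already provisioned at 10Gi are never shrunk, so the change only takes effect for new deployments. If a smaller default is the goal, document the recreate requirement in the resource definition and consider exposing the size as an input rather than hard-coding it, since 1Gi is a tight ceiling for a database volume.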