From 3cd5ebbeff2ec1005f0c8ac8854d719e9cea92fb Mon Sep 17 00:00:00 2001
From: Mathieu Benoit
Date: Sun, 13 Oct 2024 23:20:06 -0400
Subject: [PATCH] Update zz-default.provisioners.yaml - securityContext for redis
Signed-off-by: Mathieu Benoit
---
 .../default/zz-default.provisioners.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/internal/provisioners/default/zz-default.provisioners.yaml b/internal/provisioners/default/zz-default.provisioners.yaml
index eb51570..562b51f 100644
--- a/internal/provisioners/default/zz-default.provisioners.yaml
+++ b/internal/provisioners/default/zz-default.provisioners.yaml
@@ -320,9 +320,17 @@
 k8s.score.dev/resource-uid: {{ .Uid }}
 k8s.score.dev/resource-guid: {{ .Guid }}
 spec:
+ automountServiceAccountToken: false
 containers:
 - name: redis
 image: redis:7-alpine
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
 ports:
 - name: redis
 containerPort: 6379
@@ -337,6 +345,13 @@
 - redis-cli
 - ping
 periodSeconds: 3
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: config
 secret:
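Review bot: `readOnlyRootFilesystem: true` on the redis container will break RDB/AOF persistence unless Redis's working directory is backed by a writable volume, because redis-server writes `dump.rdb` and `temp-*.rdb` into its `dir` (`/data` in the official image) on every background save, and by default refuses further writes after a failed save. Neither a `volumeMounts` entry for `/data` nor a `save ""` directive is visible in this hunk, and the only volume shown is the `config` secret, so whether this is safe depends on what that mounted config sets. The usual fix is an emptyDir for the data directory, `volumeMounts: [{name: data, mountPath: /data}]` plus `volumes: [{name: data, emptyDir: {}}]`, or an explicit `save ""` in the mounted config; either way a comment next to the flag, `# root fs is read-only: /data must be a volume or persistence must be disabled in the mounted config`, would spare the next reader the surprise. The `privileged: false` line is the Kubernetes default and could be dropped, though it is harmless. The Pod template continues past the end of this hunk.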
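Review bot: `runAsUser: 1000` and `runAsGroup: 1000` at the pod level override the image's own `redis` user (which, as far as I recall, has a different UID in `redis:7-alpine`), so redis-server runs as an identity with no passwd entry; Redis itself copes with that, but the choice is not recorded anywhere, and anyone who later adds a persistent data volume will need the `fsGroup: 1000` set here for it to be writable. A short comment above the block, `# arbitrary non-root UID/GID; the image entrypoint only drops privileges when started as root, so no fixed UID is required — keep fsGroup in sync for data volumes`, would document the intent. `seccompProfile: RuntimeDefault` together with `runAsNonRoot: true` is the right baseline for the restricted Pod Security Standard. The template's `volumes` list continues past the end of this hunk.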