Merge branch 'main' into mathieu-benoit-patch-1

score-spec · Oct 14, 2024 · efe356d · efe356d
2 parents 3cd5ebb + 43302d2
commit efe356d
Showing 1 changed file with 21 additions and 1 deletion.
diff --git a/internal/provisioners/default/zz-default.provisioners.yaml b/internal/provisioners/default/zz-default.provisioners.yaml
@@ -588,6 +588,7 @@
               k8s.score.dev/resource-uid: {{ .Uid }}
               k8s.score.dev/resource-guid: {{ .Guid }}
           spec:
+            automountServiceAccountToken: false
             containers:
             - name: mongo-db
               image: mongo:latest
@@ -611,9 +612,28 @@
                 initialDelaySeconds: 30
                 timeoutSeconds: 5
                 periodSeconds: 20
+              securityContext:
+                runAsUser: 1001
+                runAsGroup: 1001
+                allowPrivilegeEscalation: false
+                privileged: false
+                readOnlyRootFilesystem: true
+                capabilities:
+                  drop:
+                    - ALL
               volumeMounts:
               - name: data
-                mountPath: /var/db
+                mountPath: /data/db
+              - name: tmp
+                mountPath: /tmp
+            securityContext:
+              runAsNonRoot: true
+              fsGroup: 1001
+              seccompProfile:
+                type: RuntimeDefault
+            volumes:
+              - name: tmp
+                emptyDir: {}
         volumeClaimTemplates:
         - metadata:
             name: data