-rw-r--r--script/helm/garage/templates/workload.yaml2
-rw-r--r--script/helm/garage/values.yaml11
2 files changed, 8 insertions, 5 deletions
diff --git a/script/helm/garage/templates/workload.yaml b/script/helm/garage/templates/workload.yaml
index da5d386f..718f7bea 100644
--- a/script/helm/garage/templates/workload.yaml
+++ b/script/helm/garage/templates/workload.yaml
@@ -41,6 +41,8 @@ spec:
secretKeyRef:
name: {{ include "garage.rpcSecretName" . }}
key: rpcSecret
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
volumeMounts:
- name: configmap
mountPath: /mnt/garage.toml
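Review bot: The container patched here now receives everything in `.Values.securityContext`, including `readOnlyRootFilesystem: true` and `capabilities.drop: ALL` from the chart defaults, yet the hunk shows no writable mount for it. The only mount visible is the configmap at `/mnt/garage.toml`, and the container spec starts and continues outside the hunk. If this container writes any file, the target path must sit on an `emptyDir` or another mounted volume, otherwise it will fail at start under the default values. The same values key presumably also feeds another container in this workload, so a template comment such as `{{- /* uses the shared .Values.securityContext; writes must target a mounted volume */}}` above the new lines would make the coupling visible to whoever tunes the values.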
diff --git a/script/helm/garage/values.yaml b/script/helm/garage/values.yaml
index d7e7ddbf..701a5680 100644
--- a/script/helm/garage/values.yaml
+++ b/script/helm/garage/values.yaml
@@ -92,18 +92,19 @@ serviceAccount:
podAnnotations: {}
-podSecurityContext: {}
- # fsGroup: 2000
+podSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ runAsNonRoot: true
securityContext:
# The default security context is heavily restricted
# feel free to tune it to your requirements
capabilities:
drop:
- - ALL
+ - ALL
readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 1000
service:
# You can rely on any service to expose your cluster
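Review bot: The container-level `securityContext` default is commented as heavily restricted but does not set `allowPrivilegeEscalation: false`, and neither context sets a seccomp profile, so the defaults still fall short of the Kubernetes "restricted" Pod Security Standard. Adding `allowPrivilegeEscalation: false` under `securityContext`, and `seccompProfile:` with `type: RuntimeDefault` under `podSecurityContext`, would close that gap. Separately, the new `fsGroup: 1000` makes the kubelet change ownership of supported volumes recursively on each mount, which can be slow for large data directories. Setting `fsGroupChangePolicy: OnRootMismatch` next to it avoids the repeated walk. Moving `runAsNonRoot` and `runAsUser` to the pod level does not weaken the default, but anyone who overrides `podSecurityContext` wholesale now drops them, which deserves a comment above the key.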