From 4250c23825f869f6b41731ef8ac83f069f52ad55 Mon Sep 17 00:00:00 2001
From: Eric Paulsen
Date: Tue, 30 Sep 2025 12:55:07 +0000
Subject: [PATCH 1/2] run image as non-root user & add securitycontext values

---
 helm/templates/service.yaml | 4 ++++
 helm/values.yaml | 14 +++++++++++++-
 scripts/Dockerfile | 3 ++-
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml
index c89a98a..9aee16c 100644
--- a/helm/templates/service.yaml
+++ b/helm/templates/service.yaml
@@ -98,6 +98,10 @@ spec:
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.podSecurityContext }}
+      podSecurityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: coder-logstream-kube
           image: "{{ .Values.image.repo }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
diff --git a/helm/values.yaml b/helm/values.yaml
index 5a6d1b6..c2790d6 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -92,7 +92,14 @@ labels: {}
 
 # securityContext -- Container-level security context
 # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-securityContext: {}
+securityContext:
+  runAsNonRoot: true
+  runAsUser: 65532
+  runAsGroup: 65532
+  allowPrivilegeEscalation: false
+  # Optional; enable after validation if the app never writes to disk:
+  # readOnlyRootFilesystem: true
+  #
   # allowPrivilegeEscalation: false
   # capabilities:
   # drop:
@@ -101,3 +108,8 @@ securityContext: {}
   # runAsNonRoot: true
   # seccompProfile:
   # type: RuntimeDefault
+
+podSecurityContext: {}
+# Optional, only if your cluster requires group ownership for mounted volumes:
+# podSecurityContext:
+# fsGroup: 65532
\ No newline at end of file
diff --git a/scripts/Dockerfile b/scripts/Dockerfile
index fe869e7..8f380e9 100644
--- a/scripts/Dockerfile
+++ b/scripts/Dockerfile
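Review bot: The key rendered into the pod template, `podSecurityContext:`, is not a PodSpec field; the pod-level security context is `securityContext:` (sibling of `nodeSelector` and `containers`), so whatever an operator puts in `.Values.podSecurityContext` (e.g. `fsGroup`) is either dropped or, under strict field validation, rejected at apply time. Keep the values-file name, which is the usual chart convention, but render it as the real field: `{{- with .Values.podSecurityContext }}` / `securityContext:` / `{{- toYaml . | nindent 8 }}`. The surrounding pod template starts and ends outside this hunk, so check that no other `securityContext:` already exists at that level.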
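Review bot: The new `securityContext` defaults stop one step short of the Pod Security Standards `restricted` profile: `capabilities.drop: [ALL]` and `seccompProfile.type: RuntimeDefault` are still only present as commented-out lines, so a namespace enforcing `restricted` will continue to reject the pod even though it now has `runAsNonRoot: true` and `allowPrivilegeEscalation: false`. For a single static binary on a `scratch` base both are safe defaults; add `capabilities:` / `  drop: [ALL]` / `seccompProfile: {type: RuntimeDefault}` under `securityContext` and drop the matching commented lines. The `# securityContext --` header comment should then mention that the defaults target the restricted profile so operators know what loosening them costs. Also note the file is left without a trailing newline (`\ No newline at end of file`), which some YAML linters flag.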
@@ -1,4 +1,5 @@
 FROM --platform=$BUILDPLATFORM scratch AS base
 ARG TARGETARCH
-COPY ./coder-logstream-kube-${TARGETARCH} /coder-logstream-kube
+COPY --chmod=0555 ./coder-logstream-kube-${TARGETARCH} /coder-logstream-kube
+USER 65532:65532
 ENTRYPOINT ["/coder-logstream-kube"]
\ No newline at end of file

From 0959875f3801f3c64be99a85519b3953298908e3 Mon Sep 17 00:00:00 2001
From: Eric Paulsen
Date: Fri, 3 Oct 2025 12:58:37 +0000
Subject: [PATCH 2/2] rm redundant comments

---
 helm/values.yaml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/helm/values.yaml b/helm/values.yaml
index c2790d6..daa847f 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -97,10 +97,6 @@ securityContext:
   runAsUser: 65532
   runAsGroup: 65532
   allowPrivilegeEscalation: false
-  # Optional; enable after validation if the app never writes to disk:
-  # readOnlyRootFilesystem: true
-  #
-  # allowPrivilegeEscalation: false
   # capabilities:
   # drop:
   # - ALL
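Review bot: `COPY --chmod=0555` is accepted only by the BuildKit Dockerfile frontend, so a build through the legacy (non-BuildKit) builder now fails on this line, and the reason for the mode is not recorded anywhere: on a `scratch` base there is no shell to fix permissions later, so world read+execute is what lets the non-root `USER 65532:65532` run the binary at all. Add a comment above the COPY line such as `# Requires BuildKit (COPY --chmod); 0555 so the non-root UID below can read and execute the binary on a shell-less scratch image`. The numeric `USER` also lets the kubelet satisfy the chart's `runAsNonRoot: true` check without a passwd file, which is worth stating in the same comment since `scratch` has none.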