add default podSecurityContext in helm/values.yaml

piyush-tiwari · piyush-tiwari · commit a7e705e78485 · 2024-11-26T09:56:01.000+05:30
diff --git a/deploy/manifests/oci-native-ingress-controller/templates/deployment.yaml b/deploy/manifests/oci-native-ingress-controller/templates/deployment.yaml
@@ -43,14 +43,18 @@ spec:
           defaultMode: 420
           secretName: oci-native-ingress-controller-tls
       securityContext:
-        {}
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: oci-native-ingress-controller
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
             readOnlyRootFilesystem: true
-            runAsNonRoot: true
-            runAsUser: 1000
           image: "ghcr.io/oracle/oci-native-ingress-controller:v1.3.9"
           imagePullPolicy: Always
           args: 
diff --git a/deploy/manifests/oci-native-ingress-controller/templates/rbac.yaml b/deploy/manifests/oci-native-ingress-controller/templates/rbac.yaml
@@ -41,6 +41,9 @@ rules:
 - apiGroups: [""]
   resources: [pods/status]
   verbs: [patch]
+- apiGroups: [""]
+  resources: [serviceaccounts]
+  verbs: [list, watch]
 ---
 # Source: oci-native-ingress-controller/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/helm/oci-native-ingress-controller/values.yaml b/helm/oci-native-ingress-controller/values.yaml
@@ -45,14 +45,18 @@ serviceAccount:
 
 podAnnotations: {}
 
-podSecurityContext: {}
-  # fsGroup: 2000
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  seccompProfile:
+    type: RuntimeDefault
 
-securityContext: 
+securityContext:
   readOnlyRootFilesystem: true
-  runAsNonRoot: true
   allowPrivilegeEscalation: false
-  runAsUser: 1000
+  capabilities:
+    drop:
+      - ALL
 
 rbac:
   create: true
