From ba8b94051c3620422d0d9131ebd20a01ba746681 Mon Sep 17 00:00:00 2001
From: Pat Riehecky
Date: Tue, 18 Jul 2023 12:50:07 -0500
Subject: [PATCH] Apply trivy recommended hardening

Signed-off-by: Pat Riehecky
---
 .../chart/local-path-provisioner/templates/deployment.yaml | 3 +++
 deploy/chart/local-path-provisioner/values.yaml | 5 +++++
 deploy/local-path-storage.yaml | 3 +++
 deploy/provisioner.yaml | 3 +++
 4 files changed, 14 insertions(+)

diff --git a/deploy/chart/local-path-provisioner/templates/deployment.yaml b/deploy/chart/local-path-provisioner/templates/deployment.yaml
index e07b1647..6ec2491d 100644
--- a/deploy/chart/local-path-provisioner/templates/deployment.yaml
+++ b/deploy/chart/local-path-provisioner/templates/deployment.yaml
@@ -74,6 +74,9 @@ spec:
           env:
             - name: POD_NAMESPACE
               value: {{ .Release.Namespace }}
+          {{- with .Values.containerSecurityContext }}
+          securityContext: {{ toYaml .| nindent 12 }}
+          {{- end }}
           resources:
           {{- toYaml .Values.resources | nindent 12 }}
       volumes:
diff --git a/deploy/chart/local-path-provisioner/values.yaml b/deploy/chart/local-path-provisioner/values.yaml
index 30aa158d..12504c2b 100644
--- a/deploy/chart/local-path-provisioner/values.yaml
+++ b/deploy/chart/local-path-provisioner/values.yaml
@@ -23,6 +23,11 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
+podSecurityContext: {}
+containerSecurityContext:
+  seccompProfile:
+    type: RuntimeDefault
+
 ## For creating the StorageClass automatically:
 storageClass:
   create: true
diff --git a/deploy/local-path-storage.yaml b/deploy/local-path-storage.yaml
index 2130dfea..5d64bea9 100644
--- a/deploy/local-path-storage.yaml
+++ b/deploy/local-path-storage.yaml
@@ -78,6 +78,9 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
       volumes:
         - name: config-volume
           configMap:
diff --git a/deploy/provisioner.yaml b/deploy/provisioner.yaml
index 104b8660..ec91fec0 100644
--- a/deploy/provisioner.yaml
+++ b/deploy/provisioner.yaml
@@ -32,6 +32,9 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
       volumes:
         - name: config-volume
           configMap:
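Review bot: The second added line, `securityContext: {{ toYaml .| nindent 12 }}`, drops the space before the pipe, unlike `{{- toYaml .Values.resources | nindent 12 }}` on the context line just below it; write it `securityContext: {{- toYaml . | nindent 12 }}` so the two template calls read the same way and no trailing space is rendered after the colon. The values.yaml hunk in this same patch adds `podSecurityContext: {}`, but nothing in this hunk renders it under the pod spec, so unless the template already references `.Values.podSecurityContext` outside the hunk, that value is dead and a user who sets it gets no pod-level securityContext. If it is meant to be wired, a matching `{{- with .Values.podSecurityContext }}` / `securityContext: {{- toYaml . | nindent 8 }}` / `{{- end }}` block belongs at the pod-spec level, the level `volumes:` sits at. The container spec this hunk is inside starts and ends outside the hunk.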
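Review bot: The new `podSecurityContext` and `containerSecurityContext` keys are the only top-level values in this stanza without a `##` comment, while `## For creating the StorageClass automatically:` directly below documents its neighbour. Add above `podSecurityContext: {}` something like `## Security contexts for the provisioner pod and container. The container default opts into the runtime's seccomp profile (trivy recommendation); set a key to {} to omit the field.` The "omit" wording matters because the deployment.yaml hunk wraps the container value in `{{- with }}`, so an empty map removes `securityContext` from the rendered pod rather than rendering `securityContext: {}`, which is not obvious from values.yaml alone.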
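Review bot: The added `securityContext` is attached to the single container, so the seccomp profile covers only that container and not any init or sidecar container someone adds to this Deployment later; the identical hunk in deploy/provisioner.yaml has the same scope. The context line `volumes:` below the insertion is at the pod-spec level; a `securityContext:` sibling there carrying the same `seccompProfile: {type: RuntimeDefault}` applies to every container in the pod, and the container-level entry can stay for explicitness or be dropped. The `seccompProfile` field is only accepted by API servers from Kubernetes 1.19 on, so if these static manifests are still expected to apply to older clusters, that is a new hard requirement worth a line in the README or a comment above the field. The container definition this hunk sits in starts outside the hunk.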