From 6635a71e211cd397c5170bed7a01f90f76bd6d84 Mon Sep 17 00:00:00 2001
From: Simon Dreher
Date: Mon, 26 Oct 2020 11:43:45 +0100
Subject: [PATCH] Add securityContext

Related to https://github.com/kontena/kubelet-rubber-stamp/pull/33, but setting user also works without moficiations of Dockerfile
---
 deploy/operator.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/deploy/operator.yaml b/deploy/operator.yaml
index 9b223be..fb35c26 100644
--- a/deploy/operator.yaml
+++ b/deploy/operator.yaml
@@ -33,6 +33,14 @@ spec:
 limits:
 cpu: 100m
 memory: 64Mi
+ securityContext:
+ runAsUser: 1001
+ runAsNonRoot: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop: ["all"]
 env:
 - name: WATCH_NAMESPACE
 value: ""
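Review bot: The `drop: ["all"]` entry in the added securityContext spells the capability wildcard in lowercase, while Kubernetes documents it as `ALL`. Whether the lowercase form is honoured appears to depend on the container runtime, and policy checks such as the Pod Security Standards restricted profile look for `ALL` as written, so `drop: ["ALL"]` is the safer spelling. Because `readOnlyRootFilesystem: true` is set in the same block, it is worth confirming the operator writes nothing to its root filesystem; an `emptyDir` mount would cover any scratch path it needs. The container spec starts and continues outside this hunk, so existing volume mounts are not visible here.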