From 31709d3dbf2ca3046e9ff78dd1991ffab39b8124 Mon Sep 17 00:00:00 2001
From: Franco Hielpos <48300215+fhielpos@users.noreply.github.com>
Date: Tue, 10 Oct 2023 20:52:43 +0200
Subject: [PATCH] Run preinstall job as non-root (#14)

* Run preinstall job as non-root
---
 CHANGELOG.md                                      | 4 ++++
 .../templates/crd-install/crd-job.yaml            | 7 +++++++
 2 files changed, 11 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bb795ed..212c2fb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- Run preinstall job as non-root.
+
 ## [0.0.1] - 2023-10-05
 
 - First release of the Kyverno Policy Operator App.
diff --git a/helm/kyverno-policy-operator/templates/crd-install/crd-job.yaml b/helm/kyverno-policy-operator/templates/crd-install/crd-job.yaml
index fc68817..db7bc96 100644
--- a/helm/kyverno-policy-operator/templates/crd-install/crd-job.yaml
+++ b/helm/kyverno-policy-operator/templates/crd-install/crd-job.yaml
@@ -23,6 +23,7 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
+        runAsNonRoot: true
         runAsUser: 65534
         runAsGroup: 65534
       tolerations:
@@ -44,8 +45,14 @@ spec:
             seccompProfile:
               type: RuntimeDefault
             readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
+            privileged: false
+            runAsNonRoot: true
             runAsUser: 65534
             runAsGroup: 65534
+            capabilities:
+              drop:
+                - ALL
           volumeMounts:
           {{- range $path, $_ := .Files.Glob "crd/**" }}
           - name: {{ $path | base | trimSuffix ".yaml" }}
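Review bot: The pod-level securityContext in the crd-job.yaml first hunk now sets runAsNonRoot next to runAsUser/runAsGroup 65534, but the container-level securityContext in the following hunk repeats runAsNonRoot, runAsUser, runAsGroup and seccompProfile, and container-level values override pod-level ones, so the pod-level copy only governs containers that lack their own securityContext (none are visible in this diff; any initContainers would be outside the hunks). Keeping both is harmless today, but a later edit to one block would silently diverge from the other. Consider a comment on the pod-level block such as `# pod-wide defaults; the job container's own securityContext below takes precedence` or removing the duplicated keys from one of the two places. Since runAsUser is a numeric UID, the runAsNonRoot check is satisfied by that value regardless of the image's USER directive, which is not visible here.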
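Review bot: `privileged: false` in the container securityContext is the Kubernetes default and adds nothing the surrounding keys do not already enforce, so it can be dropped without changing the effective policy; keeping it is fine if explicitness is the goal. With allowPrivilegeEscalation: false, capabilities drop ALL, runAsNonRoot: true and the RuntimeDefault seccomp profile, this container now satisfies the `restricted` Pod Security Standard, and that is worth recording so the keys are not trimmed later: `# meets the 'restricted' Pod Security Standard; keep in sync with the pod-level securityContext above`. The container's image and command lines are outside the hunk, so whether the pre-existing readOnlyRootFilesystem needs a writable emptyDir for the tool's working directory cannot be checked from this diff.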