From ed8be6e2e3f1f51ca64306e84e5da8019bb6c656 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Wed, 26 Oct 2022 03:35:30 +0200
Subject: [PATCH] feat(renovate): Set restrictive securityContext settings

In order to satisfy the restricted (not just the baseline) Pod Security
Standards profile, these fields have to be set explicitly.
---
 apps/base/renovate/release.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/apps/base/renovate/release.yaml b/apps/base/renovate/release.yaml
index c750b2195..6473410cc 100644
--- a/apps/base/renovate/release.yaml
+++ b/apps/base/renovate/release.yaml
@@ -41,6 +41,12 @@ metadata:
   namespace: renovate
 data:
   values.yaml: |
+    renovate:
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
     serviceAccount:
       create: true
     extraVolumes:
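Review bot: The container-level block added under `renovate.securityContext` covers the two container fields the restricted profile demands, but it stops short of `readOnlyRootFilesystem: true`, which is the usual companion hardening for a job that clones and executes third-party repository contents. That setting is not required by the restricted profile, and Renovate presumably needs a writable scratch area (the `/cache` volume is already mounted in the following context; a writable `/tmp` may also be needed), so it should only be added together with an emptyDir for whatever paths the image writes to. If the image cannot tolerate it, a comment above the block such as `# readOnlyRootFilesystem intentionally omitted: renovate writes to /tmp` would stop the next reviewer from re-raising it. The enclosing `values.yaml` block scalar continues outside this hunk.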
@@ -51,7 +57,12 @@ data:
       - name: cache
         mountPath: /cache
     securityContext:
+      runAsNonRoot: true
+      runAsUser: 1000
+      fsGroupChangePolicy: Always
       fsGroup: 1000
+      seccompProfile:
+        type: RuntimeDefault
     resources:
       requests:
         cpu: 100m
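Review bot: `fsGroupChangePolicy: Always` is the Kubernetes API default, so the added line changes nothing and is not one of the fields the restricted profile requires, while it does force a recursive ownership change of the `cache` volume (mounted at `/cache` just above) on every pod start. If that cache grows large, `fsGroupChangePolicy: OnRootMismatch` avoids that cost without weakening the security posture; otherwise drop the line, or leave a comment stating why the default is spelled out. `runAsUser: 1000` is fine as long as it matches the image's own user, but pairing it with `runAsGroup: 1000` makes the primary group explicit rather than inherited from the image. The values block continues past the end of this hunk.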
-- 
GitLab