security context added to registry viewer container spec.

Signed-off-by: Michael Valdron <[email protected]>

Author: michael-valdron

.ci/deploy/devfile-registry.yaml

@@ -103,6 +103,13 @@ objects:
           name: devfile-registry-viewer
           ports:
           - containerPort: 3000
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            capabilities:
+              drop: ["ALL"]
+            seccompProfile:
+              type: "RuntimeDefault"
           livenessProbe:
             httpGet:
               path: /viewer
@@ -138,6 +145,7 @@ objects:
             - name: viewer-env-file
               mountPath: /app/apps/registry-viewer/.env.local
               subPath: .env.local
+              readOnly: true
         - image: ${OCI_REGISTRY_IMAGE}:${OCI_REGISTRY_IMAGE_TAG}
           imagePullPolicy: "${OCI_REGISTRY_PULL_POLICY}"
           name: oci-registry