From c6b1a364c55f98402f79b3716b66c14ab9cbaf69 Mon Sep 17 00:00:00 2001
From: Michael Morello
Date: Thu, 4 Sep 2025 09:01:53 +0200
Subject: [PATCH] Improve config/recipes/elastic-agent/fleet-kubernetes-integration-nonroot.yaml with drop capabilities
---
 .../fleet-kubernetes-integration-nonroot.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/config/recipes/elastic-agent/fleet-kubernetes-integration-nonroot.yaml b/config/recipes/elastic-agent/fleet-kubernetes-integration-nonroot.yaml
index 081f9610439..39f3c78b2f4 100644
--- a/config/recipes/elastic-agent/fleet-kubernetes-integration-nonroot.yaml
+++ b/config/recipes/elastic-agent/fleet-kubernetes-integration-nonroot.yaml
@@ -155,6 +155,23 @@ spec:
 spec:
 serviceAccountName: fleet-server
 automountServiceAccountToken: true
+ ## Uncomment the following lines to run fleet-server with restricted privileges and drop capabilities.
+# containers:
+# - name: agent
+# securityContext:
+# allowPrivilegeEscalation: false
+# readOnlyRootFilesystem: true
+# capabilities:
+# drop: ["ALL"]
+# env:
+# - name: STATE_PATH
+# value: /usr/share/elastic-agent/state
+# - name: CONFIG_PATH
+# value: /usr/share/elastic-agent/state
+# args:
+# - -e
+# - -c
+# - /etc/agent/elastic-agent.yml
 ---
 apiVersion: agent.k8s.elastic.co/v1alpha1
 kind: Agent
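Review bot: The commented `securityContext` for the `agent` container stops short of what the "restricted privileges" wording suggests. It sets `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `drop: ["ALL"]`, but neither `runAsNonRoot: true` nor a `seccompProfile` with `type: RuntimeDefault`, which a namespace enforcing the restricted Pod Security Standard would also require. If those are not already set at pod level elsewhere in this recipe (not visible from this hunk), consider adding them to the commented block so that uncommenting it gives a complete hardening profile. The one-line comment could also say why `STATE_PATH`, `CONFIG_PATH` and `args` are overridden, presumably so the agent writes only under the state directory once the root filesystem is read-only. Anyone enabling the block needs to know that `/usr/share/elastic-agent/state` must be backed by a writable volume. Because the block ships commented out, it is worth confirming that it is exercised by a test or validated manually, since nothing in the default deployment will catch drift in these paths.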