From 03c417b74b0024a74330d17033fab61cad6e023c Mon Sep 17 00:00:00 2001
From: Bartosz Fenski
Date: Wed, 1 Jan 2025 12:54:54 +0100
Subject: [PATCH] Talos compatibility fixes

---
 pkg/plugin/mount.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/pkg/plugin/mount.go b/pkg/plugin/mount.go
index bbdfada..d3c7882 100644
--- a/pkg/plugin/mount.go
+++ b/pkg/plugin/mount.go
@@ -34,6 +34,8 @@ const (
 EphemeralStorageLimit = "2Mi"
 )
 
+var DefaultID int64 = 2137
+
 func Mount(ctx context.Context, namespace, pvcName, localMountPoint string, needsRoot, debug bool) error {
 checkSSHFS()
 
@@ -450,6 +452,12 @@ func getEphemeralContainerSettings(needsRoot bool) (string, *corev1.SecurityCont
 allowPrivilegeEscalationTrue := true
 allowPrivilegeEscalationFalse := false
 readOnlyRootFilesystemTrue := true
+runAsNonRootTrue := true
+
+// Define seccomp profile type
+seccompProfileRuntimeDefault := corev1.SeccompProfile{
+Type: corev1.SeccompProfileTypeRuntimeDefault,
+}
 
 if needsRoot {
 image = PrivilegedImage
@@ -459,6 +467,7 @@ func getEphemeralContainerSettings(needsRoot bool) (string, *corev1.SecurityCont
 Capabilities: &corev1.Capabilities{
 Add: []corev1.Capability{"SYS_ADMIN", "SYS_CHROOT"},
 },
+SeccompProfile: &seccompProfileRuntimeDefault,
 }
 } else {
 securityContext = &corev1.SecurityContext{
@@ -467,6 +476,10 @@ func getEphemeralContainerSettings(needsRoot bool) (string, *corev1.SecurityCont
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
+SeccompProfile: &seccompProfileRuntimeDefault,
+RunAsUser: &DefaultID,
+RunAsGroup: &DefaultID,
+RunAsNonRoot: &runAsNonRootTrue,
 }
 }
 return image, securityContext
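Review bot: `var DefaultID int64 = 2137` is an exported, mutable package-level variable with no doc comment, and its address is what the last hunk places in the container's RunAsUser/RunAsGroup, so any importing package can change the identity the unprivileged ephemeral container runs as. It cannot be a `const` because the SecurityContext fields take `*int64`, but it can be unexported and documented; I would write `// defaultID is the UID and GID the unprivileged ephemeral container runs as; it is a var only because the pod spec needs its address.` The value 2137 has no stated rationale — if it was chosen to avoid colliding with UIDs present in the images, the comment should say so.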
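Review bot: The added comment `// Define seccomp profile type` restates the code instead of saying why the profile is now set on both branches; the subject line suggests this is what Talos needs, so the comment should carry that reason, e.g. `// RuntimeDefault seccomp is set so the ephemeral container passes the pod security admission Talos applies by default (assumption — confirm against the Talos docs).` The enclosing function getEphemeralContainerSettings starts and ends outside this hunk. Sharing one `seccompProfileRuntimeDefault` value between the two branches is fine since only one branch runs per call.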
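Review bot: Pinning the unprivileged branch to `RunAsUser: &DefaultID` and `RunAsGroup: &DefaultID` changes which files on the mounted PVC the container can access: data owned by a different UID/GID becomes unreadable or unwritable unless the pod also sets a matching `fsGroup` or supplemental group, and this hunk does not. Whether that bites depends on the PodSecurityContext built outside this hunk — please confirm, and if the volume type supports it, set `FSGroup` alongside these fields so the sshfs-backed mount keeps working for volumes not already owned by 2137. `RunAsNonRoot: &runAsNonRootTrue` combined with an explicit non-zero RunAsUser is consistent, so the kubelet will not reject the container on image-user grounds.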