From 199b197ff45ec946c11ddbc72204bc3a532b2314 Mon Sep 17 00:00:00 2001
From: Ryan Taylor <1686627+rptaylor@users.noreply.github.com>
Date: Wed, 30 Oct 2024 10:16:07 -0700
Subject: [PATCH] kube-vip-cloud-provider: specify unprivileged securityContext

Signed-off-by: Ryan Taylor <1686627+rptaylor@users.noreply.github.com>
---
 charts/kube-vip-cloud-provider/Chart.yaml | 2 +-
 charts/kube-vip-cloud-provider/templates/deployment.yaml | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/charts/kube-vip-cloud-provider/Chart.yaml b/charts/kube-vip-cloud-provider/Chart.yaml
index f552eaa..65e8a9a 100644
--- a/charts/kube-vip-cloud-provider/Chart.yaml
+++ b/charts/kube-vip-cloud-provider/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.4
+version: 0.2.5
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/kube-vip-cloud-provider/templates/deployment.yaml b/charts/kube-vip-cloud-provider/templates/deployment.yaml
index c7fcf45..2bf12dc 100644
--- a/charts/kube-vip-cloud-provider/templates/deployment.yaml
+++ b/charts/kube-vip-cloud-provider/templates/deployment.yaml
@@ -29,6 +29,12 @@ spec:
 {{- toYaml .Values.resources | nindent 12 }}
 securityContext:
 allowPrivilegeEscalation: false
+ capabilities: drop: - ALL
+ runAsNonRoot: true
+ runAsUser: 65532
+ runAsGroup: 65532
 seccompProfile:
 type: RuntimeDefault
 serviceAccountName: {{ include "kube-vip-cloud-provider.name" . }}
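Review bot: The container securityContext in the deployment.yaml hunk still omits `readOnlyRootFilesystem: true`, the hardening setting most commonly paired with the drop-ALL, runAsNonRoot and RuntimeDefault seccomp lines now present; if the binary does not need to write to its root filesystem (not determinable from the hunk), add `readOnlyRootFilesystem: true` beside `allowPrivilegeEscalation: false`. The added `runAsUser: 65532` and `runAsGroup: 65532` are hard-coded in the template, whereas `resources` on the first context line is rendered from `.Values.resources`; sourcing the whole block from a `.Values.securityContext` default (with these values in values.yaml) would let an operator who points the chart at an image built for a different uid override it without forking the chart, while `runAsNonRoot: true` would still refuse any root uid. The UID 65532 presumably matches the image's non-root user, which the hunk does not show; a short comment above the line naming that assumption, such as `# 65532 is the image's non-root user; keep in sync with the image`, would help the next maintainer. The container entry that owns this securityContext begins before the hunk.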