add securityContext example for Restricted pod-security policies

Blockdaemon · Feb 13, 2024 · e6e9bfb · e6e9bfb
1 parent 19978b6
commit e6e9bfb
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 1 deletion.
diff --git a/charts/tsm-node/values.yaml b/charts/tsm-node/values.yaml
@@ -47,7 +47,10 @@ securityContext:
   #   - ALL
   # readOnlyRootFilesystem: true
   # runAsNonRoot: true
-  # runAsUser: 1000
+  # runAsUser: 2000
+  # allowPrivilegeEscalation: false
+  # seccompProfile:
+  #   type: "RuntimeDefault"
 
 # -- The primary service definition for the TSM node
 sdkService:

diff --git a/examples/tsm-node-multiinstance/tsm0.yaml b/examples/tsm-node-multiinstance/tsm0.yaml
@@ -132,3 +132,14 @@ affinity:
 resources:
   requests:
     cpu: 14
+
+securityContext:
+  capabilities:
+   drop:
+   - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 2000
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: "RuntimeDefault"
diff --git a/examples/tsm-node-multiinstance/tsm1.yaml b/examples/tsm-node-multiinstance/tsm1.yaml
@@ -132,3 +132,14 @@ affinity:
 resources:
   requests:
     cpu: 14
+
+securityContext:
+  capabilities:
+   drop:
+   - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 2000
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: "RuntimeDefault"
diff --git a/examples/tsm-node-multiinstance/tsm2.yaml b/examples/tsm-node-multiinstance/tsm2.yaml
@@ -133,3 +133,14 @@ affinity:
 resources:
   requests:
     cpu: 14
+
+securityContext:
+  capabilities:
+   drop:
+   - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 2000
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: "RuntimeDefault"