From e6e9bfb100f8aa040f871ed78c383d1af7669de8 Mon Sep 17 00:00:00 2001
From: Greg May
Date: Tue, 13 Feb 2024 12:42:15 -0800
Subject: [PATCH] add securityContext example for Restricted pod-security policies

---
 charts/tsm-node/values.yaml | 5 ++++-
 examples/tsm-node-multiinstance/tsm0.yaml | 11 +++++++++++
 examples/tsm-node-multiinstance/tsm1.yaml | 11 +++++++++++
 examples/tsm-node-multiinstance/tsm2.yaml | 11 +++++++++++
 4 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/charts/tsm-node/values.yaml b/charts/tsm-node/values.yaml
index 138f071..69c887a 100644
--- a/charts/tsm-node/values.yaml
+++ b/charts/tsm-node/values.yaml
@@ -47,7 +47,10 @@ securityContext:
 # - ALL
 # readOnlyRootFilesystem: true
 # runAsNonRoot: true
- # runAsUser: 1000
+ # runAsUser: 2000
+ # allowPrivilegeEscalation: false
+ # seccompProfile:
+ # type: "RuntimeDefault"
 
 # -- The primary service definition for the TSM node
 sdkService:
diff --git a/examples/tsm-node-multiinstance/tsm0.yaml b/examples/tsm-node-multiinstance/tsm0.yaml
index 93425c7..059bf45 100644
--- a/examples/tsm-node-multiinstance/tsm0.yaml
+++ b/examples/tsm-node-multiinstance/tsm0.yaml
@@ -132,3 +132,14 @@ affinity:
 resources:
 requests:
 cpu: 14
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 2000
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: "RuntimeDefault"
\ No newline at end of file
diff --git a/examples/tsm-node-multiinstance/tsm1.yaml b/examples/tsm-node-multiinstance/tsm1.yaml
index ffcc10d..f65d86f 100644
--- a/examples/tsm-node-multiinstance/tsm1.yaml
+++ b/examples/tsm-node-multiinstance/tsm1.yaml
@@ -132,3 +132,14 @@ affinity:
 resources:
 requests:
 cpu: 14
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 2000
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: "RuntimeDefault"
\ No newline at end of file
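Review bot: The commented example in charts/tsm-node/values.yaml still says nothing about what it is for, so a reader cannot tell that these are the container-level fields the `restricted` Pod Security Standard checks, nor why the example UID on the changed line moved from 1000 to 2000. I would put a header comment above the block, `# Example container securityContext that passes the 'restricted' Pod Security Standard`, and annotate the UID line, `# runAsUser: 2000  # any non-zero UID; typically must own the image's writable paths`. `readOnlyRootFilesystem: true` goes beyond what the restricted profile requires and will fail a node that writes under / unless a writable volume is mounted, so a one-line caveat next to it would save the next user a debugging round. The enclosing securityContext mapping starts before this hunk.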
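Review bot: The securityContext block appended to examples/tsm-node-multiinstance/tsm0.yaml ends without a trailing newline (`\ No newline at end of file`), and tsm1.yaml and tsm2.yaml have the same issue; adding the final newline keeps yamllint clean and avoids a noisy diff on the next append. Substantively, the block sets `readOnlyRootFilesystem: true` and `runAsUser: 2000` on the container, which only works if every path the TSM node writes to is backed by a volume writable by UID 2000; the volume definitions are outside this hunk, so I cannot confirm that, and if a persistent volume is used the pod-level security context may also need matching ownership (fsGroup). A short comment above each copy, `# Container securityContext for the 'restricted' Pod Security Standard; mirrors the commented example in charts/tsm-node/values.yaml`, would tie the three identical blocks to the chart's example and make the intent visible where users actually copy from.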
diff --git a/examples/tsm-node-multiinstance/tsm2.yaml b/examples/tsm-node-multiinstance/tsm2.yaml
index a7b18e1..da7c9c5 100644
--- a/examples/tsm-node-multiinstance/tsm2.yaml
+++ b/examples/tsm-node-multiinstance/tsm2.yaml
@@ -133,3 +133,14 @@ affinity:
 resources:
 requests:
 cpu: 14
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 2000
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: "RuntimeDefault"
\ No newline at end of file