From 4ae41961d453255a8cda713d88bc59af525b7f2c Mon Sep 17 00:00:00 2001
From: Aviram Hassan
Date: Tue, 10 Dec 2024 13:40:00 +0200
Subject: [PATCH] Add runAsNonRoot and RO file system to operator deployment
---
 changelog.d/+operator-deployment-strict.added.md | 1 +
 mirrord/operator/src/setup.rs | 3 +++
 2 files changed, 4 insertions(+)
 create mode 100644 changelog.d/+operator-deployment-strict.added.md
diff --git a/changelog.d/+operator-deployment-strict.added.md b/changelog.d/+operator-deployment-strict.added.md
new file mode 100644
index 00000000000..a72b1ccd58a
--- /dev/null
+++ b/changelog.d/+operator-deployment-strict.added.md
@@ -0,0 +1 @@
+Add runAsNonRoot and RO file system to operator deployment
diff --git a/mirrord/operator/src/setup.rs b/mirrord/operator/src/setup.rs
index cb4e457df55..d3e49a8853d 100644
--- a/mirrord/operator/src/setup.rs
+++ b/mirrord/operator/src/setup.rs
@@ -410,6 +410,9 @@ impl OperatorDeployment {
 security_context: Some(SecurityContext {
 allow_privilege_escalation: Some(false),
 privileged: Some(false),
+ run_as_user: Some(1000),
+ run_as_non_root: Some(true),
+ read_only_root_filesystem: Some(true),
 ..Default::default()
 }),
 resources: Some(ResourceRequirements {
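Review bot: The container `SecurityContext` in the `setup.rs` hunk still leaves `capabilities` and `seccomp_profile` to `..Default::default()`, so the hardening stops short of the Pod Security "restricted" profile unless a pod-level context outside this hunk sets the seccomp profile. I would add `capabilities: Some(Capabilities { drop: Some(vec!["ALL".to_string()]), ..Default::default() }),` and `seccomp_profile: Some(SeccompProfile { type_: "RuntimeDefault".to_string(), ..Default::default() }),` next to the new fields, with both types presumably imported alongside `SecurityContext`. The hard-coded `run_as_user: Some(1000)` can be refused by admission on clusters that assign a UID range per namespace (OpenShift's restricted SCC, for example), so it deserves a comment such as `// UID must match the non-root user baked into the operator image`, or a configurable value. The enclosing function starts and ends outside the hunk, so it is not visible whether a writable `emptyDir` is mounted for anything the operator writes at runtime now that `read_only_root_filesystem` is set.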