From c7cafa1c0eddbb27b5134027beaff6428883926e Mon Sep 17 00:00:00 2001
From: Sebastian Gaiser
Date: Thu, 16 Jan 2025 21:10:42 +0100
Subject: [PATCH] feat(chart): add default security context

---
 chart/templates/deployment.yaml | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index b235aeb..15e6647 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -15,10 +15,10 @@ spec:
 labels:
 {{- include "ca-controller-for-strimzi.selectorLabels" . | nindent 8 }}
 spec:
- {{- with .Values.imagePullSecrets }}
+ {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 serviceAccountName: {{ include "ca-controller-for-strimzi.serviceAccountName" . }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -43,8 +43,20 @@ spec:
 port: 8081
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ {{- if .Values.securityContext }}
 securityContext:
 {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- else }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ {{- end }}
 volumeMounts:
 {{- range $name, $spec := $.Values.volumes }}
 - name: {{ $name }}
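Review bot: The new `{{- if .Values.securityContext }}` branch in the second hunk makes the hardened block a fallback rather than a base, so a user who sets any single key (for example `runAsUser: 1000`) silently drops `allowPrivilegeEscalation: false`, the `drop: [ALL]` and the `seccompProfile` along with it. Merging user-supplied values over a dict of the defaults (Sprig `mergeOverwrite`, with `default (dict)` guarding a nil value) keeps the hardening unless a key is explicitly overridden and also lets the duplicated `securityContext:` key be hoisted out of the if/else; an alternative that additionally makes the defaults visible to `helm show values` is to put them in values.yaml instead of the template. Whether `runAsNonRoot: true` and `readOnlyRootFilesystem: true` are safe as unconditional defaults depends on the image, which this hunk does not show: an image whose USER is root or unset will not start under `runAsNonRoot` without a numeric `runAsUser`, and a process that writes to its filesystem needs a writable emptyDir mount. The container spec continues outside the hunk.
```yaml
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          {{- $secCtxDefaults := dict "allowPrivilegeEscalation" false "capabilities" (dict "drop" (list "ALL")) "readOnlyRootFilesystem" true "runAsNonRoot" true "seccompProfile" (dict "type" "RuntimeDefault") }}
          securityContext:
            {{- toYaml (mergeOverwrite $secCtxDefaults (default (dict) .Values.securityContext)) | nindent 12 }}
          {{- /* … unchanged: volumeMounts range … */ }}
```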