fix(helm): add restricted PodSecurity settings to discovery CronJob

Previous deploys emitted 4 warnings on the discovery-tick Pod template against the restricted:latest policy. Today they are warnings; if the namespace enforcement tightens, admission will silently drop the Pod. Pod-level: runAsNonRoot, runAsUser/runAsGroup 100 (curlimages/curl's built-in non-root UID), seccompProfile RuntimeDefault. Container-level: allowPrivilegeEscalation false, capabilities drop ALL.
2026-04-18 08:26:40 +02:00
parent 0a408a40ba
commit 1ba8f856b4
1 changed files with 10 additions and 0 deletions
--- a/backend/deploy/helm/templates/discovery-cron.yaml
+++ b/backend/deploy/helm/templates/discovery-cron.yaml
@@ -17,9 +17,19 @@ spec:
      template:
        spec:
          restartPolicy: OnFailure
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 100
+            runAsGroup: 100
+            seccompProfile:
+              type: RuntimeDefault
          containers:
            - name: tick
              image: curlimages/curl:8.9.1
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop: ["ALL"]
              command:
                - sh
                - -c