From 1ba8f856b45ebc7cb41cd3627ff8243ba5d2492d Mon Sep 17 00:00:00 2001
From: vikingowl
Date: Sat, 18 Apr 2026 08:26:40 +0200
Subject: [PATCH] fix(helm): add restricted PodSecurity settings to discovery CronJob

Previous deploys emitted 4 warnings on the discovery-tick Pod template against the restricted:latest policy. Today they are warnings; if the namespace enforcement tightens, admission will silently drop the Pod. Pod-level: runAsNonRoot, runAsUser/runAsGroup 100 (curlimages/curl's built-in non-root UID), seccompProfile RuntimeDefault. Container-level: allowPrivilegeEscalation false, capabilities drop ALL.
---
 backend/deploy/helm/templates/discovery-cron.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/backend/deploy/helm/templates/discovery-cron.yaml b/backend/deploy/helm/templates/discovery-cron.yaml
index 531a978..1b0ff5e 100644
--- a/backend/deploy/helm/templates/discovery-cron.yaml
+++ b/backend/deploy/helm/templates/discovery-cron.yaml
@@ -17,9 +17,19 @@ spec:
       template:
         spec:
           restartPolicy: OnFailure
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 100
+            runAsGroup: 100
+            seccompProfile:
+              type: RuntimeDefault
           containers:
             - name: tick
               image: curlimages/curl:8.9.1
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop: ["ALL"]
               command:
                 - sh
                 - -c
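Review bot: The container-level securityContext added for `tick` stops at the three fields the restricted profile checks; `readOnlyRootFilesystem: true` is the one further hardening a one-shot curl container normally tolerates and is missing here, so consider adding it beside `allowPrivilegeEscalation: false` (with an emptyDir at /tmp only if the command turns out to write there). The pod-level `runAsUser: 100` is also what lets `runAsNonRoot: true` pass kubelet validation when the image's `USER` is a name rather than a numeric UID, which is worth recording above that line as `# numeric UID required: runAsNonRoot cannot verify a named image USER`. `runAsGroup: 100` should be checked against the GID the image actually assigns to that user — if they differ, this line silently overrides the image's primary group, and the commit message only vouches for the UID. These settings cover only the `tick` container; the pod template continues past the hunk, so any other container or initContainer declared there still needs the same block to clear the policy.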