From 1cfe8a91544f923c30ca8858b6d5fa99648e5c47 Mon Sep 17 00:00:00 2001
From: vardhaman
Date: Wed, 8 Feb 2023 19:52:01 +0530
Subject: [PATCH] added security context values for gatekeeper crd chart

this is needed so that these jobs can be run in the namespace with restricted psa labels applied
---
 .../templates/crd-template/templates/jobs.yaml | 18 ++++++++++++++++++
 .../templates/crd-template/values.yaml | 8 ++++++++
 2 files changed, 26 insertions(+)

diff --git a/packages/rancher-gatekeeper/templates/crd-template/templates/jobs.yaml b/packages/rancher-gatekeeper/templates/crd-template/templates/jobs.yaml
index 671d11f8c..0e9ace26a 100644
--- a/packages/rancher-gatekeeper/templates/crd-template/templates/jobs.yaml
+++ b/packages/rancher-gatekeeper/templates/crd-template/templates/jobs.yaml
@@ -40,6 +40,12 @@ spec:
 - name: crd-manifest
 readOnly: true
 mountPath: /etc/config
+ securityContext:
+ {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+ seccompProfile: type: RuntimeDefault
+ {{- end }}
+ {{- toYaml .Values.securityContext | nindent 12 }}
 restartPolicy: OnFailure
 volumes:
 - name: crd-manifest
@@ -88,6 +94,12 @@ spec:
 - name: crd-manifest
 readOnly: true
 mountPath: /etc/config
+ securityContext:
+ {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+ seccompProfile: type: RuntimeDefault
+ {{- end }}
+ {{- toYaml .Values.securityContext | nindent 12 }}
 containers:
 - name: delete-crds
 image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
@@ -101,6 +113,12 @@ spec:
 - name: crd-manifest
 readOnly: true
 mountPath: /etc/config
+ securityContext:
+ {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+ seccompProfile: type: RuntimeDefault
+ {{- end }}
+ {{- toYaml .Values.securityContext | nindent 12 }}
 restartPolicy: OnFailure
 volumes:
 - name: crd-manifest
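Review bot: The same six-line container `securityContext` block is pasted into this hunk and again into the hunks at `@@ -88,6 +94,12 @@` and `@@ -101,6 +113,12 @@`, so any later change to the seccomp handling has to be repeated in three places; a named template (`{{- define "gatekeeper-crd.securityContext" }}`) rendered with `nindent 12` at each site would keep the three containers identical by construction. A second, minor point: if a user sets `securityContext` to empty in their values while `enableRuntimeDefaultSeccompProfile` is false, `toYaml` appears to render `null` directly under `securityContext:`, which is accepted by the API but reads oddly; documenting in values.yaml that the value must remain a map, or guarding the `toYaml` line with `{{- with .Values.securityContext }}`, would avoid it. The enclosing Job specs start before and end after each of these hunks.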
diff --git a/packages/rancher-gatekeeper/templates/crd-template/values.yaml b/packages/rancher-gatekeeper/templates/crd-template/values.yaml
index adc0696d8..3304f097b 100644
--- a/packages/rancher-gatekeeper/templates/crd-template/values.yaml
+++ b/packages/rancher-gatekeeper/templates/crd-template/values.yaml
@@ -11,3 +11,11 @@ global:
 image:
 repository: rancher/kubectl
 tag: v1.20.2
+
+enableRuntimeDefaultSeccompProfile: true
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
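Review bot: The new `securityContext` default is missing `runAsNonRoot: true`, which the restricted Pod Security Standard named in the commit message requires at pod or container level in addition to `allowPrivilegeEscalation: false`, dropping `ALL` capabilities and a `RuntimeDefault` seccomp profile; nothing in this change sets it, so the Jobs will still be rejected at admission in a restricted-labelled namespace. Add `runAsNonRoot: true` under `securityContext` here (jobs.yaml renders this map into all three containers), and confirm that the `rancher/kubectl` image declares a non-root user, since the kubelet refuses to start a container whose image resolves to UID 0 once that field is set. `readOnlyRootFilesystem: true` would be a further hardening step if the kubectl invocations do not need to write to disk. A short comment above `enableRuntimeDefaultSeccompProfile` explaining when to turn it off (runtimes without seccomp support) would help chart users.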