From cc2e4f5c2ce2d0b7c775d6fc7277c88982ddafc5 Mon Sep 17 00:00:00 2001
From: OZGCloud <ozgcloud@mgm-tp.com>
Date: Mon, 8 May 2023 10:10:31 +0200
Subject: [PATCH] OZG-3363 add helm securityContext

---
 .../helm/templates/xta_adapter_cronjob.yaml    |  5 +++++
 .../helm/xta_adapter_cronjob_basic_test.yaml   | 18 +++++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/xta-adapter/src/main/helm/templates/xta_adapter_cronjob.yaml b/xta-adapter/src/main/helm/templates/xta_adapter_cronjob.yaml
index d72900a95..7b781db23 100644
--- a/xta-adapter/src/main/helm/templates/xta_adapter_cronjob.yaml
+++ b/xta-adapter/src/main/helm/templates/xta_adapter_cronjob.yaml
@@ -94,6 +94,11 @@ spec:
                   mountPath: "/workspace/keystore/xta-keystore.p12"
                   subPath: file
                   readOnly: true
+              securityContext:
+                allowPrivilegeEscalation: false
+                privileged: false
+                readOnlyRootFilesystem: false
+                runAsNonRoot: false
           volumes:
             - name: bindings
               configMap:
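Review bot: The container securityContext added here sets `runAsNonRoot: false` and `readOnlyRootFilesystem: false`, which are the permissive defaults, so the only effective hardening is the privilege-escalation and privileged flags; a container running as root with a writable root filesystem is still the main thing a pod security standard (Restricted) would reject. Unless the xta-adapter image genuinely needs root — nothing in the hunk shows it does, so please confirm against the image — the block should assert `runAsNonRoot: true` (with a matching `runAsUser` if the image has no numeric USER), drop all capabilities and pin the runtime seccomp profile, and make the root filesystem read-only with an emptyDir for any path the job writes to. The enclosing container spec starts outside the hunk, so the volumeMounts above may need that emptyDir added as well.

```yaml
securityContext:
  # … unchanged: allowPrivilegeEscalation / privileged …
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
```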
diff --git a/xta-adapter/src/test/helm/xta_adapter_cronjob_basic_test.yaml b/xta-adapter/src/test/helm/xta_adapter_cronjob_basic_test.yaml
index 0d9342a41..3e0ec759c 100644
--- a/xta-adapter/src/test/helm/xta_adapter_cronjob_basic_test.yaml
+++ b/xta-adapter/src/test/helm/xta_adapter_cronjob_basic_test.yaml
@@ -83,4 +83,20 @@ tests:
     asserts:
     - equal:
         path: spec.jobTemplate.spec.template.spec.containers[0].image
-        value: "docker.ozg-sh.de/xta-adapter:9.9.99"
\ No newline at end of file
+        value: "docker.ozg-sh.de/xta-adapter:9.9.99"
+
+  - it: check securityContext
+    template: xta_adapter_cronjob.yaml
+    asserts:
+    - equal:
+        path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation
+        value: false
+    - equal:
+        path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.privileged
+        value: false
+    - equal:
+        path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem
+        value: false
+    - equal:
+        path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsNonRoot
+        value: false
\ No newline at end of file
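Review bot: The new `check securityContext` test pins `readOnlyRootFilesystem` and `runAsNonRoot` to `false`, which means the test documents and enforces the permissive setting rather than the secure one — a later hardening of the template would fail this test instead of being caught by it. If the intent is to guard the baseline, flip those two assertions to `value: true` once the template is hardened, and add one for the capability drop, e.g. `path: spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.drop` with `contains`/`equal` to `["ALL"]`. The file also still ends without a trailing newline (the `\ No newline at end of file` marker remains on the new side), which yamllint's `new-line-at-end-of-file` rule will flag.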
-- 
GitLab