From 45a214b327d517e92016420c035c58a865d9d01b Mon Sep 17 00:00:00 2001
From: Danny Zaken
Date: Tue, 7 May 2024 17:47:48 +0300
Subject: [PATCH] Security context changes

* Added fsGroup 0 to the agent pod
* moved allowPrivilegeEscalation in the DB sts to the container security context

Signed-off-by: Danny Zaken
---
 deploy/internal/pod-agent.yaml | 5 +++++
 deploy/internal/statefulset-postgres-db.yaml | 4 +++-
 pkg/bundle/deploy.go | 13 ++++++++++---
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/deploy/internal/pod-agent.yaml b/deploy/internal/pod-agent.yaml
index 8052e777e..0c2fd077e 100644
--- a/deploy/internal/pod-agent.yaml
+++ b/deploy/internal/pod-agent.yaml
@@ -35,6 +35,11 @@ spec:
 securityContext:
 runAsNonRoot: true
 allowPrivilegeEscalation: false
+ securityContext:
+ runAsUser: 10001
+ runAsGroup: 0
+ fsGroup: 0
+ fsGroupChangePolicy: "OnRootMismatch"
 volumes:
 - name: tmp-logs-vol
 emptyDir: {}
diff --git a/deploy/internal/statefulset-postgres-db.yaml b/deploy/internal/statefulset-postgres-db.yaml
index 764eb560b..c2c2db69a 100644
--- a/deploy/internal/statefulset-postgres-db.yaml
+++ b/deploy/internal/statefulset-postgres-db.yaml
@@ -41,6 +41,9 @@ spec:
 key: password
 name: noobaa-db
 imagePullPolicy: "IfNotPresent"
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
 ports:
 - containerPort: 5432
 resources:
@@ -64,7 +67,6 @@ spec:
 runAsGroup: 0
 fsGroup: 0
 fsGroupChangePolicy: "OnRootMismatch"
- allowPrivilegeEscalation: false
 volumeClaimTemplates:
 - metadata:
 name: db
diff --git a/pkg/bundle/deploy.go b/pkg/bundle/deploy.go
index 769909e5a..d9ddc28b6 100644
--- a/pkg/bundle/deploy.go
+++ b/pkg/bundle/deploy.go
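Review bot: The container securityContext in the pod-agent.yaml hunk and the one added in the statefulset-postgres-db.yaml hunk both stop at `runAsNonRoot: true` and `allowPrivilegeEscalation: false`, leaving capabilities and the seccomp profile at the runtime defaults; the `restricted` Pod Security Standard also expects `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}` in each container securityContext, and adding those two lines to both hunks would close that gap in the same change. Moving `allowPrivilegeEscalation` out of the pod-level block in the statefulset is correct because it is a container-level field only, so the setting presumably had no effect where it was; a sentence saying so in the description would help whoever bisects this later. The new pod-level block in pod-agent.yaml pins `runAsGroup: 0` and `fsGroup: 0` without a comment, which is easy to misread as root privileges; if the intent matches the DB statefulset context lines (GID 0 so a non-root UID can write group-owned volumes), a comment such as `# GID 0 so volumes are group-writable for the non-root UID, matching the DB statefulset` above `runAsGroup` would record that. The container specs in both files begin above their hunks, so the rest of each container's configuration is not visible here.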
@@ -4286,7 +4286,7 @@ metadata:
 data: {}
 `
 
-const Sha256_deploy_internal_pod_agent_yaml = "471be013b7cb20d0e00d6715edea3bf439e7a348f07661716326ca3356e648ee"
+const Sha256_deploy_internal_pod_agent_yaml = "a02ebca336c7db9e4b84a13459e30664fd8fd2a8ea238e188685caea52a281fd"
 
 const File_deploy_internal_pod_agent_yaml = `apiVersion: v1
 kind: Pod
@@ -4325,6 +4325,11 @@ spec:
 securityContext:
 runAsNonRoot: true
 allowPrivilegeEscalation: false
+ securityContext:
+ runAsUser: 10001
+ runAsGroup: 0
+ fsGroup: 0
+ fsGroupChangePolicy: "OnRootMismatch"
 volumes:
 - name: tmp-logs-vol
 emptyDir: {}
@@ -5036,7 +5041,7 @@ spec:
 resource: limits.memory
 `
 
-const Sha256_deploy_internal_statefulset_postgres_db_yaml = "efd4562dd6ce535624a56426dc921c584c5a761c8c2540d4823f9e410fcd0347"
+const Sha256_deploy_internal_statefulset_postgres_db_yaml = "37a6c36928ba426ca04fd89e1eb2685e10d1a5f65c63ebb40c68a4f5c37645de"
 
 const File_deploy_internal_statefulset_postgres_db_yaml = `apiVersion: apps/v1
 kind: StatefulSet
@@ -5081,6 +5086,9 @@ spec:
 key: password
 name: noobaa-db
 imagePullPolicy: "IfNotPresent"
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
 ports:
 - containerPort: 5432
 resources:
@@ -5104,7 +5112,6 @@ spec:
 runAsGroup: 0
 fsGroup: 0
 fsGroupChangePolicy: "OnRootMismatch"
- allowPrivilegeEscalation: false
 volumeClaimTemplates:
 - metadata:
 name: db