From 58a7ebca9462ba13be6b8c3fa164daedd2e6d40d Mon Sep 17 00:00:00 2001
From: Clay Kauzlaric <ckauzlaric@vmware.com>
Date: Wed, 13 Sep 2023 12:57:30 -0400
Subject: [PATCH] run as non root by default

---
 pkg/apis/serving/v1/revision_defaults.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkg/apis/serving/v1/revision_defaults.go b/pkg/apis/serving/v1/revision_defaults.go
index 8acbf3446fd1..4805f5b1fe35 100644
--- a/pkg/apis/serving/v1/revision_defaults.go
+++ b/pkg/apis/serving/v1/revision_defaults.go
@@ -208,6 +208,10 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
 		}
 	}
 
+	if psc.RunAsNonRoot == nil {
+		updatedSC.RunAsNonRoot = ptr.Bool(true)
+	}
+
 	if *updatedSC != (corev1.SecurityContext{}) {
 		container.SecurityContext = updatedSC
 	}