From b23f04078c992d344a4b34729f687af6eb49caaa Mon Sep 17 00:00:00 2001
From: Pat Riehecky
Date: Wed, 5 Apr 2023 15:53:05 -0500
Subject: [PATCH] Add parameters for PodSecurity restricted

Signed-off-by: Pat Riehecky
---
 examples/autosharding/statefulset.yaml | 3 +++
 examples/daemonsetsharding/daemonset.yaml | 3 +++
 examples/daemonsetsharding/deployment.yaml | 3 +++
 examples/standard/deployment.yaml | 3 +++
 jsonnet/kube-state-metrics/kube-state-metrics.libsonnet | 2 ++
 5 files changed, 14 insertions(+)

diff --git a/examples/autosharding/statefulset.yaml b/examples/autosharding/statefulset.yaml
index 29cf1b3196..34709b4803 100644
--- a/examples/autosharding/statefulset.yaml
+++ b/examples/autosharding/statefulset.yaml
@@ -59,7 +59,10 @@ spec:
 drop:
 - ALL
 readOnlyRootFilesystem: true
+ runAsNonRoot: true
 runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
 nodeSelector:
 kubernetes.io/os: linux
 serviceAccountName: kube-state-metrics
diff --git a/examples/daemonsetsharding/daemonset.yaml b/examples/daemonsetsharding/daemonset.yaml
index 54106a6e80..67a9c7fa1c 100644
--- a/examples/daemonsetsharding/daemonset.yaml
+++ b/examples/daemonsetsharding/daemonset.yaml
@@ -54,7 +54,10 @@ spec:
 drop:
 - ALL
 readOnlyRootFilesystem: true
+ runAsNonRoot: true
 runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
 nodeSelector:
 kubernetes.io/os: linux
 serviceAccountName: kube-state-metrics
diff --git a/examples/daemonsetsharding/deployment.yaml b/examples/daemonsetsharding/deployment.yaml
index a60e20a572..400efce0c0 100644
--- a/examples/daemonsetsharding/deployment.yaml
+++ b/examples/daemonsetsharding/deployment.yaml
@@ -48,7 +48,10 @@ spec:
 drop:
 - ALL
 readOnlyRootFilesystem: true
+ runAsNonRoot: true
 runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
 nodeSelector:
 kubernetes.io/os: linux
 serviceAccountName: kube-state-metrics
diff --git a/examples/standard/deployment.yaml b/examples/standard/deployment.yaml
index c34e9c811d..a6d60505ee 100644
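Review bot: `runAsNonRoot: true` and `seccompProfile` are added to the container securityContext only, so any container added to this Pod template later (an init container or a proxy sidecar) would need both fields repeated before the PodSecurity restricted check passes again. Setting them once under the pod-level `spec.template.spec.securityContext` would act as the default for every container while still letting an individual container override it. The same applies to the hunks in examples/daemonsetsharding/daemonset.yaml, examples/daemonsetsharding/deployment.yaml and examples/standard/deployment.yaml. `allowPrivilegeEscalation: false`, which restricted also requires, is not visible in these hunks; it is presumably above the shown context, since the libsonnet hunk has it. If these examples are generated from jsonnet/kube-state-metrics/kube-state-metrics.libsonnet, that file is where a pod-level setting would go.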
--- a/examples/standard/deployment.yaml
+++ b/examples/standard/deployment.yaml
@@ -46,7 +46,10 @@ spec:
 drop:
 - ALL
 readOnlyRootFilesystem: true
+ runAsNonRoot: true
 runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
 nodeSelector:
 kubernetes.io/os: linux
 serviceAccountName: kube-state-metrics
diff --git a/jsonnet/kube-state-metrics/kube-state-metrics.libsonnet b/jsonnet/kube-state-metrics/kube-state-metrics.libsonnet
index 94cf3972bc..4ac16fbbc3 100644
--- a/jsonnet/kube-state-metrics/kube-state-metrics.libsonnet
+++ b/jsonnet/kube-state-metrics/kube-state-metrics.libsonnet
@@ -185,9 +185,11 @@
 ],
 securityContext: {
 runAsUser: 65534,
+ runAsNonRoot: true,
 allowPrivilegeEscalation: false,
 readOnlyRootFilesystem: true,
 capabilities: { drop: ['ALL'] },
+ seccompProfile: { type: 'RuntimeDefault' },
 },
 livenessProbe: { timeoutSeconds: 5, initialDelaySeconds: 5, httpGet: {
 port: 8080,
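Review bot: Nothing in the securityContext block records that these fields exist to satisfy the PodSecurity restricted profile, so a later edit could drop `runAsNonRoot` or `seccompProfile` without anything flagging it; a comment above `securityContext: {` such as `// Satisfies the PodSecurity "restricted" profile; keep all of these fields together.` would capture the intent. A regression check that applies the rendered examples/standard/deployment.yaml to a namespace labelled `pod-security.kubernetes.io/enforce: restricted` (for example as a server-side dry-run in CI) would turn that comment into something enforced. The two new keys are also inserted at positions that differ from the alphabetical order the generated examples show, which is harmless but worth aligning if the examples are produced from this file.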