From 785feeb306c45d0b9289f7c180cd650917f2a2e2 Mon Sep 17 00:00:00 2001
From: Ansible-man <93239366+Ansible-man@users.noreply.github.com>
Date: Fri, 1 Nov 2024 12:30:09 -0500
Subject: [PATCH] feat: make zarf-agent pods comply with offical restricted pod security standard (#3036)
Signed-off-by: Cade Thomas
Signed-off-by: schristoff <28318173+schristoff@users.noreply.github.com>
Signed-off-by: dependabot[bot]
Co-authored-by: Cade Thomas
Co-authored-by: schristoff <28318173+schristoff@users.noreply.github.com>
Co-authored-by: Austin Abro <37223396+AustinAbro321@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 packages/zarf-agent/manifests/deployment.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/packages/zarf-agent/manifests/deployment.yaml b/packages/zarf-agent/manifests/deployment.yaml
index a8e481845f..61731ada18 100644
--- a/packages/zarf-agent/manifests/deployment.yaml
+++ b/packages/zarf-agent/manifests/deployment.yaml
@@ -21,6 +21,13 @@ spec:
 - name: private-registry
 priorityClassName: system-node-critical
 serviceAccountName: zarf
+ # Security context to comply with restricted PSS
+ securityContext:
+ runAsUser: 1000
+ fsGroup: 2000
+ runAsGroup: 2000
+ seccompProfile:
+ type: "RuntimeDefault"
 containers:
 - name: server
 image: "###ZARF_REGISTRY###/###ZARF_CONST_AGENT_IMAGE###:###ZARF_CONST_AGENT_IMAGE_TAG###"
@@ -32,6 +39,12 @@ spec:
 scheme: HTTPS
 ports:
 - containerPort: 8443
+ securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop: ["ALL"]
 resources:
 requests:
 memory: "32Mi"
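Review bot: The pod-level `securityContext` hard-codes `runAsUser: 1000` and `runAsGroup`/`fsGroup: 2000` without recording why those IDs were chosen or that `runAsUser` overrides whatever `USER` the agent image declares; if the image's files (for example the mounted TLS material) are only readable by a different UID, the server will fail at startup rather than at admission. The comment `# Security context to comply with restricted PSS` would be more useful as something like `# Restricted PSS: non-root UID/GID and RuntimeDefault seccomp; UID must match the agent image's USER`. Note that `runAsNonRoot: true` is only set in the container context in the second hunk, which satisfies the restricted profile but means a future sidecar added to this pod would not inherit it; setting it here as well is cheap. The enclosing `spec:` mapping starts and ends outside the hunk.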
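Review bot: `readOnlyRootFilesystem: true` is added to the server container, but the diffstat shows only 13 insertions in this file and no writable volume (an `emptyDir` for `/tmp` or a cache path) is mounted alongside it, so any runtime write the agent performs will now fail with a read-only filesystem error at pod start rather than at review time; confirm the agent writes nowhere on its root filesystem, or add a scratch mount at the path it uses. The rest of the container context (`allowPrivilegeEscalation: false`, `runAsNonRoot: true`, `drop: ["ALL"]`) matches the restricted profile's required fields. As a point of style, the file uses block style elsewhere in this hunk, so `drop:` followed by `  - ALL` on its own line would read consistently, though the flow form is valid. The container's `resources` and surrounding `containers` list continue outside the hunk.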