From 32df1657d29a2d73495d52b62bb77521cb8b8e86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?=
Date: Fri, 7 Feb 2025 08:24:30 +0100
Subject: [PATCH] fix(oxconnector): Update to strict `securityContext` from upstream defaults

---
 .../values-oxconnector.yaml.gotmpl | 24 +++++++------------
 1 file changed, 8 insertions(+), 16 deletions(-)

diff --git a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
index 74b7b66f..b88b49c3 100644
--- a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
@@ -73,29 +73,21 @@ podAnnotations: {}
 
 replicaCount: {{ .Values.replicas.oxConnector }}
 
+podSecurityContext:
+  fsGroup: 1000
+
 securityContext:
+  privileged: false
   allowPrivilegeEscalation: false
   capabilities:
     drop:
       - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "SYS_CHROOT"
-  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
+  runAsGroup: 1000
   seccompProfile:
     type: "RuntimeDefault"
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  readOnlyRootFilesystem: false
   seLinuxOptions: {{ .Values.seLinuxOptions.oxConnector | toYaml | nindent 4 }}