From 1b8111495a73724633df4df7bcd9711d4591fa5b Mon Sep 17 00:00:00 2001
From: Derek Su <derek.su@suse.com>
Date: Wed, 9 Mar 2022 13:37:42 +0800
Subject: [PATCH] webhook: set securityContext

To follow the least privilege principle, the conversion and admission webhooks
are run with a non-root user (uid = 2000).

Longhorn 3701

Signed-off-by: Derek Su <derek.su@suse.com>
---
 chart/templates/deployment-webhook.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/chart/templates/deployment-webhook.yaml b/chart/templates/deployment-webhook.yaml
index f5239f5..59ec311 100644
--- a/chart/templates/deployment-webhook.yaml
+++ b/chart/templates/deployment-webhook.yaml
@@ -31,6 +31,8 @@ spec:
       - name: longhorn-conversion-webhook
         image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }}
         imagePullPolicy: IfNotPresent
+        securityContext:
+          runAsUser: 2000
         command:
         - longhorn-manager
         - conversion-webhook
@@ -97,10 +99,15 @@ spec:
       - name: wait-longhorn-conversion-webhook
         image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }}
         command: ['sh', '-c', 'while [ $(curl -m 1 -s -o /dev/null -w "%{http_code}" -k https://longhorn-conversion-webhook:9443/v1/healthz) != "200" ]; do echo waiting; sleep 2; done']
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          runAsUser: 2000
       containers:
       - name: longhorn-admission-webhook
         image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }}
         imagePullPolicy: IfNotPresent
+        securityContext:
+          runAsUser: 2000
         command:
         - longhorn-manager
         - admission-webhook