From 4444811f26693763953106d29ffac444b84751fe Mon Sep 17 00:00:00 2001
From: Sean Malloy
Date: Wed, 10 Feb 2021 21:49:01 -0600
Subject: [PATCH] Update Helm Chart to run as non-root
---
 charts/descheduler/templates/cronjob.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/charts/descheduler/templates/cronjob.yaml b/charts/descheduler/templates/cronjob.yaml
index 9ae80a004..21a2829f3 100644
--- a/charts/descheduler/templates/cronjob.yaml
+++ b/charts/descheduler/templates/cronjob.yaml
@@ -59,6 +59,14 @@ spec:
 {{- end }}
 resources:
 {{- toYaml .Values.resources | nindent 16 }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 volumeMounts:
 - mountPath: /policy-dir
 name: policy-volume
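Review bot: `runAsNonRoot: true` is added without a `runAsUser`, so the container only starts if the image itself declares a numeric non-root user; the patch does not touch the image, so this cannot be confirmed from here, and the kubelet refuses to start a container whose non-root status it cannot verify. Consider pinning the UID beside it, `runAsUser: <NON_ROOT_UID>` (placeholder, to match the image), or rendering the block from values the way `resources` is just above it, `{{- toYaml .Values.securityContext | nindent 16 }}`, with these eight lines as the chart default so operators under a different admission policy can adjust it. `readOnlyRootFilesystem: true` presumably relies on the process writing nothing to its root filesystem; a one-line comment stating that assumption would help whoever later adds a feature that needs scratch space. The container spec starts and ends outside the hunk.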