From dfc76906d47f4f3050530ad85b28aa1042a128cd Mon Sep 17 00:00:00 2001
From: Sean Malloy
Date: Tue, 9 Feb 2021 23:09:59 -0600
Subject: [PATCH] Update Job and CronJob YAML to run as non-root
---
 kubernetes/cronjob/cronjob.yaml | 8 ++++++++
 kubernetes/job/job.yaml | 8 ++++++++
 2 files changed, 16 insertions(+)
diff --git a/kubernetes/cronjob/cronjob.yaml b/kubernetes/cronjob/cronjob.yaml
index aa3c475c9..18b950674 100644
--- a/kubernetes/cronjob/cronjob.yaml
+++ b/kubernetes/cronjob/cronjob.yaml
@@ -31,6 +31,14 @@ spec:
 requests:
 cpu: "500m"
 memory: "256Mi"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 restartPolicy: "Never"
 serviceAccountName: descheduler-sa
 volumes:
diff --git a/kubernetes/job/job.yaml b/kubernetes/job/job.yaml
index a478f4e5b..b58d30eec 100644
--- a/kubernetes/job/job.yaml
+++ b/kubernetes/job/job.yaml
@@ -29,6 +29,14 @@ spec:
 requests:
 cpu: "500m"
 memory: "256Mi"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 restartPolicy: "Never"
 serviceAccountName: descheduler-sa
 volumes:
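Review bot: `runAsNonRoot: true` in the added `securityContext` only makes the kubelet refuse to start a container that would run as UID 0; it does not select a user. Both the cronjob.yaml hunk and the identical job.yaml hunk therefore depend on the image declaring a numeric non-root USER, which is not visible here. Setting the identity beside it, e.g. `runAsUser: <non-root UID matching the image>` (placeholder value), would make the manifests self-contained and avoid a start-up failure if the image's user changes. The block also sets no seccomp profile; adding `seccompProfile:` with `type: RuntimeDefault` under the same `securityContext` would close that gap on clusters that support the field. Since `readOnlyRootFilesystem: true` is now set and the `volumes:` list continues outside the hunk, it is worth confirming that every path the container writes to is backed by a mounted volume.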