From 693797e8d872c1cba421fb44300758f956be0154 Mon Sep 17 00:00:00 2001
From: Mathieu Benoit
Date: Sun, 13 Oct 2024 23:29:14 -0400
Subject: [PATCH] Update zz-default.provisioners.yaml - securityContext for `mongodb`

Signed-off-by: Mathieu Benoit
---
 .../default/zz-default.provisioners.yaml | 22 ++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/internal/provisioners/default/zz-default.provisioners.yaml b/internal/provisioners/default/zz-default.provisioners.yaml
index eb51570..2463ed1 100644
--- a/internal/provisioners/default/zz-default.provisioners.yaml
+++ b/internal/provisioners/default/zz-default.provisioners.yaml
@@ -573,6 +573,7 @@
 k8s.score.dev/resource-uid: {{ .Uid }}
 k8s.score.dev/resource-guid: {{ .Guid }}
 spec:
+automountServiceAccountToken: false
 containers:
 - name: mongo-db
 image: mongo:latest
@@ -596,9 +597,28 @@
 initialDelaySeconds: 30
 timeoutSeconds: 5
 periodSeconds: 20
+securityContext:
+runAsUser: 1001
+runAsGroup: 1001
+allowPrivilegeEscalation: false
+privileged: false
+readOnlyRootFilesystem: true
+capabilities:
+drop:
+- ALL
 volumeMounts:
 - name: data
-mountPath: /var/db
+mountPath: /data/db
+- name: tmp
+mountPath: /tmp
+securityContext:
+runAsNonRoot: true
+fsGroup: 1001
+seccompProfile:
+type: RuntimeDefault
+volumes:
+- name: tmp
+emptyDir: {}
 volumeClaimTemplates:
 - metadata:
 name: data
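Review bot: `automountServiceAccountToken: false` on the pod spec carries no comment recording why it is safe here, so a later change that adds a sidecar needing the API server could flip it back without anyone noticing the trade-off; a one-line note such as `# nothing in this pod calls the Kubernetes API; keep the service-account token out of the containers` would pin the intent. The pod spec this hunk edits starts before the hunk and continues into the next one.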
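Review bot: The `tmp` emptyDir added to back `/tmp` under the now read-only root filesystem has no `sizeLimit`, so a runaway write there is bounded only by the node's ephemeral storage; give it a cap, e.g. `emptyDir:` followed by `  sizeLimit: 64Mi` (sample value, size it for mongod's socket and scratch files). The `mountPath: /var/db` to `/data/db` change is a functional fix rather than hardening (the official mongo image's default dbPath is /data/db, so the PVC was not holding the database at the old path) and the subject line, which mentions only securityContext, should call it out. `runAsUser: 1001` does not match the `mongodb` account the official image ships (uid 999); mongod tolerates an arbitrary uid once `fsGroup: 1001` makes the PVC writable, but if the probes just above this hunk invoke mongosh it will try to write its log under a home directory uid 1001 does not have, so it is worth confirming the probes still pass on the read-only root. `privileged: false` is redundant next to `allowPrivilegeEscalation: false` and `drop: [ALL]`, harmless but droppable. The container and pod spec this hunk edits start before the hunk.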