From 37f3690de07e1d199fdec055d3ef00ae3abe6f6e Mon Sep 17 00:00:00 2001
From: Sebastian Nallar
Date: Mon, 29 Sep 2025 14:46:07 -0300
Subject: [PATCH] fix(base): configure finalizer to run as non-root user

Add security context to finalizer job to enforce running as UID 1000 with read-only root filesystem and dropped capabilities
---
 charts/base/templates/finalizer.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/charts/base/templates/finalizer.yaml b/charts/base/templates/finalizer.yaml
index 4e074e3..f237aa3 100644
--- a/charts/base/templates/finalizer.yaml
+++ b/charts/base/templates/finalizer.yaml
@@ -11,9 +11,22 @@ spec:
 name: {{ .Release.Name }}-finalizer
 spec:
 restartPolicy: Never
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
 containers:
 - name: blocker
 image: alpine:latest
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ capabilities:
+ drop:
+ - ALL
 command:
 - /bin/sh
 - -c
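Review bot: The new securityContext blocks set no `seccompProfile`, so the finalizer pod still falls short of the Restricted Pod Security Standard even with root, privilege escalation and all capabilities dropped; add `seccompProfile:` / `  type: RuntimeDefault` under the pod-level securityContext next to `fsGroup: 1000`. `readOnlyRootFilesystem: true` will make any write by the `/bin/sh -c` script fail at run time rather than at template time — the script body lies outside this hunk, so confirm it writes nothing or mount an `emptyDir` at the path it uses. The `runAsNonRoot: true` / `runAsUser: 1000` pair is repeated at both pod and container level; that is harmless (the container level wins) but one copy would do, and since the literal 1000 now appears four times a single values entry such as `{{ .Values.finalizer.runAsUser }}` would keep them from drifting. The enclosing container spec continues past the end of the hunk.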