From 4168f32eb06b4ae9131462bde27eddfa3a844da1 Mon Sep 17 00:00:00 2001
From: Sally O'Malley
Date: Tue, 14 Dec 2021 21:59:10 -0500
Subject: [PATCH] service-ca pod run as non-root

Signed-off-by: Sally O'Malley
---
 assets/apps/0000_60_service-ca_05_deploy.yaml | 7 ++++---
 pkg/assets/apps/bindata.go | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/assets/apps/0000_60_service-ca_05_deploy.yaml b/assets/apps/0000_60_service-ca_05_deploy.yaml
index 547c3bdd52..ecf3f206e8 100644
--- a/assets/apps/0000_60_service-ca_05_deploy.yaml
+++ b/assets/apps/0000_60_service-ca_05_deploy.yaml
@@ -23,7 +23,10 @@ spec:
 app: service-ca
 service-ca: "true"
 spec:
- securityContext: {}
+ securityContext:
+ runAsGroup: 1001
+ runAsNonRoot: true
+ runAsUser: 1001
 serviceAccount: service-ca
 serviceAccountName: service-ca
 containers:
@@ -33,8 +36,6 @@ spec:
 command: ["service-ca-operator", "controller"]
 ports:
 - containerPort: 8443
- # securityContext:
- # runAsNonRoot: true
 resources:
 requests:
 memory: 120Mi
diff --git a/pkg/assets/apps/bindata.go b/pkg/assets/apps/bindata.go
index 444e6bd06a..61fa2c0e6f 100644
--- a/pkg/assets/apps/bindata.go
+++ b/pkg/assets/apps/bindata.go
@@ -204,7 +204,10 @@ spec:
 app: service-ca
 service-ca: "true"
 spec:
- securityContext: {}
+ securityContext:
+ runAsGroup: 1001
+ runAsNonRoot: true
+ runAsUser: 1001
 serviceAccount: service-ca
 serviceAccountName: service-ca
 containers:
@@ -214,8 +217,6 @@ spec:
 command: ["service-ca-operator", "controller"]
 ports:
 - containerPort: 8443
- # securityContext:
- # runAsNonRoot: true
 resources:
 requests:
 memory: 120Mi
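Review bot: In the first hunk of assets/apps/0000_60_service-ca_05_deploy.yaml, the new pod-level `securityContext` sets only the user and group IDs, so nothing in the visible manifest stops the service-ca container from gaining privileges or drops its default capabilities. The second hunk deletes the commented-out container-level `securityContext` stub instead of filling it in; consider setting `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` on the container, and `seccompProfile: {type: RuntimeDefault}` next to `runAsUser`. The hard-coded UID/GID 1001 also assumes that the image contents and any mounted key or certificate material are readable by that user. The volume definitions lie outside these hunks, so this is worth confirming, and an `fsGroup` may be needed. The copy of the manifest in pkg/assets/apps/bindata.go looks generated and should pick up any follow-up by regeneration rather than by hand.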