From 19beb4af21d0eec3d1b65ba5a8b8a5830839a871 Mon Sep 17 00:00:00 2001
From: vivekr-splunk
Date: Wed, 21 Feb 2024 10:52:55 -0800
Subject: [PATCH] security context for init container not set

---
 pkg/splunk/enterprise/util.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/pkg/splunk/enterprise/util.go b/pkg/splunk/enterprise/util.go
index 7d3bd2b59..5fc96222b 100644
--- a/pkg/splunk/enterprise/util.go
+++ b/pkg/splunk/enterprise/util.go
@@ -679,6 +679,10 @@ func setupInitContainer(podTemplateSpec *corev1.PodTemplateSpec, Image string, i
 	} else {
 		volMntName = fmt.Sprintf(splcommon.PvcNamePrefix, splcommon.EtcVolumeStorage)
 	}
+	// update security context
+	runAsUser := int64(41812)
+	runAsNonRoot := true
+	privileged := false
 	containerSpec := corev1.Container{
 		Image: Image,
 		ImagePullPolicy: corev1.PullPolicy(imagePullPolicy),
@@ -699,6 +703,23 @@ func setupInitContainer(podTemplateSpec *corev1.PodTemplateSpec, Image string, i
 				corev1.ResourceMemory: resource.MustParse("512Mi"),
 			},
 		},
+		SecurityContext: &corev1.SecurityContext{
+			RunAsUser: &runAsUser,
+			RunAsNonRoot: &runAsNonRoot,
+			AllowPrivilegeEscalation: &[]bool{false}[0],
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{
+					"ALL",
+				},
+				Add: []corev1.Capability{
+					"NET_BIND_SERVICE",
+				},
+			},
+			Privileged: &privileged,
+			SeccompProfile: &corev1.SeccompProfile{
+				Type: corev1.SeccompProfileTypeRuntimeDefault,
+			},
+		},
 	}
 	podTemplateSpec.Spec.InitContainers = append(podTemplateSpec.Spec.InitContainers, containerSpec)
 }
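Review bot: The `Add: []corev1.Capability{"NET_BIND_SERVICE"}` entry in the new SecurityContext grants an init container a capability it has no evident use for; the container's command is not in this hunk, but an init container that stages files has no reason to bind a port below 1024, and with `RunAsUser` 41812 an added capability does not land in the process's effective set anyway unless the binary carries file capabilities, so it is dead weight at best and a gratuitous exception to `Drop: ALL` at worst. Unless the command is shown to need a privileged port, remove the `Add` list and keep only `Drop: []corev1.Capability{"ALL"}`. Separately, `AllowPrivilegeEscalation: &[]bool{false}[0]` is out of step with the named locals used for the other fields; `allowPrivilegeEscalation := false` next to `privileged := false` reads the same as the rest. The hard-coded UID 41812 presumably has to match the main Splunk container and the pod's fsGroup, since files this init container writes to the etc volume are otherwise unreadable by it, so a comment such as `// 41812 is the splunk user in the image; keep in sync with the main container's UID/fsGroup` would help the next maintainer. setupInitContainer begins before the first hunk.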