From 669cf57ac24253b9776b138deaf21e430c9d3de4 Mon Sep 17 00:00:00 2001
From: nimalank7
Date: Fri, 4 Oct 2024 15:33:41 +0100
Subject: [PATCH] Update static-error-page-upload-job container to be PSS compliant

Description:
- Enforces this container to be compliant when PSS is set to [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
- As part of https://github.com/alphagov/govuk-helm-charts/issues/1883
---
 .../templates/static-error-page-upload-job.yaml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/charts/generic-govuk-app/templates/static-error-page-upload-job.yaml b/charts/generic-govuk-app/templates/static-error-page-upload-job.yaml
index 45d8fb03a70..dae8721833a 100644
--- a/charts/generic-govuk-app/templates/static-error-page-upload-job.yaml
+++ b/charts/generic-govuk-app/templates/static-error-page-upload-job.yaml
@@ -32,8 +32,13 @@ spec:
 - name: upload-static-error-pages
 image: 172025368201.dkr.ecr.eu-west-1.amazonaws.com/github/alphagov/govuk/toolbox:latest
 securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default "false" }}
+ runAsNonRoot: {{ .Values.securityContext.runAsNonRoot | default "true" }}
+ readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default "true" }}
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop: ["ALL"]
 env:
 - name: GOVUK_ENVIRONMENT
 value: {{ .Values.govukEnvironment }}
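Review bot: The three templated settings on the new side (`allowPrivilegeEscalation`, `runAsNonRoot`, `readOnlyRootFilesystem`) undo the commit's stated goal, because a chart consumer can set `securityContext.allowPrivilegeEscalation: true` in values and the rendered Job silently drops out of the restricted profile, while `seccompProfile` and `capabilities.drop` in the same hunk are correctly hard-coded. The override is also asymmetric: Sprig's `default` treats a boolean `false` as empty, so a values entry of `runAsNonRoot: false` or `readOnlyRootFilesystem: false` is replaced by the `"true"` default rather than honoured, which makes the values keys misleading. Since the commit exists to enforce compliance, I would pin these like the other fields — `allowPrivilegeEscalation: false`, `runAsNonRoot: true`, `readOnlyRootFilesystem: true` — or at least document in values.yaml that only the first one is effectively overridable. Separately, `runAsNonRoot: true` only succeeds if the toolbox image declares a non-root USER or the pod sets `runAsUser`; I cannot see that from the hunk, so please confirm the Job still starts rather than failing with CreateContainerConfigError. The container definition this hunk edits begins before line 32, outside the hunk.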