From 67b5a64890a5073055cc81d8e1cf6c11846ca43c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=B6ran=20P=C3=B6hner?= <10630407+groundhog2k@users.noreply.github.com>
Date: Sun, 17 Dec 2023 13:57:52 +0100
Subject: [PATCH] Improved security configuration (#63)

---
 charts/vaultwarden/Chart.yaml | 2 +-
 charts/vaultwarden/templates/_podSpec.tpl | 4 ++++
 charts/vaultwarden/values.yaml | 16 ++++++++++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/charts/vaultwarden/Chart.yaml b/charts/vaultwarden/Chart.yaml
index 84f324c..2cf7161 100644
--- a/charts/vaultwarden/Chart.yaml
+++ b/charts/vaultwarden/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
 - name: guerzon
 email: guerzon@proton.me
 url: https://github.com/guerzon
-version: 0.18.1
+version: 0.18.2
 kubeVersion: ">=1.12.0-0"
diff --git a/charts/vaultwarden/templates/_podSpec.tpl b/charts/vaultwarden/templates/_podSpec.tpl
index 2b77bac..e83fd10 100644
--- a/charts/vaultwarden/templates/_podSpec.tpl
+++ b/charts/vaultwarden/templates/_podSpec.tpl
@@ -11,6 +11,10 @@ affinity:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+{{- with .Values.podSecurityContext }}
+securityContext:
{{- toYaml . | nindent 8 }}
+{{- end }}
 {{- with .Values.initContainers }}
 initContainers:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/vaultwarden/values.yaml b/charts/vaultwarden/values.yaml
index c24a826..35bd5bd 100644
--- a/charts/vaultwarden/values.yaml
+++ b/charts/vaultwarden/values.yaml
@@ -253,7 +253,23 @@ startupProbe:
 ##
 failureThreshold: 10
 
+## Pod security options
+podSecurityContext: {}
# fsGroup: 1001
# supplementalGroups:
# - 1001
+
+## Default security options to run vault as read only container without privilege escalation
 securityContext: {}
# allowPrivilegeEscalation: false
# privileged: false
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsGroup: 1001
# runAsUser: 1001
# capabilities:
# drop:
# - ALL
 
 ## Service configuration
 service:
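Review bot: The new block renders `.Values.podSecurityContext` at pod-spec level (same `nindent 8` as its `tolerations` and `initContainers` siblings), but nothing in this patch renders the container-level `.Values.securityContext` that the values.yaml hunk documents right next to it; that rendering presumably already exists elsewhere in `_podSpec.tpl`, outside the hunk, and is worth confirming so the two knobs are not mistaken for one another. A one-line template comment above the block, `{{/* Pod-level securityContext (fsGroup, supplementalGroups); container-level settings come from .Values.securityContext */}}`, would make the split explicit to chart users reading the template. The enclosing template definition starts and ends outside the hunk.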
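Review bot: Both `podSecurityContext` and `securityContext` still default to `{}`, so none of the hardening the new comments list (non-root user, dropped capabilities, read-only root filesystem) is applied unless an operator edits values, and the deployed default is unchanged despite the commit title. If enabling a hardened default is out of scope, the comment above `securityContext` should say so and should warn that `readOnlyRootFilesystem: true` requires every path the process writes to be backed by a volume or emptyDir, otherwise the pod fails at runtime rather than at install; the example UID/GID `1001` should likewise be checked against the user the image actually runs as. The header also has a naming slip and reads better as `## Default security options to run vaultwarden as a read-only container without privilege escalation`. A short reminder that the `{}` must be removed when uncommenting the lines beneath it would prevent a common copy-and-edit mistake, since leaving it produces a duplicate or unparsable mapping.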