primary-site: restrict security context more (#152)

bennetthardwick · web-flow · commit 9d8e9c7c05b1 · 2025-11-17T14:04:23.000+11:00
### Changelog
&lt;!-- Write a one-sentence summary of the user-impacting change (API,
UI/UX, performance, etc) that could appear in a changelog. Write "None"
if there is no user-facing change --&gt;

- Restrict security context more with readonly root fs, dropped
capabilities and seccomp profile

### Docs

&lt;!-- Link to a Docs PR, tracking ticket in Linear, OR write "None" if no
documentation changes are needed. --&gt;

None

### Description

Ensures the following is set for all pods:

```yaml
securityContext:
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
```
diff --git a/charts/primary-site/templates/cronjobs/garbage-collector.yaml b/charts/primary-site/templates/cronjobs/garbage-collector.yaml
@@ -34,10 +34,16 @@ spec:
             - name: garbage-collector
               image: {{ .Values.garbageCollector.deployment.image }}:{{ .Chart.AppVersion }}
               securityContext:
+                readOnlyRootFilesystem: true
+                capabilities:
+                  drop:
+                    - ALL
                 allowPrivilegeEscalation: false
                 runAsNonRoot: true
                 runAsUser: 65534
                 runAsGroup: 65534
+                seccompProfile:
+                  type: RuntimeDefault
               volumeMounts:
                 - mountPath: /secrets
                   name: cloud-credentials
diff --git a/charts/primary-site/templates/deployments/_inbox-container.tpl b/charts/primary-site/templates/deployments/_inbox-container.tpl
@@ -42,9 +42,15 @@ template:
         image: {{ .Values.inboxListener.deployment.image }}:{{ .Chart.AppVersion }}
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 65534
           runAsGroup: 65534
+          seccompProfile:
+            type: RuntimeDefault
         resources:
           requests:
             cpu: {{ .Values.inboxListener.deployment.resources.requests.cpu }}
diff --git a/charts/primary-site/templates/deployments/query-server.yaml b/charts/primary-site/templates/deployments/query-server.yaml
@@ -45,9 +45,15 @@ spec:
           image: {{ $values.deployment.image }}:{{ .Chart.AppVersion }}
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
             runAsNonRoot: true
             runAsUser: 65534
             runAsGroup: 65534
+            seccompProfile:
+              type: RuntimeDefault
           resources:
             requests:
               cpu: {{ $values.deployment.resources.requests.cpu }}
diff --git a/charts/primary-site/templates/deployments/site-controller.yaml b/charts/primary-site/templates/deployments/site-controller.yaml
@@ -37,9 +37,15 @@ spec:
           image: {{ .Values.siteController.deployment.image }}:{{ .Chart.AppVersion }}
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
             runAsNonRoot: true
             runAsUser: 65534
             runAsGroup: 65534
+            seccompProfile:
+              type: RuntimeDefault
           resources:
             requests:
               cpu: {{ .Values.siteController.deployment.resources.requests.cpu }}
