From d08b875f74d297248f2d850ff9310ffd9dbd03dd Mon Sep 17 00:00:00 2001
From: Jorge Turrado Ferrero
Date: Fri, 29 Apr 2022 00:30:22 +0200
Subject: [PATCH] feat: use safe `securityContext` as default (#2938)
---
 CHANGELOG.md | 1 +
 config/manager/manager.yaml | 11 +++++++++++
 config/metrics-server/deployment.yaml | 12 ++++++++++++
 3 files changed, 24 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 29087efa312..c4c00355c7c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -46,6 +46,7 @@ To learn more about our roadmap, we recommend reading [this document](ROADMAP.md
 ### Improvements
 - **General:** Properly handle `restoreToOriginalReplicaCount` if `ScaleTarget` is missing ([#2872](https://github.com/kedacore/keda/issues/2872))
+- **General:** Support for running in non-root ([#2933](https://github.com/kedacore/keda/issues/2933))
 - **General:** Synchronize HPA annotations from ScaledObject ([#2659](https://github.com/kedacore/keda/pull/2659))
 - **General:** Updated HTTPClient to be proxy-aware, if available, from environment variables. ([#2577](https://github.com/kedacore/keda/issues/2577))
 - **ActiveMQ Scaler:** Add CorsHeader information to ActiveMQ Scaler ([#2884](https://github.com/kedacore/keda/issues/2884))
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index d3b847ee21f..b588157155a 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -22,6 +22,11 @@ spec:
 name: keda-operator
 name: keda-operator
 spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ runAsNonRoot: true
 serviceAccountName: keda-operator
 containers:
 - name: keda-operator
@@ -59,6 +64,12 @@ spec:
 value: ""
 - name: KEDA_HTTP_DEFAULT_TIMEOUT
 value: ""
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 terminationGracePeriodSeconds: 10
 nodeSelector:
 kubernetes.io/os: linux
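Review bot: The new pod-level `securityContext` in the first manager.yaml hunk pins `runAsUser`/`runAsGroup`/`fsGroup` to 1000 and sets `runAsNonRoot: true`, but sets no seccomp profile, so the pod falls back to the kubelet's default filter, which on most clusters means unconfined; since the second hunk already drops all capabilities and disables privilege escalation, adding `seccompProfile:` / `  type: RuntimeDefault` under the pod `securityContext` is the remaining item needed for the Pod Security Standards "restricted" level. The same gap exists in the pod-level hunk of config/metrics-server/deployment.yaml. The hard-coded UID/GID 1000 also overrides whatever user the image declares, so a comment such as `# UID/GID 1000 must be valid for the operator image; kept identical to metrics-server/deployment.yaml` would make the coupling between the two files explicit. Both hunks are inside the Deployment's pod template, which starts and ends outside the hunk.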
diff --git a/config/metrics-server/deployment.yaml b/config/metrics-server/deployment.yaml
index 26075f3305c..986f676c62f 100644
--- a/config/metrics-server/deployment.yaml
+++ b/config/metrics-server/deployment.yaml
@@ -19,6 +19,11 @@ spec:
 app: keda-metrics-apiserver
 name: keda-metrics-apiserver
 spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ runAsNonRoot: true
 serviceAccountName: keda-operator
 containers:
 - name: keda-metrics-apiserver
@@ -61,6 +66,13 @@ spec:
 volumeMounts:
 - mountPath: /tmp
 name: temp-vol
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ ## Metrics server needs to write the self-signed cert so it's not possible set this
+ # readOnlyRootFilesystem: true
 nodeSelector:
 kubernetes.io/os: linux
 volumes:
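Review bot: `readOnlyRootFilesystem` is left commented out in the second deployment.yaml hunk because the metrics server writes its self-signed certificate, which leaves the entire root filesystem writable rather than only the certificate directory. The same hunk already mounts a volume `temp-vol` at `/tmp` (its definition is outside the hunk), so the usual remedy is to back the certificate directory with a second volume and keep `readOnlyRootFilesystem: true`; the certificate path is not visible in this diff, so it is a placeholder below. The double-hash comment would also read better as `# Metrics server writes its self-signed cert to the root filesystem, so readOnlyRootFilesystem stays off until that path is backed by a volume`. The container's `volumeMounts` and the pod's `volumes` lists continue outside the hunk.
```yaml
        volumeMounts:
        - mountPath: /tmp
          name: temp-vol
        - mountPath: <CERT_DIR>  # placeholder: directory the self-signed cert is written to
          name: cert-vol
        securityContext:
          # … unchanged: capabilities / allowPrivilegeEscalation …
          readOnlyRootFilesystem: true
      # … unchanged: nodeSelector …
      volumes:
      # … unchanged: existing temp-vol entry …
      - name: cert-vol
        emptyDir: {}
```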