remove Mend PR checks since we migrated to Snyk, add security context…

… to helm chart deployment

.github/workflows/pr-prechecks.yml

@@ -25,15 +25,6 @@ jobs:
       - name: Run go test
         run: make test
 
-      - name: Run Whitesource/Mend scan
-        run: |
-          curl -LJO https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar
-          export WS_CHECHKPOLICIES=true
-          export WS_FORCECHECKALLDEPENDENCIES=true
-          export WS_FORCEUPDATE=true
-          export WS_UPDATEINVENTORY=true
-          java -jar wss-unified-agent.jar -apiKey ${{ secrets.MEND_API_KEY }} -product ${{ secrets.MEND_PRODUCT_NAME }} -project WS-fishymetrics
-
   build:
     runs-on: ubuntu-latest
     steps:

CHANGELOG.md

@@ -6,6 +6,10 @@ log is based on the [Keep a CHANGELOG](http://keepachangelog.com/) project.
 
 ## Unreleased
 
+## Updated
+
+- increase security context for kubernetes helm chart deployment [#102](https://github.com/Comcast/fishymetrics/issues/102)
+
 ## [0.12.1]
 
 ## Fixed

helm/fishymetrics/Chart.yaml

@@ -7,4 +7,4 @@ maintainers:
   - email: [email protected]
     name: Ibrahim Khalilullah Khan
 name: fishymetrics
-version: 0.10.4
+version: 0.10.5

helm/fishymetrics/templates/deployment.yaml

@@ -48,6 +48,15 @@ spec:
           ports:
             - containerPort: {{ .Values.exporter.port }}
               name: exporter
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+            capabilities:
+              drop:
+                - ALL
+              add: ["NET_BIND_SERVICE"]
           args:
           {{- if .Values.credentials }}
             - --credentials.profiles={{ toJson .Values.credentials }}