From 8067e521906fde98d296ddd31fe6c204afa720a1 Mon Sep 17 00:00:00 2001
From: Derrick DaCosta
Date: Tue, 29 Oct 2024 11:07:30 -0400
Subject: [PATCH] remove Mend PR checks since we migrated to Snyk, add security context to helm chart deployment
---
 .github/workflows/pr-prechecks.yml | 9 ---------
 CHANGELOG.md | 4 ++++
 helm/fishymetrics/Chart.yaml | 2 +-
 helm/fishymetrics/templates/deployment.yaml | 9 +++++++++
 4 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/pr-prechecks.yml b/.github/workflows/pr-prechecks.yml
index b66f5e5..6f56956 100644
--- a/.github/workflows/pr-prechecks.yml
+++ b/.github/workflows/pr-prechecks.yml
@@ -25,15 +25,6 @@ jobs:
 - name: Run go test
 run: make test
- - name: Run Whitesource/Mend scan
- run: |
- curl -LJO https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar
- export WS_CHECHKPOLICIES=true
- export WS_FORCECHECKALLDEPENDENCIES=true
- export WS_FORCEUPDATE=true
- export WS_UPDATEINVENTORY=true
- java -jar wss-unified-agent.jar -apiKey ${{ secrets.MEND_API_KEY }} -product ${{ secrets.MEND_PRODUCT_NAME }} -project WS-fishymetrics
-
 build:
 runs-on: ubuntu-latest
 steps:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 867eff2..d5eb045 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@ log is based on the [Keep a CHANGELOG](http://keepachangelog.com/) project.
 ## Unreleased
+## Updated
+
+- increase security context for kubernetes helm chart deployment [#102](https://github.com/Comcast/fishymetrics/issues/102)
+
 ## [0.12.1]
 ## Fixed
diff --git a/helm/fishymetrics/Chart.yaml b/helm/fishymetrics/Chart.yaml
index d7c446e..c7a61f9 100644
--- a/helm/fishymetrics/Chart.yaml
+++ b/helm/fishymetrics/Chart.yaml
@@ -7,4 +7,4 @@ maintainers:
 - email: ibrahimkk.moideen@gmail.com
 name: Ibrahim Khalilullah Khan
 name: fishymetrics
-version: 0.10.4
+version: 0.10.5
diff --git a/helm/fishymetrics/templates/deployment.yaml b/helm/fishymetrics/templates/deployment.yaml
index dc1b280..dfa9e71 100644
--- a/helm/fishymetrics/templates/deployment.yaml
+++ b/helm/fishymetrics/templates/deployment.yaml
@@ -48,6 +48,15 @@ spec:
 ports:
 - containerPort: {{ .Values.exporter.port }}
 name: exporter
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ capabilities:
+ drop:
+ - ALL
+ add: ["NET_BIND_SERVICE"]
 args:
 {{- if .Values.credentials }}
 - --credentials.profiles={{ toJson .Values.credentials }}
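Review bot: The new container securityContext stops one field short of the Pod Security Standards "restricted" profile, which also requires a seccomp profile; add `seccompProfile:` / `type: RuntimeDefault` next to `allowPrivilegeEscalation: false`. `runAsUser: 1000` and `add: ["NET_BIND_SERVICE"]` are hard-coded in the template, so an operator whose image runs as a different non-root UID, or who sets `.Values.exporter.port` above 1024 and has no use for the capability, cannot adjust them without forking the chart; consider rendering this block from a values mapping (with these settings as the documented default in values.yaml) via `toYaml`/`nindent`. Whether a capability added this way is usable by a non-root process can depend on the container runtime and on file capabilities set on the binary, so confirm NET_BIND_SERVICE is actually needed before keeping it. `readOnlyRootFilesystem: true` presumes the exporter writes nothing to its filesystem at runtime; if it needs scratch space, mount an emptyDir rather than relaxing the flag. The enclosing container spec continues outside the hunk.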