From afd9b4cbecfbf908fadc429181a09cd5aec0f738 Mon Sep 17 00:00:00 2001
From: Alan Christie
Date: Thu, 20 Feb 2025 15:08:08 +0000
Subject: [PATCH] fix: Security context experiment
---
 roles/graph/templates/statefulset.yaml.j2 | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/roles/graph/templates/statefulset.yaml.j2 b/roles/graph/templates/statefulset.yaml.j2
index 2e797e3..42c9e16 100644
--- a/roles/graph/templates/statefulset.yaml.j2
+++ b/roles/graph/templates/statefulset.yaml.j2
@@ -17,8 +17,6 @@ spec:
 name: graph
 spec:
 serviceAccountName: {{ graph_sa }}
- securityContext:
- fsGroup: 2000
 {% if graph_node_affinity_value %}
 # We must have a 'core' node
@@ -94,6 +92,11 @@ spec:
 requests:
 cpu: 1000m
 memory: 1Gi
+ securityContext:
+ runAsUser: 7474
+ runAsGroup: 7474
+ fsGroup: 7474
+ allowPrivilegeEscalation: false
 volumeMounts:
 - mountPath: /data
 name: graph-volume
@@ -170,6 +173,11 @@ spec:
 requests:
 cpu: "{{ graph_core_request }}"
 memory: "{{ graph_mem_request_g }}Gi"
+ securityContext:
+ runAsUser: 7474
+ runAsGroup: 7474
+ fsGroup: 7474
+ allowPrivilegeEscalation: false
 volumeMounts:
 - mountPath: /data
 name: graph-volume
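Review bot: `fsGroup` is a pod-level field (`spec.template.spec.securityContext`) and is not part of a container's `securityContext`, which is where the block added at -94,6 appears to sit, since it lands between `resources` and `volumeMounts` (indentation is not visible here, so confirm against the file). Depending on how the manifest is validated, the API server will either reject it or drop the unknown field, and because the first hunk removes the pod-level `fsGroup: 2000`, the `/data` volume would then get no group-ownership change at all and may not be writable by UID 7474. Keep a pod-level `securityContext:` with `fsGroup: 7474` next to `serviceAccountName`, and leave only `runAsUser`, `runAsGroup` and `allowPrivilegeEscalation` on the containers. The same applies to the block added at -170,6.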
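Review bot: The container context added at -170,6 (and the identical one at -94,6) stops at `allowPrivilegeEscalation: false`, so nothing makes the kubelet refuse to start the container if a later edit or image change falls back to UID 0. Adding `runAsNonRoot: true` enforces that, and `capabilities: {drop: ["ALL"]}` plus `seccompProfile: {type: RuntimeDefault}` would complete the usual restricted baseline, provided the image still starts with them. The literal 7474 is repeated in both blocks while the neighbouring resource values in this hunk come from role variables; a single role variable for the UID/GID (name to be chosen by the author) would keep the two containers in step.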