From 9f2f68c35215d233ec79041da3da14d98c8122f3 Mon Sep 17 00:00:00 2001
From: Anson
Date: Mon, 18 May 2026 08:01:57 +0000
Subject: [PATCH] add operator pod security hardening and health probes
Signed-off-by: Anson
---
 .../templates/fluent-operator-deployment.yaml | 8 ++++
 charts/fluent-operator/values.yaml | 39 ++++++++++++++++++-
 2 files changed, 45 insertions(+), 2 deletions(-)
diff --git a/charts/fluent-operator/templates/fluent-operator-deployment.yaml b/charts/fluent-operator/templates/fluent-operator-deployment.yaml
index 7b7965beb..6089a2fd1 100644
--- a/charts/fluent-operator/templates/fluent-operator-deployment.yaml
+++ b/charts/fluent-operator/templates/fluent-operator-deployment.yaml
@@ -55,6 +55,14 @@ spec:
 {{- with .Values.operator.disableComponentControllers }}
 - --disable-component-controllers={{ . }}
 {{- end }}
+ {{- with .Values.operator.livenessProbe }}
+ livenessProbe:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ {{- with .Values.operator.readinessProbe }}
+ readinessProbe:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
 volumeMounts:
 - name: env
 mountPath: /fluent-operator
diff --git a/charts/fluent-operator/values.yaml b/charts/fluent-operator/values.yaml
index 89bec449c..6606077ab 100644
--- a/charts/fluent-operator/values.yaml
+++ b/charts/fluent-operator/values.yaml
@@ -34,7 +34,13 @@ operator:
 priorityClassName: ""
 # -- Pod security context for Fluent Operator
 # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
- podSecurityContext: {}
+ podSecurityContext:
+ runAsNonRoot: true
+ runAsUser: 65532
+ runAsGroup: 65532
+ fsGroup: 65532
+ seccompProfile:
+ type: RuntimeDefault
 rbac:
 # -- Specifies whether to create the ClusterRole and ClusterRoleBinding
 create: true
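Review bot: The two new `with` blocks render whatever probe the user supplies, but nothing in this container spec ties the probe port to the address the operator actually serves health endpoints on: the visible args pass `--disable-component-controllers` only, and no `containerPort` is declared for the probe port. If the operator's default health-probe address differs from the `8081` that values.yaml now sets, the liveness probe fails after `failureThreshold` and restarts the operator in a loop, a self-inflicted outage of the cluster's log pipeline. I would derive the flag from the same value next to the existing args, along the lines of `- --health-probe-bind-address=:{{ .Values.operator.livenessProbe.httpGet.port | default 8081 }}`, after confirming the flag name the operator binary accepts. The args list and the container's indentation both start outside this hunk, so the fixed `nindent 10` also deserves a comment such as `# nindent 10 assumes the probes sit directly under the operator container` so a later re-nesting does not silently produce invalid YAML.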
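Review bot: Replacing `podSecurityContext: {}` with populated defaults changes the override contract and the comment above the block should say so: Helm deep-merges values maps, so a user who previously set `podSecurityContext: {}` or only `fsGroup` now silently inherits `runAsUser: 65532` and the other keys, and the only way to unset a field is to null it per key. That matters when the operator image is rebuilt on a base whose non-root user is not UID 65532, since `runAsNonRoot: true` combined with a mismatched `runAsUser` can leave the process unable to read files the image owns under a different UID. I would extend the comment to `# Defaults assume a non-root image user (UID/GID 65532); for another image set the field to null, an empty map does not clear merged defaults.`. The next hunk repeats `runAsNonRoot`, `runAsUser`, `runAsGroup` and `seccompProfile` at container level, where they take precedence over these pod-level values, so either keep the two copies in sync or drop the duplication to avoid drift.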
@@ -48,7 +54,36 @@ operator:
 additionalRules: []
 # -- Container security context for Fluent Operator container
 # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
- securityContext: {}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65532
+ runAsGroup: 65532
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ # -- Liveness probe for Fluent Operator
+ # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ timeoutSeconds: 5
+ failureThreshold: 3
+ # -- Readiness probe for Fluent Operator
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 3
 # -- Fluent Operator resource requests and limits
 resources:
 limits:
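Review bot: `readOnlyRootFilesystem: true` becomes the default here, yet the only volume the deployment hunk mounts is `env` at `/fluent-operator`, so any other path the operator writes at runtime (a scratch `/tmp`, a cache or plugin directory) now fails with EROFS after rollout rather than at install time. Please confirm the operator writes nothing outside that mount, or pair this with an `emptyDir` for `/tmp`; the chart's volumes list is outside this patch, so I cannot tell from here. The probes also hard-code port `8081` and the `/healthz` and `/readyz` paths without saying what they must agree with; a comment above `livenessProbe` such as `# Port and paths must match the operator's health-probe bind address; change both together.` would stop a values-only edit from turning the liveness probe into a restart loop.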