Set strong securityContext by default

helm/oauth2-proxy/Chart.yaml

@@ -1,5 +1,5 @@
 name: oauth2-proxy
-version: 6.13.2
+version: 6.14.0
 apiVersion: v2
 appVersion: 7.4.0
 home: https://oauth2-proxy.github.io/oauth2-proxy/

helm/oauth2-proxy/README.md

@@ -174,8 +174,7 @@ Parameter | Description | Default
 `serviceAccount.name` | the service account name | ``
 `serviceAccount.annotations` | (optional) annotations for the service account | `{}`
 `tolerations` | list of node taints to tolerate | `[]`
-`securityContext.enabled` | enable Kubernetes security context on container | `false`
-`securityContext.runAsNonRoot` | make sure that the container runs as a non-root user | `true`
+`securityContext.enabled` | enable Kubernetes security context on container | `true`
 `proxyVarsAsSecrets` | choose between environment values or secrets for setting up OAUTH2_PROXY variables. When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true`
 `sessionStorage.type` | Session storage type which can be one of the following: cookie or redis | `cookie`
 `sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""`

helm/oauth2-proxy/values.yaml

@@ -235,10 +235,17 @@ readinessProbe:
 # Configure Kubernetes security context for container
 # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 securityContext:
-  enabled: false
+  enabled: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
   runAsNonRoot: true
-  # allowPrivilegeEscalation: false
-  # runAsUser: 2000
+  runAsUser: 2000
+  runAsGroup: 2000
+  seccompProfile:
+    type: RuntimeDefault
 
 deploymentAnnotations: {}
 podAnnotations: {}