From c3c9c0c555bf372d82ce7c1234115e5a7b83fbd4 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Thu, 6 Jun 2024 11:03:42 -0500
Subject: [PATCH] kitchen: Run as non-root user

The *kitchen* server service does not need to run as root or have any access to writable storage.
---
 kitchen/kitchen.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/kitchen/kitchen.yaml b/kitchen/kitchen.yaml
index 789b43d..d955e1e 100644
--- a/kitchen/kitchen.yaml
+++ b/kitchen/kitchen.yaml
@@ -42,11 +42,17 @@ spec:
 ports:
 - containerPort: 8000
 name: http
+securityContext:
+readOnlyRootFilesystem: true
 volumeMounts:
 - name: config
 mountPath: /kitchen.yaml
 subPath: config.yaml
 readOnly: true
+securityContext:
+runAsNonRoot: true
+runAsUser: 17402
+runAsGroup: 17402
 volumes:
 - name: config
 secret:
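Review bot: The container-level `securityContext` added after `name: http` sets only `readOnlyRootFilesystem`, which leaves privilege escalation, the default capability set and the seccomp profile untouched, so the pod still would not satisfy the Pod Security Standards "restricted" profile that the pod-level `runAsNonRoot`/`runAsUser`/`runAsGroup` block is otherwise aiming at. Adding `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `seccompProfile.type: RuntimeDefault` to that block completes the hardening without changing what the service can do. Since `readOnlyRootFilesystem: true` also covers `/tmp`, it is worth confirming the server writes no scratch files; if it does, an `emptyDir` mounted there is the usual fix rather than relaxing the flag. The surrounding container spec begins before this hunk.
```yaml
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: volumeMounts, pod-level securityContext, volumes …
```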