WIP [v7.x] Make BRO compliant with security best practices

charts/rancher-backup/templates/deployment.yaml

@@ -24,6 +24,10 @@ spec:
         prometheus.io/scrape: "true"
         {{ end }}
     spec:
+      {{- if .Values.securityContext.runAsNonRoot }}
+      securityContext:
+        fsGroup: 1000
+      {{- end }}
       serviceAccountName: {{ include "backupRestore.serviceAccountName" . }}
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets:
@@ -36,6 +40,13 @@ spec:
       - name: {{ .Chart.Name }}
         image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
         imagePullPolicy: {{ default "Always" .Values.imagePullPolicy }}
+        securityContext:
+          allowPrivilegeEscalation: false
+        {{- if .Values.securityContext.runAsNonRoot }}
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 1000
+        {{- end }}
         ports:
         - containerPort: 8080
         args:

charts/rancher-backup/values.yaml

@@ -90,3 +90,9 @@ monitoring:
     additionalLabels: {}
     metricRelabelings: []
     relabelings: []
+
+securityContext:
+  ## When persisting backup files to a PVC of type HostPath, set securityContext.runAsNonRoot to false.
+  ## Only processes running as 'root' can write to HostPath PVCs so Backups will fail in that scenario if not running as 'root'.
+  ## However, this goes against Kubernetes security best practices and should be avoided whenever possible.
+  runAsNonRoot: true