From db34ae67b6a0dae5c910797a4469dbe52251da80 Mon Sep 17 00:00:00 2001
From: chgl
Date: Mon, 26 Apr 2021 22:12:45 +0200
Subject: [PATCH] fix: set securitycontext for server to something more secure

Signed-off-by: chgl
---
 .../argo-workflows/templates/server/server-deployment.yaml | 2 ++
 charts/argo-workflows/values.yaml                          | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/charts/argo-workflows/templates/server/server-deployment.yaml b/charts/argo-workflows/templates/server/server-deployment.yaml
index 07fa2af5..f5139a9f 100644
--- a/charts/argo-workflows/templates/server/server-deployment.yaml
+++ b/charts/argo-workflows/templates/server/server-deployment.yaml
@@ -32,6 +32,8 @@ spec:
         - name: argo-server
           image: "{{ .Values.server.image.registry }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.images.pullPolicy }}
+          securityContext:
+            {{- toYaml .Values.server.securityContext | nindent 12 }}
           args:
           - server
           - --configmap={{ .Release.Name }}-{{ .Values.controller.name }}-configmap
diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml
index d9bc7976..027fdf3e 100644
--- a/charts/argo-workflows/values.yaml
+++ b/charts/argo-workflows/values.yaml
@@ -172,6 +172,13 @@ server:
   podLabels: {}
   # SecurityContext to set on the server pods
   podSecurityContext: {}
+  securityContext:
+    readOnlyRootFilesystem: false
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
   name: server
   serviceType: ClusterIP
   servicePort: 2746
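Review bot: The new `securityContext:` key in server-deployment.yaml is emitted unconditionally, so a user who clears `server.securityContext` (for example to `{}` or an empty value) still gets a `securityContext:` entry rendered with `{}` or `null` as its body; that is valid YAML but it is noisier than necessary and differs from the usual Helm pattern of guarding optional blocks. Wrapping the two added lines as `{{- with .Values.server.securityContext }}` / `securityContext:` `{{- toYaml . | nindent 12 }}` / `{{- end }}` keeps the rendered manifest clean when the value is empty while producing identical output for the chart's default. I cannot see how `podSecurityContext` is rendered in this template, so whether that block uses a `with` guard is inferred, not confirmed; aligning the two would be worthwhile either way. The enclosing container spec starts and ends outside the hunk.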
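Review bot: The new `securityContext` block in values.yaml has no explanatory comment, unlike the adjacent `podSecurityContext` key which carries `# SecurityContext to set on the server pods`; add `# SecurityContext to set on the argo-server container` above it, and a why-comment on `readOnlyRootFilesystem: false` such as `# left writable: the server needs a writable filesystem (e.g. /tmp) — tighten if your image tolerates read-only`, since a commit titled "more secure" that deliberately keeps the root filesystem writable deserves a stated reason. Separately, `runAsNonRoot: true` without a `runAsUser` relies on the image declaring a numeric non-root `USER`; if the argo-server image does not (I cannot verify this from the hunk), the kubelet will refuse to start the container, so either document that requirement in the comment or consider setting `runAsUser` explicitly.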