From dd2d2862be9f7f87f068df1e84bdd3f2248bccdc Mon Sep 17 00:00:00 2001 From: Pierre Ozoux Date: Thu, 8 Jan 2026 15:53:16 +0100 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92(helm)=20set=20default=20security?= =?UTF-8?q?=20context?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In order to be able to deploy this in a restricted k8s cluster, we set this default security context. We set it as default because it doesn't change the way the app runs. So it is better to be more secured by default. Signed-off-by: Pierre Ozoux Krebber --- CHANGELOG.md | 1 + src/helm/impress/values.yaml | 27 ++++++++++++++++++++++++--- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b31dad64..f19af445 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ and this project adheres to - ✨(backend) add documents/all endpoint with descendants #1553 - ✅(export) add PDF regression tests #1762 - 📝(docs) Add language configuration documentation #1757 +- 🔒(helm) Set default security context #1750 ### Fixed diff --git a/src/helm/impress/values.yaml b/src/helm/impress/values.yaml index 9595f4b8..8a5401fe 100644 --- a/src/helm/impress/values.yaml +++ b/src/helm/impress/values.yaml @@ -227,7 +227,14 @@ backend: backoffLimit: 2 ## @param backend.securityContext Configure backend Pod security context - securityContext: null + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault ## @param backend.envVars Configure backend container environment variables ## @extra backend.envVars.BY_VALUE Example environment variable by setting value directly 
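Review bot: The new `backend.securityContext` default mixes scopes: `allowPrivilegeEscalation` and `capabilities` exist only on a container's `securityContext`, while the `@param` line above still describes a "Pod security context". The template that consumes this value is not part of the patch, so the render location should be confirmed; if it is `spec.securityContext`, those two keys are not valid there. If it is rendered per container, the comment should say so, e.g. `## @param backend.securityContext Configure backend container security context`. The same wording is kept in the frontend and yProvider hunks, and the `backend:` mapping continues outside this hunk.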
@@ -431,7 +438,14 @@ frontend: sidecars: [] ## @param frontend.securityContext Configure frontend Pod security context - securityContext: null + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault ## @param frontend.envVars Configure frontend container environment variables ## @extra frontend.envVars.BY_VALUE Example environment variable by setting value directly @@ -603,7 +617,14 @@ yProvider: sidecars: [] ## @param yProvider.securityContext Configure yProvider Pod security context - securityContext: null + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault ## @param yProvider.envVars Configure yProvider container environment variables ## @extra yProvider.envVars.BY_VALUE Example environment variable by setting value directly
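Review bot: `runAsNonRoot: true` in the frontend default is set without a `runAsUser`, so the pod starts only if the image itself declares a numeric non-root user; otherwise the kubelet refuses to create the container. The commit message says the app runs unchanged, which presumably holds for the published images but cannot be checked from this patch and will not hold for every overridden image. A comment above the block would make the requirement visible, e.g. `## Requires an image with a numeric non-root USER; set runAsUser when overriding the image`. The backend and yProvider hunks have the same dependency.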
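Review bot: The upgrade effect of moving `yProvider.securityContext` from `null` to a mapping is undocumented: Helm deep-merges user-supplied maps into chart defaults, so an existing override no longer replaces the context but is combined with these five keys. An operator who needs to drop one of them now has to set that key to `null` explicitly. I would state this next to the parameter, e.g. `## Merged with user values; set a key to null to remove a default`, and mention it in the CHANGELOG entry. This applies equally to the backend and frontend hunks.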