From b95b21231acc26ebde26da6b562f92c6f3aae5c8 Mon Sep 17 00:00:00 2001
From: Erkan Erol
Date: Thu, 24 Aug 2023 15:49:47 +0100
Subject: [PATCH] Fix issues reported by kyverno policies (#35)

---
 CHANGELOG.md                                 | 1 +
 helm/cluster-api-cleaner-vsphere/values.yaml | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 23d1fa4..0b94823 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - Ignore CVE-2023-3978 & CVE-2023-29401.
+- Fix security issues reported by kyverno policies.
 ## [0.1.0] - 2023-05-09
diff --git a/helm/cluster-api-cleaner-vsphere/values.yaml b/helm/cluster-api-cleaner-vsphere/values.yaml
index 89c1209..3c88fe2 100644
--- a/helm/cluster-api-cleaner-vsphere/values.yaml
+++ b/helm/cluster-api-cleaner-vsphere/values.yaml
@@ -17,10 +17,15 @@ pod:
   # Add seccomp to pod security context
   podSecurityContext:
+    runAsNonRoot: true
     seccompProfile:
       type: RuntimeDefault
   # Add seccomp to container security context
   securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
     seccompProfile:
       type: RuntimeDefault
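Review bot: `runAsNonRoot: true` added under `podSecurityContext` is checked by the kubelet at container start, so unless the image declares a numeric non-root `USER` or this stanza also sets `runAsUser`/`runAsGroup`, the pod will fail with CreateContainerConfigError rather than run with less privilege; please confirm the image's user or add `runAsUser: <non-root uid>` and `runAsGroup: <gid>` next to it. The two comments `# Add seccomp to pod security context` and `# Add seccomp to container security context` are now stale because each stanza carries more than seccomp; consider `# Pod-level hardening: non-root user and default seccomp profile` and `# Container-level hardening: no privilege escalation, all capabilities dropped, default seccomp profile`. `readOnlyRootFilesystem` is not set here, and if the policy set in force includes that rule the chart will still be flagged; that depends on which kyverno policies are applied, which the diff does not show. The `pod:` mapping begins before this hunk.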