From 4bee540d9acd39c7805a5a22620c60f2ac902195 Mon Sep 17 00:00:00 2001
From: Andrew Moore <andrew.moore@digital.justice.gov.uk>
Date: Mon, 18 Nov 2024 16:14:44 +0000
Subject: [PATCH] feat: tidy up opensearch-backup job and script

---
 jobs/opensearch-backup/templates/job.yaml | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/jobs/opensearch-backup/templates/job.yaml b/jobs/opensearch-backup/templates/job.yaml
index 64013bd..bcb7bad 100644
--- a/jobs/opensearch-backup/templates/job.yaml
+++ b/jobs/opensearch-backup/templates/job.yaml
@@ -7,12 +7,6 @@ spec:
   template:
     spec:
       serviceAccountName: "{{ $.Values.opensearch.serviceAccountPrefix }}-{{ $.Values.opensearch.environment }}"
-      securityContext:
-        allowPrivilegeEscalation: false
-        privileged: false
-        readOnlyRootFilesystem: false
-        runAsNonRoot: true
-        runAsUser: 999
       containers:
         - name: opensearch-backup
           image: ghcr.io/ministryofjustice/hmpps-delius-alfresco-utils:latest
@@ -48,9 +42,20 @@ spec:
           volumeMounts:
             - name: script
               mountPath: /scripts
+          securityContext:
+            allowPrivilegeEscalation: false
+            privileged: false
+            readOnlyRootFilesystem: false
+            runAsNonRoot: true
+            runAsUser: 999
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
       volumes:
         - name: script
           configMap:
             name: opensearch-backup-script
             defaultMode: 0755
-      restartPolicy: Never
\ No newline at end of file
+      restartPolicy: Never