From 725dc5518d80969b014700e528171dc859fa2075 Mon Sep 17 00:00:00 2001
From: Vasyl Saienko
Date: Wed, 1 Jan 2025 11:33:22 +0000
Subject: [PATCH] [memcached] Allign with security best practices

* Add runAsNonRoot directive
* Drop all capabilities
* Mount bianries with 550 and 65534 fsgroup

Change-Id: I0636088b40ce8ebaef84dad017ddbcaaecfc8221
---
 memcached/templates/statefulset.yaml | 2 +-
 memcached/values.yaml | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/memcached/templates/statefulset.yaml b/memcached/templates/statefulset.yaml
index 6d4c4f44da..77692d1bb4 100644
--- a/memcached/templates/statefulset.yaml
+++ b/memcached/templates/statefulset.yaml
@@ -132,6 +132,6 @@ spec:
 - name: memcached-bin
 configMap:
 name: {{ $configMapBinName | quote }}
- defaultMode: 0555
+ defaultMode: 360
 {{ dict "envAll" $envAll "component" "memcached" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" | indent 8 }}
 {{- end }}
diff --git a/memcached/values.yaml b/memcached/values.yaml
index 895a6b69ac..41fcb50865 100644
--- a/memcached/values.yaml
+++ b/memcached/values.yaml
@@ -150,13 +150,21 @@ pod:
 server:
 pod:
 runAsUser: 65534
+ runAsNonRoot: true
+ fsGroup: 65534
 container:
 memcached:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
 memcached_exporter:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
 probes:
 memcached:
 memcached:
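Review bot: The new `defaultMode: 360` in statefulset.yaml reads as an arbitrary integer at the point of use; it is octal 0550 written in decimal (presumably to avoid YAML parsers that read a leading-zero literal as decimal 550, which is not a valid mode), and dropping the "other" bits means the scripts in the memcached-bin volume are only reachable through the group ownership that `fsGroup` in values.yaml establishes. Neither fact is visible here, so an operator who overrides the server pod security context without `fsGroup: 65534`, or runs as a different uid, gets a pod whose start script is unreadable, and the failure surfaces far from this line. I would add a comment above it: `# 0550 in decimal: owner/group r-x, no world access; relies on pod.security_context fsGroup (65534) for the memcached user to read the scripts`. The enclosing `volumes:` list starts outside the hunk.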
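Review bot: The hardened pod context in values.yaml still has no seccomp profile; with `runAsNonRoot`, `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` now in place, `seccompProfile: type: RuntimeDefault` is the remaining item of the Pod Security Standards restricted profile, and its absence is what an admission check on a restricted namespace would flag. Whether the helm-toolkit security-context snippet renders this key unchanged is not visible from the hunk, so that needs confirming before adding `seccompProfile:` / `  type: RuntimeDefault` next to `fsGroup` under `pod:`. A smaller point on the same block: `runAsGroup` is left unset, so the process's primary gid stays whatever the image defines; setting it to 65534 alongside `fsGroup` would make the intended identity explicit rather than implied by the volume ownership. The enclosing mapping under `pod:` begins outside the hunk.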