From 93090adf7c5e1932599437265a0d31edf14f239d Mon Sep 17 00:00:00 2001
From: majinghe <42570491+majinghe@users.noreply.github.com>
Date: Thu, 13 Nov 2025 18:18:19 +0800
Subject: [PATCH] enhance security context part for k8s deployment (#850)
---
 helm/rustfs/templates/statefulset.yaml | 4 +++-
 helm/rustfs/values.yaml | 13 ++++++-------
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/helm/rustfs/templates/statefulset.yaml b/helm/rustfs/templates/statefulset.yaml
index 0b8cc4cb..78121615 100644
--- a/helm/rustfs/templates/statefulset.yaml
+++ b/helm/rustfs/templates/statefulset.yaml
@@ -52,8 +52,10 @@ spec:
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
 command: ["/usr/bin/rustfs"]
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if .Values.securityContext }}
 securityContext:
- runAsUser: 1000
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- end }}
 ports:
 - containerPort: {{ .Values.service.ep_port }}
 name: endpoint
diff --git a/helm/rustfs/values.yaml b/helm/rustfs/values.yaml
index 7b222021..68b18fd0 100644
--- a/helm/rustfs/values.yaml
+++ b/helm/rustfs/values.yaml
@@ -59,13 +59,12 @@ podSecurityContext:
 # fsGroup: 2000
 securityContext:
- {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
 service:
 type: NodePort
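Review bot: The new `{{- if .Values.securityContext }}` guard in the container spec makes the whole container securityContext optional, so a values override that nulls or empties `securityContext` renders a container with no `runAsUser` or `runAsNonRoot` at all, where the old template always pinned `runAsUser: 1000`. If that opt-out is intended, it should be stated next to the guard, for example `{{- /* container securityContext comes only from values.yaml; clearing it removes every hardening setting */ -}}`, and repeated in the chart's values documentation. The `nindent 12` value has to place the rendered keys one level below `securityContext:`; indentation is not recoverable from this view of the patch, so check it with `helm template`. The container spec starts and ends outside this hunk.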
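Review bot: The new `securityContext` defaults in values.yaml omit `allowPrivilegeEscalation: false` and a seccomp profile, so the container still falls short of the Kubernetes "restricted" Pod Security Standard even though all capabilities are dropped and `runAsNonRoot` is set. Adding `allowPrivilegeEscalation: false` and `seccompProfile:` with `type: RuntimeDefault` beneath it would close that gap. `readOnlyRootFilesystem: true` is now on by default, so any path the server writes outside its mounted volumes (temp files, logs) needs a volume or `emptyDir` mount; the volume mounts are not visible in this patch, so that should be confirmed against the statefulset. With `runAsUser: 1000` enabled and `fsGroup` still commented out under `podSecurityContext`, ownership of the data volumes is also worth verifying.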