UPSTREAM: <carry>: (aws) Make workload pod explicity unprivileged

chiragkyal · chiragkyal · commit 3e6bc69c0d17 · 2025-07-28T18:37:57.000+05:30
Signed-off-by: chiragkyal &lt;ckyal@redhat.com&gt;
diff --git a/test/bats/tests/aws/BasicTestMount.yaml b/test/bats/tests/aws/BasicTestMount.yaml
@@ -4,13 +4,29 @@ metadata:
   name: basic-test-mount
 spec:
   serviceAccountName: basic-test-mount-sa
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 3000
+    fsGroup: 2000
+    seccompProfile:
+      type: RuntimeDefault
   containers:
   - image: registry.k8s.io/e2e-test-images/busybox:1.29-4
     name: busybox
     imagePullPolicy: IfNotPresent
     command:
     - "/bin/sleep"
     - "10000"
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+      runAsNonRoot: true
+      runAsUser: 1000
+      seccompProfile:
+        type: RuntimeDefault
     volumeMounts:
     - name: secrets-store-inline
       mountPath: "/mnt/secrets-store"
