From 96c293b6f4db8cfda68531d7a5179fa8ff1948c1 Mon Sep 17 00:00:00 2001
From: Pat Riehecky <riehecky@fnal.gov>
Date: Fri, 2 May 2025 12:06:15 -0500
Subject: [PATCH] Set values to match pss-restricted by default

Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
---
 charts/kafka-ui/Chart.yaml  |  2 +-
 charts/kafka-ui/values.yaml | 20 +++++++++++---------
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/charts/kafka-ui/Chart.yaml b/charts/kafka-ui/Chart.yaml
index ec00581..f10d084 100644
--- a/charts/kafka-ui/Chart.yaml
+++ b/charts/kafka-ui/Chart.yaml
@@ -2,6 +2,6 @@ apiVersion: v2
 name: kafka-ui
 description: A Helm chart for kafka-UI
 type: application
-version: 1.5.0
+version: 1.6.0
 appVersion: v1.2.0
 icon: https://raw.githubusercontent.com/kafbat/kafka-ui/main/documentation/images/logo_new.png
diff --git a/charts/kafka-ui/values.yaml b/charts/kafka-ui/values.yaml
index 077f6fd..d6be607 100644
--- a/charts/kafka-ui/values.yaml
+++ b/charts/kafka-ui/values.yaml
@@ -170,17 +170,19 @@ probes:
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param podSecurityContext [object] The security settings that you specify for a Pod apply to all Containers in the Pod
 podSecurityContext:
-  {}
-  # fsGroup: 2000
+   fsGroup: 2000
 ## @param securityContext [object] The security settings that you specify for a Kafka-UI container
 securityContext:
-  {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: false # https://github.com/kafbat/kafka-ui/issues/78
+  runAsGroup: 2000
+  runAsNonRoot: true
+  runAsUser: 1000
+  seccompProfile:
+    type: RuntimeDefault
 
 ## @section Traffic Exposure Parameters
 ## Kafka-UI service parameters