From 7f07bf2c9e1951b0b3fd52969fe03b3df5b3ea48 Mon Sep 17 00:00:00 2001
From: friedrich goerz
Date: Tue, 7 Jun 2022 21:58:30 +0200
Subject: [PATCH] MOB-148: rollback to enforcing resticted level + fixing PodSec problems

---
 config/kustomize/base/resources/deployment.yaml | 8 ++++----
 config/kustomize/base/resources/namespace.yaml | 4 +---
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/config/kustomize/base/resources/deployment.yaml b/config/kustomize/base/resources/deployment.yaml
index 6a26076..397b376 100644
--- a/config/kustomize/base/resources/deployment.yaml
+++ b/config/kustomize/base/resources/deployment.yaml
@@ -14,10 +14,8 @@ spec:
         app: keycloak
     spec:
       securityContext:
-        allowPrivilegeEscalation: false
+        runAsUser: 2000
         runAsNonRoot: true
-        capabilities:
-          drop: ["ALL"]
         seccompProfile:
           type: RuntimeDefault
       containers:
@@ -25,7 +23,9 @@ spec:
         image: staged-harbor-01.smardigo.digital/smardigo/keycloak:14.0.0.1
         imagePullPolicy: IfNotPresent
         securityContext:
-          runAsUser: 2000
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
         ports:
         - name: app-port
           containerPort: 8080
diff --git a/config/kustomize/base/resources/namespace.yaml b/config/kustomize/base/resources/namespace.yaml
index 66b1233..7495a80 100644
--- a/config/kustomize/base/resources/namespace.yaml
+++ b/config/kustomize/base/resources/namespace.yaml
@@ -3,9 +3,7 @@ kind: Namespace
 metadata:
   labels:
     kubernetes.io/metadata.name: sma-ums
-    pod-security.kubernetes.io/enforce: baseline
-    pod-security.kubernetes.io/audit: restricted
-    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/enforce: restricted
   name: sma-ums
 spec:
   finalizers:
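Review bot: The pod-level `securityContext` now carries `runAsUser: 2000` while `allowPrivilegeEscalation` and `capabilities` move down to the container in the next hunk, but nothing in the manifest records why the fields are split, so a later cleanup could move them back and re-break admission. Add a comment above the pod-level block, `# allowPrivilegeEscalation and capabilities are container-only fields; runAsUser/runAsNonRoot/seccompProfile set here are inherited by every container`. The hard-coded UID 2000 presumably matches the non-root user baked into the keycloak image; if the image does not own its writable directories under that UID the pod will pass admission but fail at runtime, so this is worth confirming against the image. If any volumes are mounted outside the hunk, `runAsGroup`/`fsGroup` should be set alongside it so mounted paths are writable by the same identity.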
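Review bot: `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]` are added only to the `keycloak` container visible in this hunk, but the restricted profile evaluates every container in the pod, so any `initContainers` or sidecars defined outside the hunk need the same two fields or admission will still reject the pod. The containers list begins and ends outside the hunk, so this cannot be confirmed from the diff. Separately, the context line pins `image:` to the mutable tag `14.0.0.1` together with `imagePullPolicy: IfNotPresent`, so a re-pushed tag is neither detected nor re-pulled on nodes that already cached it; referencing the image by digest (`image: <registry>/smardigo/keycloak@sha256:<digest>`, digest to be filled in) or using `Always` makes the deployed artifact deterministic.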
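Review bot: Dropping the `audit` and `warn` labels leaves `enforce` as the only Pod Security mode on `sma-ums`, and enforce acts only on Pod objects: a non-compliant Deployment is accepted by `kubectl apply` and then fails silently when its ReplicaSet tries to create pods. Keep `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` next to the enforce label so the violation surfaces as a client warning at apply time and in the audit log. The profile is also unpinned: `pod-security.kubernetes.io/enforce-version` defaults to `latest`, so the set of restricted checks can change on a cluster upgrade and start rejecting this deployment without any manifest change; pinning it to the cluster's current minor version makes that behaviour explicit.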