From 36b5c1b3254f7c62a79e2032a83ad63e6225b9f7 Mon Sep 17 00:00:00 2001
From: Jorge Turrado
Date: Tue, 26 Apr 2022 22:55:12 +0200
Subject: [PATCH 1/5] use safe values for securityContext as default

Signed-off-by: Jorge Turrado
---
 keda/values.yaml | 44 +++++++++++++++++++++++---------------------
 1 file changed, 23 insertions(+), 21 deletions(-)

diff --git a/keda/values.yaml b/keda/values.yaml
index 7652af7c..31f363c2 100644
--- a/keda/values.yaml
+++ b/keda/values.yaml
@@ -106,29 +106,31 @@ logging:
 level: 0
 
 podSecurityContext:
- {}
- # operator:
- # fsGroup: 2000
- # metricServer:
- # fsGroup: 2000
+ operator:
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ metricServer:
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ ## Metrics server needs to write the self-signed cert so it's not possible set this
+ # readOnlyRootFilesystem: true
 
 securityContext:
- {}
- # operator:
- # capabilities:
- # drop:
- # - ALL
- # allowPrivilegeEscalation: false
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
- # metricServer:
- # capabilities:
- # drop:
- # - ALL
- # allowPrivilegeEscalation: false
- # runAsNonRoot: true
- # runAsUser: 1000
+ operator:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ metricServer:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
 
 service:
 type: ClusterIP

From 5e97b36386f3318645401408a065331134f24e1e Mon Sep 17 00:00:00 2001
From: Jorge Turrado
Date: Tue, 26 Apr 2022 23:02:37 +0200
Subject: [PATCH 2/5] partial doc update

Signed-off-by: Jorge Turrado
---
 keda/README.md | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/keda/README.md b/keda/README.md
index 188266bd..8bbbf73a 100644
--- a/keda/README.md
+++ b/keda/README.md
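Review bot: The new defaults put `capabilities.drop`, `allowPrivilegeEscalation` and `readOnlyRootFilesystem` under `podSecurityContext` and `fsGroup` under `securityContext`, which is the reverse of the Kubernetes API: the first three exist only on a container's securityContext and `fsGroup` only on the pod-level context, exactly as the removed commented examples in this hunk had them. The templates are swapped later in this series so the result renders, but the value names then contradict the README rows that still describe `securityContext` as the container context and `podSecurityContext` as the pod context, and an existing values file written against the old layout (for example `securityContext.operator.capabilities`) would be rendered at pod level, where that field is invalid. Keeping each field under the context it belongs to, `capabilities`/`allowPrivilegeEscalation`/`readOnlyRootFilesystem` under `securityContext` and `fsGroup` under `podSecurityContext`, and leaving the templates untouched avoids both problems. For a Pod Security Standards restricted baseline, `seccompProfile:` with `type: RuntimeDefault` is worth adding next to the dropped capabilities.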
@@ -89,12 +89,12 @@ their default values.
 | `logging.operator.format` | Logging format for KEDA Operator. Allowed values are 'console' & 'json'. | `console` |
 | `logging.operator.timeFormat` | Logging time format for KEDA Operator. Allowed values are 'epoch', 'millis', 'nano', or 'iso8601'. | `epoch` |
 | `logging.metricServer.level` | Logging level for Metrics Server.Policy to use to pull Docker images. Allowed values are '0' for info, '4' for debug, or an integer value greater than 0, specified as string | `0` |
-| `securityContext` | Security context for all containers ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | `{}` |
-| `securityContext.operator` | Security context of the operator container ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | `` |
-| `securityContext.metricServer` | Security context of the metricServer container ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | `` |
-| `podSecurityContext` | Pod security context for all pods ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `{}` |
-| `podSecurityContext.operator` | Pod security context of the KEDA operator pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `` |
-| `podSecurityContext.metricServer` | Pod security context of the KEDA metrics apiserver pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | `` |
+| `securityContext` | Security context for all containers ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | [See below](#securityContext-default-configuration) |
+| `securityContext.operator` | Security context of the operator container ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | [See below](#securityContext-default-configuration) |
+| `securityContext.metricServer` | Security context of the metricServer container ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | [See below](#securityContext-default-configuration) |
+| `podSecurityContext` | Pod security context for all pods ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | [See below](#securityContext-default-configuration) |
+| `podSecurityContext.operator` | Pod security context of the KEDA operator pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | [See below](#securityContext-default-configuration) |
+| `podSecurityContext.metricServer` | Pod security context of the KEDA metrics apiserver pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | [See below](#securityContext-default-configuration) |
 | `resources` | Manage resource request & limits of all KEDA workloads ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `{}` |
 | `resources.operator` | Manage resource request & limits of KEDA operator pod ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `` |
 | `resources.metricServer` | Manage resource request & limits of KEDA metrics apiserver pod ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `` |
@@ -152,3 +152,10 @@ be provided while installing the chart. For example,
 ```console
 helm install keda kedacore/keda --namespace keda -f values.yaml
 ```
+
+## securityContext default configuration
+
+KEDA's default configuration tries to be safest as possible, that's why the configuration is safe as default using these values:
+```yaml
+
+```
\ No newline at end of file

From 53e886f13a4e44b24d6a7a1b96711a79bc95d394 Mon Sep 17 00:00:00 2001
From: Jorge Turrado
Date: Tue, 26 Apr 2022 23:07:25 +0200
Subject: [PATCH 3/5] fix typo in securityContexts

Signed-off-by: Jorge Turrado
---
 keda/templates/12-keda-deployment.yaml | 12 ++++++------
 keda/templates/22-metrics-deployment.yaml | 12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/keda/templates/12-keda-deployment.yaml b/keda/templates/12-keda-deployment.yaml
index d7f90a24..aa4dd15c 100644
--- a/keda/templates/12-keda-deployment.yaml
+++ b/keda/templates/12-keda-deployment.yaml
@@ -40,18 +40,18 @@ spec:
 {{- end }}
 serviceAccountName: {{ .Values.serviceAccount.name }}
 securityContext:
- {{- if .Values.podSecurityContext.operator }}
- {{- toYaml .Values.podSecurityContext.operator | nindent 8 }}
+ {{- if .Values.securityContext.operator }}
+ {{- toYaml .Values.securityContext.operator | nindent 8 }}
 {{- else }}
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- toYaml .Values.securityContext | nindent 8 }}
 {{- end }}
 containers:
 - name: {{ .Values.operator.name }}
 securityContext:
- {{- if .Values.securityContext.operator }}
- {{- toYaml .Values.securityContext.operator | nindent 12 }}
+ {{- if .Values.podSecurityContext.operator }}
+ {{- toYaml .Values.podSecurityContext.operator | nindent 12 }}
 {{- else }}
- {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- toYaml .Values.podSecurityContext | nindent 12 }}
 {{- end }}
 image: "{{ .Values.image.keda.repository }}:{{ .Values.image.keda.tag | default .Chart.AppVersion }}"
 command:
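Review bot: Routing `.Values.securityContext` into the pod-level `securityContext` and `.Values.podSecurityContext` into the container's inverts what these value names meant before this series; the removed lines had the natural mapping, and the README rows in this same series still describe `securityContext` as the container context and `podSecurityContext` as the pod context. A user whose values file sets `securityContext.operator.capabilities`, as the chart's old commented example showed, now gets that map rendered at pod level, where `capabilities` is not a valid field, so the Deployment is rejected by the API server. The commit title calls this a typo fix, but it is a behavior change for existing overrides; the smaller fix is to leave these template lines as they were and move the new defaults in `values.yaml` under the keys whose context they belong to. The same swap appears in the `22-metrics-deployment.yaml` hunk that follows. The enclosing `spec:` block starts before and ends after this hunk.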
diff --git a/keda/templates/22-metrics-deployment.yaml b/keda/templates/22-metrics-deployment.yaml
index 966c97b5..0b39e9e2 100644
--- a/keda/templates/22-metrics-deployment.yaml
+++ b/keda/templates/22-metrics-deployment.yaml
@@ -43,18 +43,18 @@ spec:
 {{- end }}
 serviceAccountName: {{ .Values.serviceAccount.name }}
 securityContext:
- {{- if .Values.podSecurityContext.metricServer }}
- {{- toYaml .Values.podSecurityContext.metricServer | nindent 8 }}
+ {{- if .Values.securityContext.metricServer }}
+ {{- toYaml .Values.securityContext.metricServer | nindent 8 }}
 {{- else }}
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- toYaml .Values.securityContext | nindent 8 }}
 {{- end }}
 containers:
 - name: {{ .Values.operator.name }}-metrics-apiserver
 securityContext:
- {{- if .Values.securityContext.metricServer }}
- {{- toYaml .Values.securityContext.metricServer | nindent 12 }}
+ {{- if .Values.podSecurityContext.metricServer }}
+ {{- toYaml .Values.podSecurityContext.metricServer | nindent 12 }}
 {{- else }}
- {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- toYaml .Values.podSecurityContext | nindent 12 }}
 {{- end }}
 image: "{{ .Values.image.metricsApiServer.repository }}:{{ .Values.image.metricsApiServer.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}

From 63a812c8e548ec9f58b2a5dd5e273bc29af8c6ed Mon Sep 17 00:00:00 2001
From: Jorge Turrado
Date: Tue, 26 Apr 2022 23:09:07 +0200
Subject: [PATCH 4/5] update docs

Signed-off-by: Jorge Turrado
---
 keda/README.md | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/keda/README.md b/keda/README.md
index 8bbbf73a..da1482ba 100644
--- a/keda/README.md
+++ b/keda/README.md
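Review bot: The `{{- else }}` fallbacks in both securityContext blocks render the whole `.Values.securityContext` / `.Values.podSecurityContext` map, which after the values change in this series always carries `operator:` and `metricServer:` sub-keys, so the fallback can no longer produce a valid context: a user who sets `securityContext.metricServer: {}` to opt out of the defaults gets `operator:` emitted as a field of the pod securityContext. Either drop the fallback branches or make them emit an explicit empty map, e.g. `{{- else }}` followed by `{}` at the same indent, so the rendered field stays valid. The same fallback pattern is in the `12-keda-deployment.yaml` hunk above. Separately, the values comment says the metrics server cannot use `readOnlyRootFilesystem` because it writes its self-signed cert; mounting an `emptyDir` volume at that cert directory (path not visible here) in this template would let the read-only root filesystem be enabled for this container as well. The enclosing `spec:` block starts before and ends after this hunk.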
@@ -157,5 +157,30 @@ helm install keda kedacore/keda --namespace keda -f values.yaml
 
 KEDA's default configuration tries to be safest as possible, that's why the configuration is safe as default using these values:
 ```yaml
-
+podSecurityContext:
+ operator:
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ metricServer:
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ ## Metrics server needs to write the self-signed cert so it's not possible set this
+ # readOnlyRootFilesystem: true
+
+securityContext:
+ operator:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ metricServer:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
 ```
\ No newline at end of file

From c6b36a755cd3de3d43e9cd76cf770e85b40b0513 Mon Sep 17 00:00:00 2001
From: Jorge Turrado
Date: Fri, 29 Apr 2022 09:17:27 +0200
Subject: [PATCH 5/5] apply feedback

Signed-off-by: Jorge Turrado
---
 keda/README.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/keda/README.md b/keda/README.md
index da1482ba..03ccb3fb 100644
--- a/keda/README.md
+++ b/keda/README.md
@@ -89,12 +89,12 @@ their default values.
 | `logging.operator.format` | Logging format for KEDA Operator. Allowed values are 'console' & 'json'. | `console` |
 | `logging.operator.timeFormat` | Logging time format for KEDA Operator. Allowed values are 'epoch', 'millis', 'nano', or 'iso8601'. | `epoch` |
 | `logging.metricServer.level` | Logging level for Metrics Server.Policy to use to pull Docker images. Allowed values are '0' for info, '4' for debug, or an integer value greater than 0, specified as string | `0` |
-| `securityContext` | Security context for all containers ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | [See below](#securityContext-default-configuration) |
-| `securityContext.operator` | Security context of the operator container ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | [See below](#securityContext-default-configuration) |
-| `securityContext.metricServer` | Security context of the metricServer container ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | [See below](#securityContext-default-configuration) |
-| `podSecurityContext` | Pod security context for all pods ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | [See below](#securityContext-default-configuration) |
-| `podSecurityContext.operator` | Pod security context of the KEDA operator pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | [See below](#securityContext-default-configuration) |
-| `podSecurityContext.metricServer` | Pod security context of the KEDA metrics apiserver pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | [See below](#securityContext-default-configuration) |
+| `securityContext` | Security context for all containers ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | [See below](#KEDA-is-secure-by-default) |
+| `securityContext.operator` | Security context of the operator container ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | [See below](#KEDA-is-secure-by-default) |
+| `securityContext.metricServer` | Security context of the metricServer container ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)) | [See below](#KEDA-is-secure-by-default) |
+| `podSecurityContext` | Pod security context for all pods ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | [See below](#KEDA-is-secure-by-default) |
+| `podSecurityContext.operator` | Pod security context of the KEDA operator pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | [See below](#KEDA-is-secure-by-default) |
+| `podSecurityContext.metricServer` | Pod security context of the KEDA metrics apiserver pod ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)) | [See below](#KEDA-is-secure-by-default) |
 | `resources` | Manage resource request & limits of all KEDA workloads ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `{}` |
 | `resources.operator` | Manage resource request & limits of KEDA operator pod ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `` |
 | `resources.metricServer` | Manage resource request & limits of KEDA metrics apiserver pod ([docs](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)) | `` |
@@ -153,9 +153,9 @@ be provided while installing the chart. For example,
 helm install keda kedacore/keda --namespace keda -f values.yaml
 ```
 
-## securityContext default configuration
+## KEDA is secure by default
 
-KEDA's default configuration tries to be safest as possible, that's why the configuration is safe as default using these values:
+Our default configuration strives to be as secure as possible. Because of that, KEDA will run as non-root and be secure-by-default:
 ```yaml
 podSecurityContext:
 operator: