script/helm/garage/templates/workload.yaml

@@ -41,6 +41,8 @@ spec:
                 secretKeyRef:
                   name: {{ include "garage.rpcSecretName" . }}
                   key: rpcSecret
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
           volumeMounts:
             - name: configmap
               mountPath: /mnt/garage.toml

script/helm/garage/values.yaml

@@ -92,18 +92,19 @@ serviceAccount:
 
 podAnnotations: {}
 
-podSecurityContext: {}
-  # fsGroup: 2000
+podSecurityContext:
+  runAsUser: 1000
+  runAsGroup: 1000
+  fsGroup: 1000
+  runAsNonRoot: true
 
 securityContext:
   # The default security context is heavily restricted
   # feel free to tune it to your requirements
   capabilities:
     drop:
-    - ALL
+      - ALL
   readOnlyRootFilesystem: true
-  runAsNonRoot: true
-  runAsUser: 1000
 
 service:
   # You can rely on any service to expose your cluster