feat(node-config): Explicit run as (#1268)

stevehipwell · web-flow · commit b9b80de10109 · 2025-10-07T10:22:02.000+01:00
Signed-off-by: Steve Hipwell &lt;steve.hipwell@gmail.com&gt;
diff --git a/charts/node-config/CHANGELOG.md b/charts/node-config/CHANGELOG.md
@@ -14,11 +14,14 @@
 
 ## [UNRELEASED]
 
+## [v0.7.0] - 2025-10-07
+
 ### Changed
 
 - Update the _registry.k8s.io/pause_ OCI image version to `3.10.1`. ([#1226](https://github.com/stevehipwell/helm-charts/pull/1226)) _@stevehipwell_
+- Explicitly set non-root run as user and group for pause container. ([#1268](https://github.com/stevehipwell/helm-charts/pull/1268)) _@stevehipwell_
 
-## [v0.6.0] - 2023-06-24
+## [v0.6.0] - 2024-06-24
 
 ### Added
 
@@ -74,6 +77,7 @@
 RELEASE LINKS
 -->
 [UNRELEASED]: https://github.com/stevehipwell/helm-charts/tree/main/charts/node-config
+[v0.7.0]: https://github.com/stevehipwell/helm-charts/releases/tag/node-config-0.7.0
 [v0.6.0]: https://github.com/stevehipwell/helm-charts/releases/tag/node-config-0.6.0
 [v0.5.0]: https://github.com/stevehipwell/helm-charts/releases/tag/node-config-0.5.0
 [v0.4.1]: https://github.com/stevehipwell/helm-charts/releases/tag/node-config-0.4.1
diff --git a/charts/node-config/Chart.yaml b/charts/node-config/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: node-config
 description: Helm chart for configuring Kubernetes nodes via a DaemonSet init container.
 type: application
-version: 0.6.0
+version: 0.7.0
 appVersion: 0.1.0
 home: https://github.com/stevehipwell/helm-charts/
 icon: https://raw.githubusercontent.com/stevehipwell/helm-charts/main/charts/node-config/icon.png
diff --git a/charts/node-config/README.md b/charts/node-config/README.md
@@ -1,6 +1,6 @@
 # node-config
 
-![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square)
+![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square)
 
 Helm chart for configuring Kubernetes nodes via a DaemonSet init container.
 
@@ -23,15 +23,15 @@ Helm chart for configuring Kubernetes nodes via a DaemonSet init container.
 To install the chart using the recommended OCI method you can use the following command.
 
 ```shell
-helm upgrade --install node-config oci://ghcr.io/stevehipwell/helm-charts/node-config --version 0.6.0
+helm upgrade --install node-config oci://ghcr.io/stevehipwell/helm-charts/node-config --version 0.7.0
 ```
 
 #### Verification
 
 As the OCI chart release is signed by [Cosign](https://github.com/sigstore/cosign) you can verify the chart before installing it by running the following command.
 
 ```shell
-cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/action-stars/helm-workflows/\.github/workflows/release\.yaml@.+' --certificate-github-workflow-repository stevehipwell/helm-charts --certificate-github-workflow-name Release ghcr.io/stevehipwell/helm-charts/node-config:0.6.0
+cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp 'https://github\.com/action-stars/helm-workflows/\.github/workflows/release\.yaml@.+' --certificate-github-workflow-repository stevehipwell/helm-charts --certificate-github-workflow-name Release ghcr.io/stevehipwell/helm-charts/node-config:0.7.0
 ```
 
 ### Non-OCI Repository
@@ -40,7 +40,7 @@ Alternatively you can use the legacy non-OCI method via the following commands.
 
 ```shell
 helm repo add stevehipwell https://stevehipwell.github.io/helm-charts/
-helm upgrade --install node-config stevehipwell/node-config --version 0.6.0
+helm upgrade --install node-config stevehipwell/node-config --version 0.7.0
 ```
 
 ## Values
diff --git a/charts/node-config/templates/daemonset.yaml b/charts/node-config/templates/daemonset.yaml
@@ -77,9 +77,11 @@ spec:
       containers:
         - name: pause
           securityContext:
-            runAsNonRoot: true
-            readOnlyRootFilesystem: true
             privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 65532
+            runAsGroup: 65532
             allowPrivilegeEscalation: false
             capabilities:
               drop:
