From 15fcd712c527ea17b30160d62ec49647740ef0fa Mon Sep 17 00:00:00 2001
From: Son Nguyen
Date: Mon, 25 Mar 2019 14:38:04 -0400
Subject: [PATCH] Running Che and Che workspaces as a non-root in a Kubernetes cluster.
Signed-off-by: Son Nguyen
---
 deploy/kubernetes/helm/che/templates/configmap.yaml | 4 ++--
 deploy/kubernetes/helm/che/templates/deployment.yaml | 3 +++
 deploy/kubernetes/helm/che/values.yaml | 4 ++++
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/deploy/kubernetes/helm/che/templates/configmap.yaml b/deploy/kubernetes/helm/che/templates/configmap.yaml
index cfa4ec1a5d..a86c46beb3 100644
--- a/deploy/kubernetes/helm/che/templates/configmap.yaml
+++ b/deploy/kubernetes/helm/che/templates/configmap.yaml
@@ -55,8 +55,8 @@ data:
 CHE_INFRA_KUBERNETES_PVC_STRATEGY: "common"
 CHE_INFRA_KUBERNETES_PVC_QUANTITY: {{ .Values.global.pvcClaim }}
 CHE_INFRA_KUBERNETES_PVC_PRECREATE__SUBPATHS: "true"
- CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER: "0"
- CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP: "0"
+ CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_RUN__AS__USER: "{{ .Values.global.securityContext.runAsUser }}"
+ CHE_INFRA_KUBERNETES_POD_SECURITY__CONTEXT_FS__GROUP: "{{ .Values.global.securityContext.fsGroup }}"
 CHE_LOCAL_CONF_DIR: /etc/conf
 CHE_LOGS_DIR: /data/logs
 CHE_LOG_LEVEL: "INFO"
diff --git a/deploy/kubernetes/helm/che/templates/deployment.yaml b/deploy/kubernetes/helm/che/templates/deployment.yaml
index efc0208fd9..860fb9c5e6 100644
--- a/deploy/kubernetes/helm/che/templates/deployment.yaml
+++ b/deploy/kubernetes/helm/che/templates/deployment.yaml
@@ -76,6 +76,9 @@ spec:
 {{- end }}
 image: {{ .Values.cheImage }}
 imagePullPolicy: {{ .Values.cheImagePullPolicy }}
+ securityContext:
+ runAsUser: {{ .Values.global.securityContext.runAsUser }}
+ fsGroup: {{ .Values.global.securityContext.fsGroup }}
 livenessProbe:
 httpGet:
 path: /api/system/state
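Review bot: `fsGroup` is added to the container-level `securityContext` (it sits between `imagePullPolicy` and `livenessProbe`, both container fields), but `fsGroup` is only a pod-level `spec.securityContext` field; at container level it is dropped or rejected depending on validation, so the data volume will not be group-owned by 1724 and the now non-root Che server may fail to write `/data` on a fresh PVC. Move `fsGroup` (and optionally `runAsUser`) up to the pod `securityContext`, which starts before this hunk so its exact indentation is not visible here. Since the commit's goal is non-root, also enforce the intent rather than only the UID: `runAsNonRoot: true` makes the kubelet refuse to start the container if a values override sets `runAsUser` back to `0`, and `allowPrivilegeEscalation: false` is the usual companion. The workspace side in configmap.yaml gets no equivalent guard, so an override to `0` there would presumably re-enable root workspaces silently — worth a comment in values.yaml.
```yaml
spec:
  securityContext:
    runAsUser: {{ .Values.global.securityContext.runAsUser }}
    fsGroup: {{ .Values.global.securityContext.fsGroup }}
  # … unchanged: volumes, containers, env, image, imagePullPolicy …
      securityContext:
        runAsUser: {{ .Values.global.securityContext.runAsUser }}
        runAsNonRoot: true
        allowPrivilegeEscalation: false
      livenessProbe:
```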
diff --git a/deploy/kubernetes/helm/che/values.yaml b/deploy/kubernetes/helm/che/values.yaml
index 48eb8270e6..79ce5e2179 100644
--- a/deploy/kubernetes/helm/che/values.yaml
+++ b/deploy/kubernetes/helm/che/values.yaml
@@ -58,6 +58,10 @@ global:
 appenderName: "plaintext"
 tracingEnabled: false
 metricsEnabled: false
+ # Run Che and Che workspaces as the same non-root user
+ securityContext:
+ runAsUser: 1724
+ fsGroup: 1724
 prometheus:
 alertmanager: