diff --git a/charts/common/templates/addons/vpn/tailscale/_container.tpl b/charts/common/templates/addons/vpn/tailscale/_container.tpl
index c4fa4f72..409eb4ff 100644
--- a/charts/common/templates/addons/vpn/tailscale/_container.tpl
+++ b/charts/common/templates/addons/vpn/tailscale/_container.tpl
@@ -11,14 +11,23 @@
   command: ["ash", "/tailscale/run.sh"]
   tty: true
-# It should run rootless. But needs test
   securityContext:
+{{- if .Values.addons.vpn.tailscale.userspace }}
     runAsUser: 1000
     runAsGroup: 1000
+    runAsNonRoot: true
+    readOnlyRootFilesystem: true
+{{- else }}
+    runAsUser: 0
+    runAsGroup: 0
+    runAsNonRoot: false
+    readOnlyRootFilesystem: false
+{{- end }}
     capabilities:
       add:
         - NET_ADMIN
+
   envFrom:
     - secretRef:
         name: {{ $secretName }}
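Review bot: The `capabilities: add: - NET_ADMIN` block stays outside the new `{{- if }}`, so the userspace branch renders a non-root, read-only container that still carries NET_ADMIN, a capability tailscaled does not need in userspace networking mode. Moving the three lines `capabilities:` / `add:` / `- NET_ADMIN` into the `{{- else }}` branch leaves the kernel-mode branch unchanged and makes the userspace branch the genuinely least-privileged one. Note also that the switch fails open: if `.Values.addons.vpn.tailscale.userspace` is unset or misspelled, Helm evaluates it as false and renders the root branch with `readOnlyRootFilesystem: false`, so a comment above the `if` such as `# unset/false selects the root + NET_ADMIN (kernel TUN) path` and an explicit default in values.yaml would make that visible. Whether `readOnlyRootFilesystem: true` in the userspace branch is compatible with where tailscaled keeps its state and socket depends on volume mounts and `/tailscale/run.sh`, which are outside this hunk, so that combination is worth confirming before the rootless path is advertised as default.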