From cf8cc4ba543fb32bbce6cd82d6a2b541de115f28 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz <1578013+astoltz@users.noreply.github.com>
Date: Wed, 17 Jun 2026 07:46:28 -0500
Subject: [PATCH] deploy(chat): roll non-root GX10 image

---
 apps-gx10/fc-chat/deployment-chat-web.json | 78 +++++++++++++++-------
 1 file changed, 53 insertions(+), 25 deletions(-)

diff --git a/apps-gx10/fc-chat/deployment-chat-web.json b/apps-gx10/fc-chat/deployment-chat-web.json
index dd23cc5..a431bae 100644
--- a/apps-gx10/fc-chat/deployment-chat-web.json
+++ b/apps-gx10/fc-chat/deployment-chat-web.json
@@ -83,7 +83,7 @@
 }
 }
 ],
- "image": "localhost/fc-chat-web:v20260616-chat-md-a812a81",
+ "image": "localhost/fc-chat-web:v20260617-sec5-chat-358f7ca",
 "imagePullPolicy": "Never",
 "livenessProbe": {
 "failureThreshold": 3,
@@ -98,13 +98,22 @@
 "timeoutSeconds": 5
 },
 "name": "chat-web",
- "ports": [
- {
- "containerPort": 8080,
- "name": "http",
- "protocol": "TCP"
- }
- ],
+ "ports": [
+ {
+ "containerPort": 8080,
+ "name": "http",
+ "protocol": "TCP"
+ }
+ ],
+ "securityContext": {
+ "allowPrivilegeEscalation": false,
+ "capabilities": {
+ "drop": [
+ "ALL"
+ ]
+ },
+ "readOnlyRootFilesystem": true
+ },
 "readinessProbe": {
 "failureThreshold": 6,
 "httpGet": {
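Review bot: The new container `securityContext` in the second hunk stops one field short of the Pod Security Standards "restricted" profile, which also requires a seccomp profile; neither this block nor the pod-level `securityContext` changed later in the file sets one, so the default (unconfined) syscall filter still applies. Add `"readOnlyRootFilesystem": true,` followed by `"seccompProfile": { "type": "RuntimeDefault" }` to this block (or equivalently to the pod-level context). The rest of the block is consistent with what is visible: the container listens on `containerPort: 8080`, so dropping `ALL` capabilities needs no `NET_BIND_SERVICE` add-back. Whether `readOnlyRootFilesystem` breaks the image depends on which paths it writes to, which this hunk cannot show; the `/tmp` and `/app/logs` mounts added in the following hunk are presumably meant to cover that, but any other write path would surface only at runtime.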
@@ -129,30 +138,49 @@
 },
 "terminationMessagePath": "/dev/termination-log",
 "terminationMessagePolicy": "File",
- "volumeMounts": [
- {
- "mountPath": "/data",
- "name": "data"
- }
- ]
+ "volumeMounts": [
+ {
+ "mountPath": "/data",
+ "name": "data"
+ },
+ {
+ "mountPath": "/tmp",
+ "name": "temp"
+ },
+ {
+ "mountPath": "/app/logs",
+ "name": "logs"
+ }
+ ]
 }
 ],
 "dnsPolicy": "ClusterFirst",
 "restartPolicy": "Always",
 "schedulerName": "default-scheduler",
- "securityContext": {
- "fsGroup": 1654,
- "fsGroupChangePolicy": "OnRootMismatch"
- },
+ "securityContext": {
+ "fsGroup": 1654,
+ "fsGroupChangePolicy": "OnRootMismatch",
+ "runAsGroup": 1654,
+ "runAsNonRoot": true,
+ "runAsUser": 1654
+ },
 "terminationGracePeriodSeconds": 30,
 "volumes": [
- {
- "name": "data",
- "persistentVolumeClaim": {
- "claimName": "chat-web-data"
- }
- }
- ]
+ {
+ "name": "data",
+ "persistentVolumeClaim": {
+ "claimName": "chat-web-data"
+ }
+ },
+ {
+ "emptyDir": {},
+ "name": "temp"
+ },
+ {
+ "emptyDir": {},
+ "name": "logs"
+ }
+ ]
 }
 }
 }
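Review bot: The two new `"emptyDir": {}` volumes backing `/tmp` and `/app/logs` have no `sizeLimit`, and since the container root filesystem is now read-only every write the app makes lands in one of them, so a runaway log or temp file can consume node ephemeral storage until the kubelet evicts the pod; no `resources.limits.ephemeral-storage` is visible in this diff to bound that instead. Cap each one, e.g. `"emptyDir": { "sizeLimit": "256Mi" }` for `temp` and a figure sized to the expected log volume for `logs`, and consider whether logs should go to stdout rather than a pod-local directory at all. Separately, `runAsUser: 1654` is now enforced against the pre-existing `chat-web-data` PVC, but `fsGroupChangePolicy: OnRootMismatch` only re-chowns when the volume root's ownership differs, so files the previous (presumably root-running) image created under `/data` with restrictive modes may be unreadable or unwritable for uid 1654 — worth verifying on first rollout before relying on the probes alone.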