From dfaae3cbce1af1835235ea57d2a877861d180e20 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz <1578013+astoltz@users.noreply.github.com>
Date: Wed, 17 Jun 2026 10:52:19 -0500
Subject: [PATCH] deploy(segmentdisplay): roll non-root GX10 image
---
 .../deployment-segmentdisplay-web.json | 80 +++++++++++++------
 1 file changed, 57 insertions(+), 23 deletions(-)
diff --git a/apps-gx10/fc-segmentdisplay/deployment-segmentdisplay-web.json b/apps-gx10/fc-segmentdisplay/deployment-segmentdisplay-web.json
index 3c91745..5a843da 100644
--- a/apps-gx10/fc-segmentdisplay/deployment-segmentdisplay-web.json
+++ b/apps-gx10/fc-segmentdisplay/deployment-segmentdisplay-web.json
@@ -49,8 +49,8 @@
 }
 }
 ],
- "image": "localhost/fc-segmentdisplay-web:gx10-v1",
- "imagePullPolicy": "Never",
+ "image": "localhost/fc-segmentdisplay-web:v20260617-sec5-segmentdisplay-7730fb2",
+ "imagePullPolicy": "Never",
 "livenessProbe": {
 "failureThreshold": 3,
 "httpGet": {
@@ -63,8 +63,8 @@
 "successThreshold": 1,
 "timeoutSeconds": 5
 },
- "name": "segmentdisplay-web",
- "ports": [
+ "name": "segmentdisplay-web",
+ "ports": [
 {
 "containerPort": 8080,
 "name": "http",
@@ -83,31 +83,65 @@
 "successThreshold": 1,
 "timeoutSeconds": 5
 },
- "resources": {},
- "terminationMessagePath": "/dev/termination-log",
- "terminationMessagePolicy": "File",
- "volumeMounts": [
- {
- "mountPath": "/data",
- "name": "data"
- }
- ]
- }
+ "resources": {},
+ "securityContext": {
+ "allowPrivilegeEscalation": false,
+ "capabilities": {
+ "drop": [
+ "ALL"
+ ]
+ },
+ "readOnlyRootFilesystem": true,
+ "runAsGroup": 1654,
+ "runAsNonRoot": true,
+ "runAsUser": 1654
+ },
+ "terminationMessagePath": "/dev/termination-log",
+ "terminationMessagePolicy": "File",
+ "volumeMounts": [
+ {
+ "mountPath": "/data",
+ "name": "data"
+ },
+ {
+ "mountPath": "/tmp",
+ "name": "tmp"
+ },
+ {
+ "mountPath": "/app/logs",
+ "name": "logs"
+ }
+ ]
+ }
 ],
 "dnsPolicy": "ClusterFirst",
 "restartPolicy": "Always",
 "schedulerName": "default-scheduler",
- "securityContext": {},
+ "securityContext": {
+ "fsGroup": 1654,
+ "fsGroupChangePolicy": "OnRootMismatch",
+ "runAsGroup": 1654,
+ "runAsNonRoot": true,
+ "runAsUser": 1654
+ },
 "terminationGracePeriodSeconds": 30,
 "volumes": [
- {
- "name": "data",
- "persistentVolumeClaim": {
- "claimName": "segmentdisplay-web-data"
- }
- }
- ]
- }
+ {
+ "name": "data",
+ "persistentVolumeClaim": {
+ "claimName": "segmentdisplay-web-data"
+ }
+ },
+ {
+ "emptyDir": {},
+ "name": "tmp"
+ },
+ {
+ "emptyDir": {},
+ "name": "logs"
+ }
+ ]
+ }
 }
 }
 }
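Review bot: Neither the container nor the pod `securityContext` added here sets a `seccompProfile`, so unless the kubelet is configured to default it the workload runs with seccomp unconfined and would not satisfy the Pod Security "restricted" profile; add `"seccompProfile": { "type": "RuntimeDefault" }` to the pod-level `securityContext`. The two new `emptyDir` volumes backing `/tmp` and `/app/logs` carry no `sizeLimit` and `resources` is still `{}`, so a runaway writer can exhaust node ephemeral storage; consider `"emptyDir": { "sizeLimit": "<size>" }` on both. Logs written to `/app/logs` are also discarded with the pod, so anything needed for incident review should reach stdout or a collector — this is inferred, since the logging pipeline is not visible in the patch. The container and pod spec objects open outside this hunk.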