From ed32a65873b63380ebf60c6dabb4b3aac0158775 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz <1578013+astoltz@users.noreply.github.com>
Date: Wed, 17 Jun 2026 08:47:40 -0500
Subject: [PATCH] Deploy Media SEC-5 non-root image to GX10
---
 .../fc-media/deployment-fc-media-web.json | 77 +++++++++++++------
 1 file changed, 54 insertions(+), 23 deletions(-)
diff --git a/apps-gx10/fc-media/deployment-fc-media-web.json b/apps-gx10/fc-media/deployment-fc-media-web.json
index 0ebd98f..f24d618 100644
--- a/apps-gx10/fc-media/deployment-fc-media-web.json
+++ b/apps-gx10/fc-media/deployment-fc-media-web.json
@@ -92,7 +92,7 @@
 }
 }
 ],
- "image": "localhost/fc-media-web:gx10-v1",
+ "image": "localhost/fc-media-web:v20260617-sec5-media-f9228d2",
 "imagePullPolicy": "Never",
 "livenessProbe": {
 "failureThreshold": 3,
@@ -138,17 +138,26 @@
 "successThreshold": 1,
 "timeoutSeconds": 1
 },
- "resources": {
- "limits": {
- "cpu": "4",
+ "resources": {
+ "limits": {
+ "cpu": "4",
 "memory": "4Gi"
 },
 "requests": {
 "cpu": "500m",
- "memory": "1Gi"
- }
- },
- "startupProbe": {
+ "memory": "1Gi"
+ }
+ },
+ "securityContext": {
+ "allowPrivilegeEscalation": false,
+ "capabilities": {
+ "drop": [
+ "ALL"
+ ]
+ },
+ "readOnlyRootFilesystem": true
+ },
+ "startupProbe": {
 "failureThreshold": 18,
 "httpGet": {
 "httpHeaders": [
@@ -187,17 +196,31 @@
 "name": "media-library",
 "readOnly": true
 },
- {
- "mountPath": "/media/inbox",
- "name": "media-inbox"
- }
- ]
+ {
+ "mountPath": "/media/inbox",
+ "name": "media-inbox"
+ },
+ {
+ "mountPath": "/tmp",
+ "name": "temp"
+ },
+ {
+ "mountPath": "/app/logs",
+ "name": "logs"
+ }
+ ]
 }
 ],
 "dnsPolicy": "ClusterFirst",
 "restartPolicy": "Always",
 "schedulerName": "default-scheduler",
- "securityContext": {},
+ "securityContext": {
+ "fsGroup": 1654,
+ "fsGroupChangePolicy": "OnRootMismatch",
+ "runAsGroup": 1654,
+ "runAsNonRoot": true,
+ "runAsUser": 1654
+ },
 "terminationGracePeriodSeconds": 30,
 "volumes": [
 {
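Review bot: The new container `securityContext` in the second hunk sets no `seccompProfile`, so unless the kubelet's seccompDefault is enabled the container keeps an unconfined syscall filter even though capabilities are dropped and the root filesystem is read-only; the Pod Security Standards restricted profile also requires one. Adding `"seccompProfile": { "type": "RuntimeDefault" }` alongside `"readOnlyRootFilesystem": true` (or in the pod-level securityContext) closes that gap without affecting the existing probes. The `resources` block is removed and re-added with identical content, which looks like an indentation-only change that adds noise to the diff; worth confirming the file's indentation is consistent before merge. The enclosing container object starts and ends outside this hunk.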
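Review bot: The pod-level `"fsGroup": 1654` in the third hunk only takes effect on the two new emptyDir volumes, since Kubernetes does not apply fsGroup ownership changes to `nfs` volumes; with `"runAsUser": 1654` the writable `/media/inbox` mount therefore depends entirely on the NFS export presenting its files as writable by uid/gid 1654. If the export does not, the pod will still pass its HTTP probes and the failure may surface only on the first inbox write, so this assumption deserves a note in the commit message or the app's README, as JSON gives no place for an inline comment. `"fsGroupChangePolicy": "OnRootMismatch"` is consistent with this, as it only governs the emptyDir volumes. The `template.spec` object this block belongs to starts and ends outside the hunk.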
@@ -227,15 +250,23 @@
 "server": "10.0.58.3"
 }
 },
- {
- "name": "media-library",
- "nfs": {
- "path": "/volume1/video",
- "readOnly": true,
- "server": "10.0.58.3"
- }
- }
- ]
+ {
+ "name": "media-library",
+ "nfs": {
+ "path": "/volume1/video",
+ "readOnly": true,
+ "server": "10.0.58.3"
+ }
+ },
+ {
+ "emptyDir": {},
+ "name": "temp"
+ },
+ {
+ "emptyDir": {},
+ "name": "logs"
+ }
+ ]
 }
 }
 }
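Review bot: The two new `emptyDir` volumes `temp` and `logs` in this hunk carry no `sizeLimit`, so with `readOnlyRootFilesystem` routing every writable path onto them, an unbounded `/app/logs` can consume the node's ephemeral storage and get the pod evicted. Giving each a bound, e.g. `"emptyDir": { "sizeLimit": "1Gi" }` (example value; size it for the app), keeps a log or temp-file leak from affecting other workloads on the node. Whether `/tmp` and `/app/logs` are the only paths the image writes to cannot be confirmed from this file; a startup run against the read-only root filesystem will reveal any other write failure. The enclosing `volumes` array starts outside the hunk.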