From 88268a90ed30bc3bfa0857db326228d604968ec1 Mon Sep 17 00:00:00 2001
From: Wolfgang Schnerring <wolfgang.schnerring@zeit.de>
Date: Fri, 15 May 2026 13:32:08 +0200
Subject: [PATCH] WCM-1546: Declare seccomp profile

---
 k8s/base/deployment.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/k8s/base/deployment.yaml b/k8s/base/deployment.yaml
index ce0712e4..a65ab83a 100644
--- a/k8s/base/deployment.yaml
+++ b/k8s/base/deployment.yaml
@@ -34,9 +34,12 @@ spec:
 
           securityContext:
             readOnlyRootFilesystem: true
+            allowPrivilegeEscalation: false
             capabilities:
               drop:
                 - "ALL"
+            seccompProfile:
+              type: RuntimeDefault
 
           volumeMounts:
             - mountPath: /tmp # to support readOnlyRootFilesystem