From c7f9f4ac9de401137752f81b6d0a6e94fb01f126 Mon Sep 17 00:00:00 2001
From: nimalank7
Date: Fri, 15 Nov 2024 14:40:33 +0000
Subject: [PATCH] Enforce Argo workflow server to be compliant with PSS restricted

Description:
- Enforce the Argo workflow server to be compliant when PSS is said to [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
- Helm values for this chart are found [here](https://github.com/argoproj/argo-helm/blob/main/charts/argo-workflows/values.yaml)
- `SecurityContext` in the Helm chart has sensible defaults but it is better to define it explicitly here
- As part of https://github.com/alphagov/govuk-helm-charts/issues/1883
---
 terraform/deployments/cluster-services/argo.tf | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/terraform/deployments/cluster-services/argo.tf b/terraform/deployments/cluster-services/argo.tf
index c7d58f442..33b54df55 100644
--- a/terraform/deployments/cluster-services/argo.tf
+++ b/terraform/deployments/cluster-services/argo.tf
@@ -308,6 +308,19 @@ resource "helm_release" "argo_workflows" {
 memory = "512Mi"
 }
 }
+ podSecurityContext = {
+ runAsNonRoot = true
+ seccompProfile = {
+ type = "RuntimeDefault"
+ }
+ }
+ securityContext = {
+ readOnlyRootFilesystem = true
+ allowPrivilegeEscalation = false
+ capabilities = {
+ drop = ["ALL"]
+ }
+ }
 replicas = var.desired_ha_replicas
 }
 })]
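Review bot: `runAsNonRoot = true` in the new `podSecurityContext` is only as strong as the image's user declaration — the kubelet refuses to start the pod if the image `USER` is a non-numeric name, and nothing in this hunk pins the UID — so either add `runAsUser`/`runAsGroup` with the non-root UID the server image is built for, or state in the PR that the chart's defaults already set them (Helm merges nested maps, so any chart-level `runAsUser` would survive this override, but that dependence is invisible from this file). Since the description's stated goal is explicitness, a short comment would also help the next reader, e.g. `# PSS "restricted": non-root + RuntimeDefault seccomp at pod level; the container block below drops all capabilities and blocks privilege escalation.` Note too that this hardens only the server Deployment: workflow pods launched by the controller take their securityContext from the executor/`mainContainer` values, and those still need their own settings if workflow namespaces are also labelled restricted — presumably tracked under the linked issue. The enclosing `helm_release` resource and the values map this sits in start outside the hunk, so I cannot confirm from here that the block is under the `server` key rather than `controller`.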