fix(vaulwarden): run as non root

charts/vaultwarden/charts/vaultwarden/templates/statefulset.yaml

@@ -47,6 +47,10 @@ spec:
       tolerations:
         {{- toYaml .Values.tolerations | nindent 8 }}
       {{- end }}
+      securityContext:
+        runAsUser: {{ .Values.runAsUser }}
+        runAsGroup: {{ .Values.runAsUser }}
+        fsGroup: {{ .Values.runAsUser }}
       {{- if .Values.initContainers }}
       initContainers:
         {{- toYaml .Values.initContainers | nindent 8 }}
@@ -58,6 +62,8 @@ spec:
           envFrom:
             - configMapRef:
                 name: {{ include "vaultwarden.fullname" . }}
+          securityContext:
+            allowPrivilegeEscalation: false
           env:
             {{- if or (.Values.smtp.username.value) (.Values.smtp.username.existingSecretKey )}}
             - name: SMTP_USERNAME

charts/vaultwarden/charts/vaultwarden/values.yaml

@@ -118,6 +118,15 @@ serviceAccount:
   name: "vaultwarden-svc"
 
 
+## @param runAsUser user ID for VaultWarden and backup run with
+##
+runAsUser: 1100
+
+## @param runAsGroup group ID for VaultWarden and backup run with
+## Same as default user for vaultwarden-backup
+runAsGroup: 1100
+
+
 ## @section Exposure Parameters
 ##