From 227caca78c61b5d4bafb257dff92ff0a27a83dbe Mon Sep 17 00:00:00 2001
From: Masaki Yatsu
Date: Wed, 3 Dec 2025 20:32:16 +0900
Subject: [PATCH] chore(ollama): set pod security standards

---
 ollama/justfile             | 6 ++++++
 ollama/values.gomplate.yaml | 15 +++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/ollama/justfile b/ollama/justfile
index 534924c..3fb55ab 100644
--- a/ollama/justfile
+++ b/ollama/justfile
@@ -29,6 +29,12 @@ create-namespace:
     if ! kubectl get namespace ${OLLAMA_NAMESPACE} &>/dev/null; then
         kubectl create namespace ${OLLAMA_NAMESPACE}
     fi
+    kubectl label namespace ${OLLAMA_NAMESPACE} \
+        pod-security.kubernetes.io/enforce=restricted \
+        pod-security.kubernetes.io/enforce-version=latest \
+        pod-security.kubernetes.io/warn=restricted \
+        pod-security.kubernetes.io/warn-version=latest \
+        --overwrite
 
 # Delete Ollama namespace
 delete-namespace:
diff --git a/ollama/values.gomplate.yaml b/ollama/values.gomplate.yaml
index 22462c4..e7c6f18 100644
--- a/ollama/values.gomplate.yaml
+++ b/ollama/values.gomplate.yaml
@@ -19,6 +19,21 @@ ollama:
     {{- end }}
   {{- end }}
 
+podSecurityContext:
+  fsGroup: 1000
+  seccompProfile:
+    type: RuntimeDefault
+
+securityContext:
+  runAsUser: 1000
+  runAsNonRoot: true
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - ALL
+
 persistentVolume:
   enabled: true
   size: {{ .Env.OLLAMA_STORAGE_SIZE }}
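Review bot: The new `kubectl label` call sets only the `enforce` and `warn` Pod Security Admission modes, so rejections of pods created by controllers (the Deployment's ReplicaSet, not the user's kubectl) leave no trace in the audit log; add `pod-security.kubernetes.io/audit=restricted \` and `pod-security.kubernetes.io/audit-version=latest \` alongside the other two labels. Pinning both `-version` labels to `latest` also means the checks tighten silently whenever the API server is upgraded, so pinning to an explicit version such as `v1.31` is the documented recommendation when you want deterministic behaviour. Note that `--overwrite` on a namespace that already existed before this recipe ran applies `enforce=restricted` to every future pod in it, while already-running non-compliant pods keep running until they are recreated; a comment above the call such as `# PSA enforce only applies at admission; existing pods are not evicted` would make that explicit. The `create-namespace` recipe begins before this hunk.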
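Review bot: The container `securityContext` sets `runAsUser: 1000` but no `runAsGroup`, so the process's primary GID is whatever the image's user entry says (often GID 0 when an image only declares a UID), which can leave files the process creates outside the `fsGroup`-owned volume group-owned by root; adding `runAsGroup: 1000` under `securityContext` closes that gap and makes the non-root intent consistent with `fsGroup: 1000`. The hard-coded `1000` presumably matches the UID the Ollama image runs as — confirm against the image, because a mismatch would surface as permission errors on the models directory rather than an admission rejection. `readOnlyRootFilesystem: true` is not required by the `restricted` profile but is the usual companion to `allowPrivilegeEscalation: false` and `drop: [ALL]`; if the image only writes under the persistent volume it is worth adding here. The `ollama:` mapping starts before this hunk and `persistentVolume:` may continue past it.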