From b3bb87177d285153c39ad6463cfbd5ca0636f446 Mon Sep 17 00:00:00 2001
From: Manuel Ganter
Date: Mon, 27 Oct 2025 15:25:43 +0100
Subject: [PATCH] added security context
---
 internal/spec/spec.go | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/internal/spec/spec.go b/internal/spec/spec.go
index 163355a..7d9e7bb 100644
--- a/internal/spec/spec.go
+++ b/internal/spec/spec.go
@@ -8,6 +8,7 @@ import (
 "github.com/cloudbase/garm-provider-common/params"
 corev1 "k8s.io/api/core/v1"
+ "k8s.io/utils/pointer"
 )
 type GitHubScopeDetails struct {
@@ -181,6 +182,16 @@ func GetPodSpec(gitHubScope GitHubScopeDetails, bootstrapParams params.Bootstrap
 "--oci-worker-no-process-sandbox",
 },
 ImagePullPolicy: corev1.PullIfNotPresent,
+ SecurityContext: &corev1.SecurityContext{
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: "Unconfined",
+ },
+ AppArmorProfile: &corev1.AppArmorProfile{
+ Type: "Unconfined",
+ },
+ RunAsUser: pointer.Int64(1000),
+ RunAsGroup: pointer.Int64(1000),
+ },
 ReadinessProbe: &corev1.Probe{
 ProbeHandler: corev1.ProbeHandler{
 Exec: &corev1.ExecAction{
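Review bot: The package added to the import block, `k8s.io/utils/pointer`, is deprecated upstream in favour of `k8s.io/utils/ptr`, whose generic `ptr.To` replaces every typed helper. The two new call sites in GetPodSpec would read `RunAsUser:  ptr.To(int64(1000)),` and `RunAsGroup: ptr.To(int64(1000)),` with the import changed to `"k8s.io/utils/ptr"`. Whether the module's pinned `k8s.io/utils` version already ships the `ptr` package is not visible here; if it does not, the swap can ride along with the next dependency bump.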
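Review bot: The new SecurityContext sets both the seccomp and AppArmor profile types to `Unconfined`, which removes the runtime's default syscall filter and MAC confinement from a pod that executes CI jobs, and the hunk gives no reason; the neighbouring `--oci-worker-no-process-sandbox` flag suggests rootless BuildKit needs it, so a comment such as `// Unconfined seccomp/AppArmor is required by rootless BuildKit (mount/unshare); this pod is not admissible under the Pod Security "baseline" level` should sit above the field, with the actual requirement confirmed. Both values have typed constants in corev1, so `Type: corev1.SeccompProfileTypeUnconfined,` and `Type: corev1.AppArmorProfileTypeUnconfined,` avoid the raw strings and let the compiler catch a misspelling. The `AppArmorProfile` field of SecurityContext exists in the API only from Kubernetes 1.30, so on older clusters it is dropped on admission and the runtime or annotation default applies instead. Since the UID/GID are already pinned, adding `RunAsNonRoot: pointer.Bool(true),` makes the non-root expectation enforced rather than implied, while whether 1000 matches the image's configured user cannot be seen from this hunk. GetPodSpec's body begins and ends outside the hunk.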