From 88f617f936e2fc41cce8a094b4421067ee7fab8b Mon Sep 17 00:00:00 2001
From: Pat Riehecky
Date: Tue, 6 May 2025 10:56:19 -0500
Subject: [PATCH] [grafana] Add DAC_READ_SEARCH to initChownData and readOnlyRootFilesystem
Signed-off-by: Pat Riehecky
---
 charts/grafana/Chart.yaml | 2 +-
 charts/grafana/README.md | 2 +-
 charts/grafana/values.yaml | 3 ++-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/charts/grafana/Chart.yaml b/charts/grafana/Chart.yaml
index 716842120e..233c1e34a7 100644
--- a/charts/grafana/Chart.yaml
+++ b/charts/grafana/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: grafana
-version: 8.15.0
+version: 8.15.1
 appVersion: 11.6.1
 kubeVersion: "^1.8.0-0"
 description: The leading tool for querying and visualizing time series and metrics.
diff --git a/charts/grafana/README.md b/charts/grafana/README.md
index 444b87a74c..a51df74d4c 100644
--- a/charts/grafana/README.md
+++ b/charts/grafana/README.md
@@ -130,7 +130,7 @@ need to instead set `global.imageRegistry`.
 | `initChownData.image.sha` | init-chown-data container image sha (optional)| `""` |
 | `initChownData.image.pullPolicy` | init-chown-data container image pull policy | `IfNotPresent` |
 | `initChownData.resources` | init-chown-data pod resource requests & limits | `{}` |
-| `initChownData.securityContext` | init-chown-data pod securityContext | `{"readOnlyRootFilesystem": false, "runAsNonRoot": false}`, "runAsUser": 0, "seccompProfile": {"type": "RuntimeDefault"}, "capabilities": {"add": ["CHOWN"], "drop": ["ALL"]}}` |
+| `initChownData.securityContext` | init-chown-data pod securityContext | `{"readOnlyRootFilesystem": true, "runAsNonRoot": false}`, "runAsUser": 0, "seccompProfile": {"type": "RuntimeDefault"}, "capabilities": {"add": ["CHOWN", "DAC_READ_SEARCH"], "drop": ["ALL"]}}` |
 | `schedulerName` | Alternate scheduler name | `nil` |
 | `env` | Extra environment variables passed to pods | `{}` |
 | `envValueFrom` | Environment variables from alternate sources. See the API docs on [EnvVarSource](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#envvarsource-v1-core) for format details. Can be templated | `{}` |
diff --git a/charts/grafana/values.yaml b/charts/grafana/values.yaml
index 98c0bafa5d..0d0474a9c0 100644
--- a/charts/grafana/values.yaml
+++ b/charts/grafana/values.yaml
@@ -475,7 +475,7 @@ initChownData:
 # cpu: 100m
 # memory: 128Mi
 securityContext:
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 runAsNonRoot: false
 runAsUser: 0
 seccompProfile:
@@ -483,6 +483,7 @@ initChownData:
 capabilities:
 add:
 - CHOWN
+ - DAC_READ_SEARCH
 drop:
 - ALL
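Review bot: Adding `DAC_READ_SEARCH` to `capabilities.add` in the second values.yaml hunk moves the default init-chown-data container outside the Kubernetes Pod Security Standards baseline profile, whose allowed-capability list includes CHOWN but not DAC_READ_SEARCH. Namespaces that enforce baseline would therefore be expected to reject the pod wherever this init container is rendered with defaults. The capability also lets the uid 0 process bypass file-read and directory-search permission checks on everything it can reach, which is broader than the chown job appears to need, and neither the commit message nor values.yaml says why it is required. Consider leaving the default at CHOWN and documenting the addition as an opt-in, or at least add a comment above the entry such as `# DAC_READ_SEARCH: presumably needed so chown -R can traverse directories root cannot read once ALL is dropped; not allowed by the PSS baseline profile`. The securityContext mapping starts in the previous hunk and continues past the end of this one.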