From 41681522612578d9a653d9c26fb4da6000a0f396 Mon Sep 17 00:00:00 2001
From: Chip Zoller <chipzoller@gmail.com>
Date: Wed, 8 Nov 2023 06:57:05 -0500
Subject: [PATCH] fix and improve basic-health test (#2733)

Signed-off-by: chipzoller <chipzoller@gmail.com>
---
 .../templates/tests/basic-health.yaml          | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/cost-analyzer/templates/tests/basic-health.yaml b/cost-analyzer/templates/tests/basic-health.yaml
index b91bc12eb..b4278c76f 100644
--- a/cost-analyzer/templates/tests/basic-health.yaml
+++ b/cost-analyzer/templates/tests/basic-health.yaml
@@ -7,17 +7,31 @@ metadata:
   annotations:
     {{- include "kubecost.test.annotations" . | nindent 4 }}
 spec:
-  serviceAccountName: {{ template "cost-analyzer.serviceAccountName" . }}
+  automountServiceAccountToken: false
   restartPolicy: Never
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 3000
+    fsGroup: 2000
   containers:
   - name: test-kubecost
     image: alpine/k8s:1.26.9
+    securityContext:
+      privileged: false
+      capabilities:
+        drop: 
+        - ALL
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
     command:
       - /bin/sh
     args:
       - -c
       - >-
-        svc=$(kubectl -n {{ .Release.Namespace }} get svc -l app.kubernetes.io/name=cost-analyzer -o json | jq -r .items[0].metadata.name);
+        svc="{{ .Release.Name }}-cost-analyzer";
         echo Getting current Kubecost state.;
         response=$(curl -sL http://${svc}:9090/model/getConfigs);
         code=$(echo ${response} | jq .code);