From 33c52be1c56105fa1c01dd5cd63fd6b68959f90f Mon Sep 17 00:00:00 2001
From: Felix Wolf <felix.wolf@blueworld-gmbh.de>
Date: Sun, 3 May 2026 00:52:45 +0200
Subject: [PATCH] feat(pss): drop 5 namespaces from PSS privileged to
 restricted
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

argocd, cert-manager, cloudnative-pg already compliant — label flip only.
ocis: add overlay injecting seccompProfile=RuntimeDefault, drop ALL caps,
allowPrivilegeEscalation=false across all chart Deployments/CronJobs;
patch idm initContainer; harden custom precheck Job; refactor s3-backup
to rclone/rclone image (avoids apk-add-as-root).
victoria-metrics-single: overlay sets full restricted SC on the StatefulSet
that ships with empty securityContext: {}.

forgejo, traefik, kube-system stay privileged (hostPort / CSI driver).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 prototypes/argocd/ytt/ns.ytt.yaml             |  2 +-
 prototypes/cert-manager/ytt/ns.ytt.yaml       |  2 +-
 prototypes/cloudnative-pg/ytt/ns.ytt.yaml     |  2 +-
 .../ytt/external-secret-precheck-job.ytt.yaml | 12 +++
 prototypes/ocis/ytt/ns.ytt.yaml               |  2 +-
 prototypes/ocis/ytt/pss-restricted.ytt.yaml   | 62 +++++++++++++
 .../ocis/ytt/s3-backup-cronjob.ytt.yaml       | 92 ++++++++++---------
 .../victoria-metrics-single/ytt/ns.ytt.yaml   |  2 +-
 .../ytt/pss-restricted.ytt.yaml               | 25 +++++
 .../production/argocd/namespace-argocd.yaml   |  2 +-
 .../cert-manager/namespace-cert-manager.yaml  |  2 +-
 .../cloudnative-pg/namespace-cnpg-system.yaml |  2 +-
 .../ocis/cronjob-ocis-s3-backup.yaml          | 92 ++++++++++---------
 ...b-storage-users-clean-expired-uploads.yaml |  6 ++
 ...e-users-purge-expired-trash-bin-items.yaml |  6 ++
 ...-storage-users-restart-postprocessing.yaml |  6 ++
 .../ocis/cronjob-thumbnails-cleanup.yaml      |  6 ++
 .../ocis/deployment-activitylog.yaml          |  6 ++
 .../ocis/deployment-appregistry.yaml          |  6 ++
 .../production/ocis/deployment-audit.yaml     |  6 ++
 .../ocis/deployment-authmachine.yaml          |  6 ++
 .../ocis/deployment-authservice.yaml          |  6 ++
 .../production/ocis/deployment-clientlog.yaml |  6 ++
 .../ocis/deployment-eventhistory.yaml         |  6 ++
 .../production/ocis/deployment-frontend.yaml  |  6 ++
 .../production/ocis/deployment-gateway.yaml   |  6 ++
 .../production/ocis/deployment-graph.yaml     |  6 ++
 .../production/ocis/deployment-groups.yaml    |  6 ++
 .../envs/production/ocis/deployment-idm.yaml  | 10 ++
 .../envs/production/ocis/deployment-idp.yaml  |  6 ++
 .../envs/production/ocis/deployment-nats.yaml |  6 ++
 .../production/ocis/deployment-ocdav.yaml     |  6 ++
 .../envs/production/ocis/deployment-ocs.yaml  |  6 ++
 .../ocis/deployment-postprocessing.yaml       |  6 ++
 .../production/ocis/deployment-proxy.yaml     |  6 ++
 .../production/ocis/deployment-search.yaml    |  6 ++
 .../production/ocis/deployment-settings.yaml  |  6 ++
 .../production/ocis/deployment-sharing.yaml   |  6 ++
 .../envs/production/ocis/deployment-sse.yaml  |  6 ++
 .../ocis/deployment-storagepubliclink.yaml    |  6 ++
 .../ocis/deployment-storageshares.yaml        |  6 ++
 .../ocis/deployment-storagesystem.yaml        |  6 ++
 .../ocis/deployment-storageusers.yaml         |  6 ++
 .../ocis/deployment-thumbnails.yaml           |  6 ++
 .../production/ocis/deployment-userlog.yaml   |  6 ++
 .../production/ocis/deployment-users.yaml     |  6 ++
 .../envs/production/ocis/deployment-web.yaml  |  6 ++
 .../production/ocis/deployment-webdav.yaml    |  6 ++
 .../production/ocis/deployment-webfinger.yaml |  6 ++
 .../job-ocis-external-secret-precheck.yaml    | 12 +++
 .../envs/production/ocis/namespace-ocis.yaml  |  2 +-
 .../namespace-monitoring.yaml                 |  2 +-
 ...fulset-victoria-metrics-single-server.yaml | 15 ++-
 53 files changed, 448 insertions(+), 102 deletions(-)
 create mode 100644 prototypes/ocis/ytt/pss-restricted.ytt.yaml
 create mode 100644 prototypes/victoria-metrics-single/ytt/pss-restricted.ytt.yaml

diff --git a/prototypes/argocd/ytt/ns.ytt.yaml b/prototypes/argocd/ytt/ns.ytt.yaml
index f66069b..1bc2a22 100644
--- a/prototypes/argocd/ytt/ns.ytt.yaml
+++ b/prototypes/argocd/ytt/ns.ytt.yaml
@@ -9,7 +9,7 @@ kind: Namespace
 metadata:
   name: #@ ns
   labels:
-    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce: restricted
 
 #@overlay/match by=overlay.all, expects="1+"
 ---
diff --git a/prototypes/cert-manager/ytt/ns.ytt.yaml b/prototypes/cert-manager/ytt/ns.ytt.yaml
index f66069b..1bc2a22 100644
--- a/prototypes/cert-manager/ytt/ns.ytt.yaml
+++ b/prototypes/cert-manager/ytt/ns.ytt.yaml
@@ -9,7 +9,7 @@ kind: Namespace
 metadata:
   name: #@ ns
   labels:
-    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce: restricted
 
 #@overlay/match by=overlay.all, expects="1+"
 ---
diff --git a/prototypes/cloudnative-pg/ytt/ns.ytt.yaml b/prototypes/cloudnative-pg/ytt/ns.ytt.yaml
index f66069b..1bc2a22 100644
--- a/prototypes/cloudnative-pg/ytt/ns.ytt.yaml
+++ b/prototypes/cloudnative-pg/ytt/ns.ytt.yaml
@@ -9,7 +9,7 @@ kind: Namespace
 metadata:
   name: #@ ns
   labels:
-    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce: restricted
 
 #@overlay/match by=overlay.all, expects="1+"
 ---
diff --git a/prototypes/ocis/ytt/external-secret-precheck-job.ytt.yaml b/prototypes/ocis/ytt/external-secret-precheck-job.ytt.yaml
index 694dd6d..49a8f78 100644
--- a/prototypes/ocis/ytt/external-secret-precheck-job.ytt.yaml
+++ b/prototypes/ocis/ytt/external-secret-precheck-job.ytt.yaml
@@ -60,6 +60,12 @@ spec:
     spec:
       serviceAccountName: ocis-external-secret-precheck
       restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65532
+        runAsGroup: 65532
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: precheck
           image: alpine/k8s:1.32.3
@@ -80,3 +86,9 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+              - ALL
diff --git a/prototypes/ocis/ytt/ns.ytt.yaml b/prototypes/ocis/ytt/ns.ytt.yaml
index f66069b..1bc2a22 100644
--- a/prototypes/ocis/ytt/ns.ytt.yaml
+++ b/prototypes/ocis/ytt/ns.ytt.yaml
@@ -9,7 +9,7 @@ kind: Namespace
 metadata:
   name: #@ ns
   labels:
-    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce: restricted
 
 #@overlay/match by=overlay.all, expects="1+"
 ---
diff --git a/prototypes/ocis/ytt/pss-restricted.ytt.yaml b/prototypes/ocis/ytt/pss-restricted.ytt.yaml
new file mode 100644
index 0000000..ca21d34
--- /dev/null
+++ b/prototypes/ocis/ytt/pss-restricted.ytt.yaml
@@ -0,0 +1,62 @@
+#@ load("@ytt:overlay", "overlay")
+
+#@ helm_match = overlay.subset({"metadata": {"labels": {"app.kubernetes.io/managed-by": "Helm"}}})
+
+#@overlay/match by=overlay.and_op(overlay.subset({"kind": "Deployment"}), helm_match), expects="1+"
+---
+spec:
+  template:
+    spec:
+      securityContext:
+        #@overlay/match missing_ok=True
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      #@overlay/match by=overlay.all, expects="1+"
+      -
+        securityContext:
+          #@overlay/match missing_ok=True
+          allowPrivilegeEscalation: false
+          #@overlay/match missing_ok=True
+          capabilities:
+            drop:
+            - ALL
+
+#! idm is the only chart Deployment with initContainers
+#@overlay/match by=overlay.subset({"kind": "Deployment", "metadata": {"name": "idm"}})
+---
+spec:
+  template:
+    spec:
+      initContainers:
+      #@overlay/match by=overlay.all, expects="1+"
+      -
+        securityContext:
+          #@overlay/match missing_ok=True
+          allowPrivilegeEscalation: false
+          #@overlay/match missing_ok=True
+          capabilities:
+            drop:
+            - ALL
+
+#@overlay/match by=overlay.and_op(overlay.subset({"kind": "CronJob"}), helm_match), expects="1+"
+---
+spec:
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          securityContext:
+            #@overlay/match missing_ok=True
+            seccompProfile:
+              type: RuntimeDefault
+          containers:
+          #@overlay/match by=overlay.all, expects="1+"
+          -
+            securityContext:
+              #@overlay/match missing_ok=True
+              allowPrivilegeEscalation: false
+              #@overlay/match missing_ok=True
+              capabilities:
+                drop:
+                - ALL
diff --git a/prototypes/ocis/ytt/s3-backup-cronjob.ytt.yaml b/prototypes/ocis/ytt/s3-backup-cronjob.ytt.yaml
index 329d2e0..b6e79cc 100644
--- a/prototypes/ocis/ytt/s3-backup-cronjob.ytt.yaml
+++ b/prototypes/ocis/ytt/s3-backup-cronjob.ytt.yaml
@@ -27,74 +27,76 @@ spec:
         spec:
           restartPolicy: OnFailure
           serviceAccountName: ocis-s3-backup
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1009
+            runAsGroup: 1009
+            seccompProfile:
+              type: RuntimeDefault
           containers:
             - name: backup
-              image: alpine:3.20
+              image: rclone/rclone:1.69.0
+              args:
+                - sync
+                - "s3:ocis-tr1ceracop"
+                - "backup:"
+                - --transfers=4
+                - -v
               resources:
                 requests:
                   memory: 128Mi
                   cpu: 50m
-              command:
-                - sh
-                - -c
-                - |
-                  set -e
-                  apk add --no-cache rclone >/dev/null 2>&1
-
-                  mkdir -p /tmp/rclone
-                  cat > /tmp/rclone/rclone.conf <<CONF
-                  [s3]
-                  type = s3
-                  provider = Other
-                  access_key_id = ${S3_ACCESS_KEY}
-                  secret_access_key = ${S3_SECRET_KEY}
-                  endpoint = https://nbg1.your-objectstorage.com
-                  acl = private
-
-                  [storagebox]
-                  type = sftp
-                  host = ${STORAGEBOX_HOST}
-                  port = 23
-                  user = ${STORAGEBOX_USER}
-                  key_file = /etc/storagebox/ssh-key
-                  shell_type = none
-                  md5sum_command = none
-                  sha1sum_command = none
-
-                  [backup]
-                  type = compress
-                  remote = storagebox:ocis-backup
-                  CONF
-
-                  echo "Syncing S3 bucket to Storage Box (compressed)..."
-                  rclone sync s3:ocis-tr1ceracop backup: \
-                    --config /tmp/rclone/rclone.conf \
-                    --transfers 4 \
-                    -v
-
-                  rm -rf /tmp/rclone
-                  echo "Backup complete."
               env:
-                - name: S3_ACCESS_KEY
+                - name: RCLONE_CONFIG_S3_TYPE
+                  value: s3
+                - name: RCLONE_CONFIG_S3_PROVIDER
+                  value: Other
+                - name: RCLONE_CONFIG_S3_ENDPOINT
+                  value: https://nbg1.your-objectstorage.com
+                - name: RCLONE_CONFIG_S3_ACL
+                  value: private
+                - name: RCLONE_CONFIG_S3_ACCESS_KEY_ID
                   valueFrom:
                     secretKeyRef:
                       name: ocis-s3-credentials
                       key: accessKey
-                - name: S3_SECRET_KEY
+                - name: RCLONE_CONFIG_S3_SECRET_ACCESS_KEY
                   valueFrom:
                     secretKeyRef:
                       name: ocis-s3-credentials
                       key: secretKey
-                - name: STORAGEBOX_HOST
+                - name: RCLONE_CONFIG_STORAGEBOX_TYPE
+                  value: sftp
+                - name: RCLONE_CONFIG_STORAGEBOX_PORT
+                  value: "23"
+                - name: RCLONE_CONFIG_STORAGEBOX_KEY_FILE
+                  value: /etc/storagebox/ssh-key
+                - name: RCLONE_CONFIG_STORAGEBOX_SHELL_TYPE
+                  value: none
+                - name: RCLONE_CONFIG_STORAGEBOX_MD5SUM_COMMAND
+                  value: none
+                - name: RCLONE_CONFIG_STORAGEBOX_SHA1SUM_COMMAND
+                  value: none
+                - name: RCLONE_CONFIG_STORAGEBOX_HOST
                   valueFrom:
                     secretKeyRef:
                       name: ocis-storagebox-credentials
                       key: host
-                - name: STORAGEBOX_USER
+                - name: RCLONE_CONFIG_STORAGEBOX_USER
                   valueFrom:
                     secretKeyRef:
                       name: ocis-storagebox-credentials
                       key: user
+                - name: RCLONE_CONFIG_BACKUP_TYPE
+                  value: compress
+                - name: RCLONE_CONFIG_BACKUP_REMOTE
+                  value: storagebox:ocis-backup
+              securityContext:
+                allowPrivilegeEscalation: false
+                readOnlyRootFilesystem: true
+                capabilities:
+                  drop:
+                    - ALL
               volumeMounts:
                 - name: storagebox-ssh
                   mountPath: /etc/storagebox
diff --git a/prototypes/victoria-metrics-single/ytt/ns.ytt.yaml b/prototypes/victoria-metrics-single/ytt/ns.ytt.yaml
index f66069b..1bc2a22 100644
--- a/prototypes/victoria-metrics-single/ytt/ns.ytt.yaml
+++ b/prototypes/victoria-metrics-single/ytt/ns.ytt.yaml
@@ -9,7 +9,7 @@ kind: Namespace
 metadata:
   name: #@ ns
   labels:
-    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce: restricted
 
 #@overlay/match by=overlay.all, expects="1+"
 ---
diff --git a/prototypes/victoria-metrics-single/ytt/pss-restricted.ytt.yaml b/prototypes/victoria-metrics-single/ytt/pss-restricted.ytt.yaml
new file mode 100644
index 0000000..bd625c9
--- /dev/null
+++ b/prototypes/victoria-metrics-single/ytt/pss-restricted.ytt.yaml
@@ -0,0 +1,25 @@
+#@ load("@ytt:overlay", "overlay")
+
+#@overlay/match by=overlay.subset({"kind": "StatefulSet", "metadata": {"name": "victoria-metrics-single-server"}})
+---
+spec:
+  template:
+    spec:
+      #@overlay/replace
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      #@overlay/match by=overlay.subset({"name": "vmsingle"})
+      -
+        #@overlay/replace
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+              - ALL
diff --git a/rendered/envs/production/argocd/namespace-argocd.yaml b/rendered/envs/production/argocd/namespace-argocd.yaml
index a44ad41..235d858 100644
--- a/rendered/envs/production/argocd/namespace-argocd.yaml
+++ b/rendered/envs/production/argocd/namespace-argocd.yaml
@@ -4,6 +4,6 @@ metadata:
   annotations:
     a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
   labels:
-    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce: restricted
   name: argocd
   namespace: argocd
diff --git a/rendered/envs/production/cert-manager/namespace-cert-manager.yaml b/rendered/envs/production/cert-manager/namespace-cert-manager.yaml
index 27c9353..87abf4a 100644
--- a/rendered/envs/production/cert-manager/namespace-cert-manager.yaml
+++ b/rendered/envs/production/cert-manager/namespace-cert-manager.yaml
@@ -4,6 +4,6 @@ metadata:
   annotations:
     a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
   labels:
-    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce: restricted
   name: cert-manager
   namespace: cert-manager
diff --git a/rendered/envs/production/cloudnative-pg/namespace-cnpg-system.yaml b/rendered/envs/production/cloudnative-pg/namespace-cnpg-system.yaml
index ab8bd8e..d895d92 100644
--- a/rendered/envs/production/cloudnative-pg/namespace-cnpg-system.yaml
+++ b/rendered/envs/production/cloudnative-pg/namespace-cnpg-system.yaml
@@ -4,6 +4,6 @@ metadata:
   annotations:
     a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
   labels:
-    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce: restricted
   name: cnpg-system
   namespace: cnpg-system
diff --git a/rendered/envs/production/ocis/cronjob-ocis-s3-backup.yaml b/rendered/envs/production/ocis/cronjob-ocis-s3-backup.yaml
index 21543fb..16c6c8a 100644
--- a/rendered/envs/production/ocis/cronjob-ocis-s3-backup.yaml
+++ b/rendered/envs/production/ocis/cronjob-ocis-s3-backup.yaml
@@ -13,78 +13,80 @@ spec:
       template:
         spec:
           containers:
-            - command:
-                - sh
-                - -c
-                - |
-                  set -e
-                  apk add --no-cache rclone >/dev/null 2>&1
-
-                  mkdir -p /tmp/rclone
-                  cat > /tmp/rclone/rclone.conf <<CONF
-                  [s3]
-                  type = s3
-                  provider = Other
-                  access_key_id = ${S3_ACCESS_KEY}
-                  secret_access_key = ${S3_SECRET_KEY}
-                  endpoint = https://nbg1.your-objectstorage.com
-                  acl = private
-
-                  [storagebox]
-                  type = sftp
-                  host = ${STORAGEBOX_HOST}
-                  port = 23
-                  user = ${STORAGEBOX_USER}
-                  key_file = /etc/storagebox/ssh-key
-                  shell_type = none
-                  md5sum_command = none
-                  sha1sum_command = none
-
-                  [backup]
-                  type = compress
-                  remote = storagebox:ocis-backup
-                  CONF
-
-                  echo "Syncing S3 bucket to Storage Box (compressed)..."
-                  rclone sync s3:ocis-tr1ceracop backup: \
-                    --config /tmp/rclone/rclone.conf \
-                    --transfers 4 \
-                    -v
-
-                  rm -rf /tmp/rclone
-                  echo "Backup complete."
+            - args:
+                - sync
+                - s3:ocis-tr1ceracop
+                - 'backup:'
+                - --transfers=4
+                - -v
               env:
-                - name: S3_ACCESS_KEY
+                - name: RCLONE_CONFIG_S3_TYPE
+                  value: s3
+                - name: RCLONE_CONFIG_S3_PROVIDER
+                  value: Other
+                - name: RCLONE_CONFIG_S3_ENDPOINT
+                  value: https://nbg1.your-objectstorage.com
+                - name: RCLONE_CONFIG_S3_ACL
+                  value: private
+                - name: RCLONE_CONFIG_S3_ACCESS_KEY_ID
                   valueFrom:
                     secretKeyRef:
                       key: accessKey
                       name: ocis-s3-credentials
-                - name: S3_SECRET_KEY
+                - name: RCLONE_CONFIG_S3_SECRET_ACCESS_KEY
                   valueFrom:
                     secretKeyRef:
                       key: secretKey
                       name: ocis-s3-credentials
-                - name: STORAGEBOX_HOST
+                - name: RCLONE_CONFIG_STORAGEBOX_TYPE
+                  value: sftp
+                - name: RCLONE_CONFIG_STORAGEBOX_PORT
+                  value: "23"
+                - name: RCLONE_CONFIG_STORAGEBOX_KEY_FILE
+                  value: /etc/storagebox/ssh-key
+                - name: RCLONE_CONFIG_STORAGEBOX_SHELL_TYPE
+                  value: none
+                - name: RCLONE_CONFIG_STORAGEBOX_MD5SUM_COMMAND
+                  value: none
+                - name: RCLONE_CONFIG_STORAGEBOX_SHA1SUM_COMMAND
+                  value: none
+                - name: RCLONE_CONFIG_STORAGEBOX_HOST
                   valueFrom:
                     secretKeyRef:
                       key: host
                       name: ocis-storagebox-credentials
-                - name: STORAGEBOX_USER
+                - name: RCLONE_CONFIG_STORAGEBOX_USER
                   valueFrom:
                     secretKeyRef:
                       key: user
                       name: ocis-storagebox-credentials
-              image: alpine:3.20
+                - name: RCLONE_CONFIG_BACKUP_TYPE
+                  value: compress
+                - name: RCLONE_CONFIG_BACKUP_REMOTE
+                  value: storagebox:ocis-backup
+              image: rclone/rclone:1.69.0
               name: backup
               resources:
                 requests:
                   cpu: 50m
                   memory: 128Mi
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
+                readOnlyRootFilesystem: true
               volumeMounts:
                 - mountPath: /etc/storagebox
                   name: storagebox-ssh
                   readOnly: true
           restartPolicy: OnFailure
+          securityContext:
+            runAsGroup: 1009
+            runAsNonRoot: true
+            runAsUser: 1009
+            seccompProfile:
+              type: RuntimeDefault
           serviceAccountName: ocis-s3-backup
           volumes:
             - name: storagebox-ssh
diff --git a/rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml b/rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml
index 5808db6..b5d3990 100644
--- a/rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml
+++ b/rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml
@@ -96,6 +96,10 @@ spec:
               name: storage-users-clean-expired-uploads
               resources: {}
               securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
                 readOnlyRootFilesystem: true
                 runAsGroup: 1000
                 runAsNonRoot: true
@@ -110,6 +114,8 @@ spec:
           securityContext:
             fsGroup: 1000
             fsGroupChangePolicy: OnRootMismatch
+            seccompProfile:
+              type: RuntimeDefault
           volumes:
             - emptyDir: {}
               name: tmp-volume
diff --git a/rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml b/rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml
index 0485c10..14ef1a0 100644
--- a/rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml
+++ b/rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml
@@ -77,6 +77,10 @@ spec:
               name: storage-users-purge-expired-trash-bin-items
               resources: {}
               securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
                 readOnlyRootFilesystem: true
                 runAsGroup: 1000
                 runAsNonRoot: true
@@ -91,6 +95,8 @@ spec:
           securityContext:
             fsGroup: 1000
             fsGroupChangePolicy: OnRootMismatch
+            seccompProfile:
+              type: RuntimeDefault
           volumes:
             - emptyDir: {}
               name: tmp-volume
diff --git a/rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml b/rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml
index 6907bc9..ebf66cf 100644
--- a/rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml
+++ b/rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml
@@ -79,6 +79,10 @@ spec:
               name: storage-users-restart-postprocessing
               resources: {}
               securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
                 readOnlyRootFilesystem: true
                 runAsGroup: 1000
                 runAsNonRoot: true
@@ -93,6 +97,8 @@ spec:
           securityContext:
             fsGroup: 1000
             fsGroupChangePolicy: OnRootMismatch
+            seccompProfile:
+              type: RuntimeDefault
           volumes:
             - emptyDir: {}
               name: tmp-volume
diff --git a/rendered/envs/production/ocis/cronjob-thumbnails-cleanup.yaml b/rendered/envs/production/ocis/cronjob-thumbnails-cleanup.yaml
index 8e78875..6c771a6 100644
--- a/rendered/envs/production/ocis/cronjob-thumbnails-cleanup.yaml
+++ b/rendered/envs/production/ocis/cronjob-thumbnails-cleanup.yaml
@@ -37,6 +37,10 @@ spec:
               name: thumbnails-cleanup
               resources: {}
               securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
                 readOnlyRootFilesystem: true
                 runAsGroup: 1000
                 runAsNonRoot: true
@@ -51,6 +55,8 @@ spec:
           securityContext:
             fsGroup: 1000
             fsGroupChangePolicy: OnRootMismatch
+            seccompProfile:
+              type: RuntimeDefault
           volumes:
             - name: thumbnails-data
               persistentVolumeClaim:
diff --git a/rendered/envs/production/ocis/deployment-activitylog.yaml b/rendered/envs/production/ocis/deployment-activitylog.yaml
index 18b6bb5..4cab297 100644
--- a/rendered/envs/production/ocis/deployment-activitylog.yaml
+++ b/rendered/envs/production/ocis/deployment-activitylog.yaml
@@ -106,6 +106,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -118,6 +122,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: messaging-system-ca
diff --git a/rendered/envs/production/ocis/deployment-appregistry.yaml b/rendered/envs/production/ocis/deployment-appregistry.yaml
index 0934d0c..57fcbdf 100644
--- a/rendered/envs/production/ocis/deployment-appregistry.yaml
+++ b/rendered/envs/production/ocis/deployment-appregistry.yaml
@@ -90,6 +90,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -103,6 +107,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: tmp-volume
diff --git a/rendered/envs/production/ocis/deployment-audit.yaml b/rendered/envs/production/ocis/deployment-audit.yaml
index d061c78..ab9a95c 100644
--- a/rendered/envs/production/ocis/deployment-audit.yaml
+++ b/rendered/envs/production/ocis/deployment-audit.yaml
@@ -75,6 +75,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -87,6 +91,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: messaging-system-ca
diff --git a/rendered/envs/production/ocis/deployment-authmachine.yaml b/rendered/envs/production/ocis/deployment-authmachine.yaml
index c3aa607..7bf366c 100644
--- a/rendered/envs/production/ocis/deployment-authmachine.yaml
+++ b/rendered/envs/production/ocis/deployment-authmachine.yaml
@@ -93,6 +93,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -104,6 +108,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: tmp-volume
diff --git a/rendered/envs/production/ocis/deployment-authservice.yaml b/rendered/envs/production/ocis/deployment-authservice.yaml
index c7daff0..eaec54d 100644
--- a/rendered/envs/production/ocis/deployment-authservice.yaml
+++ b/rendered/envs/production/ocis/deployment-authservice.yaml
@@ -98,6 +98,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -109,6 +113,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: tmp-volume
diff --git a/rendered/envs/production/ocis/deployment-clientlog.yaml b/rendered/envs/production/ocis/deployment-clientlog.yaml
index 625d9d7..0f7f1a1 100644
--- a/rendered/envs/production/ocis/deployment-clientlog.yaml
+++ b/rendered/envs/production/ocis/deployment-clientlog.yaml
@@ -96,6 +96,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -108,6 +112,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: messaging-system-ca
diff --git a/rendered/envs/production/ocis/deployment-eventhistory.yaml b/rendered/envs/production/ocis/deployment-eventhistory.yaml
index 90b6e0f..bf9ac9f 100644
--- a/rendered/envs/production/ocis/deployment-eventhistory.yaml
+++ b/rendered/envs/production/ocis/deployment-eventhistory.yaml
@@ -81,6 +81,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -93,6 +97,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: messaging-system-ca
diff --git a/rendered/envs/production/ocis/deployment-frontend.yaml b/rendered/envs/production/ocis/deployment-frontend.yaml
index 0cdbd6b..387361e 100644
--- a/rendered/envs/production/ocis/deployment-frontend.yaml
+++ b/rendered/envs/production/ocis/deployment-frontend.yaml
@@ -158,6 +158,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -171,6 +175,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: tmp-volume
diff --git a/rendered/envs/production/ocis/deployment-gateway.yaml b/rendered/envs/production/ocis/deployment-gateway.yaml
index 5b695b6..7369da6 100644
--- a/rendered/envs/production/ocis/deployment-gateway.yaml
+++ b/rendered/envs/production/ocis/deployment-gateway.yaml
@@ -106,6 +106,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -117,6 +121,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: tmp-volume
diff --git a/rendered/envs/production/ocis/deployment-graph.yaml b/rendered/envs/production/ocis/deployment-graph.yaml
index af31fc9..d0af1e1 100644
--- a/rendered/envs/production/ocis/deployment-graph.yaml
+++ b/rendered/envs/production/ocis/deployment-graph.yaml
@@ -132,6 +132,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -147,6 +151,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: messaging-system-ca
diff --git a/rendered/envs/production/ocis/deployment-groups.yaml b/rendered/envs/production/ocis/deployment-groups.yaml
index 84a55fd..623fa2b 100644
--- a/rendered/envs/production/ocis/deployment-groups.yaml
+++ b/rendered/envs/production/ocis/deployment-groups.yaml
@@ -99,6 +99,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -113,6 +117,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: tmp-volume
diff --git a/rendered/envs/production/ocis/deployment-idm.yaml b/rendered/envs/production/ocis/deployment-idm.yaml
index 73a1935..93a7ad2 100644
--- a/rendered/envs/production/ocis/deployment-idm.yaml
+++ b/rendered/envs/production/ocis/deployment-idm.yaml
@@ -113,6 +113,10 @@ spec:
               cpu: 10m
               memory: 256Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -136,6 +140,10 @@ spec:
               cpu: 10m
               memory: 256Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -147,6 +155,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - name: ldap-cert
           secret:
diff --git a/rendered/envs/production/ocis/deployment-idp.yaml b/rendered/envs/production/ocis/deployment-idp.yaml
index 351f32b..82c62a1 100644
--- a/rendered/envs/production/ocis/deployment-idp.yaml
+++ b/rendered/envs/production/ocis/deployment-idp.yaml
@@ -96,6 +96,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -113,6 +117,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: ocis-data-tmp
diff --git a/rendered/envs/production/ocis/deployment-nats.yaml b/rendered/envs/production/ocis/deployment-nats.yaml
index 43d28b0..1f978ae 100644
--- a/rendered/envs/production/ocis/deployment-nats.yaml
+++ b/rendered/envs/production/ocis/deployment-nats.yaml
@@ -70,6 +70,10 @@ spec:
               cpu: 10m
               memory: 192Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -81,6 +85,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - name: nats-data
           persistentVolumeClaim:
diff --git a/rendered/envs/production/ocis/deployment-ocdav.yaml b/rendered/envs/production/ocis/deployment-ocdav.yaml
index c46c633..42d223f 100644
--- a/rendered/envs/production/ocis/deployment-ocdav.yaml
+++ b/rendered/envs/production/ocis/deployment-ocdav.yaml
@@ -101,6 +101,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -110,4 +114,6 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes: null
diff --git a/rendered/envs/production/ocis/deployment-ocs.yaml b/rendered/envs/production/ocis/deployment-ocs.yaml
index c38f790..c1b6c12 100644
--- a/rendered/envs/production/ocis/deployment-ocs.yaml
+++ b/rendered/envs/production/ocis/deployment-ocs.yaml
@@ -98,6 +98,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -107,4 +111,6 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes: null
diff --git a/rendered/envs/production/ocis/deployment-postprocessing.yaml b/rendered/envs/production/ocis/deployment-postprocessing.yaml
index 630905c..9e4ba0a 100644
--- a/rendered/envs/production/ocis/deployment-postprocessing.yaml
+++ b/rendered/envs/production/ocis/deployment-postprocessing.yaml
@@ -79,6 +79,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -91,6 +95,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: messaging-system-ca
diff --git a/rendered/envs/production/ocis/deployment-proxy.yaml b/rendered/envs/production/ocis/deployment-proxy.yaml
index efbae0c..d4355de 100644
--- a/rendered/envs/production/ocis/deployment-proxy.yaml
+++ b/rendered/envs/production/ocis/deployment-proxy.yaml
@@ -123,6 +123,10 @@ spec:
               cpu: 10m
               memory: 96Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -134,6 +138,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - configMap:
             name: proxy-config
diff --git a/rendered/envs/production/ocis/deployment-search.yaml b/rendered/envs/production/ocis/deployment-search.yaml
index e8022da..9fe20ae 100644
--- a/rendered/envs/production/ocis/deployment-search.yaml
+++ b/rendered/envs/production/ocis/deployment-search.yaml
@@ -103,6 +103,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -117,6 +121,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: messaging-system-ca
diff --git a/rendered/envs/production/ocis/deployment-settings.yaml b/rendered/envs/production/ocis/deployment-settings.yaml
index 6b9df5e..8dcc44e 100644
--- a/rendered/envs/production/ocis/deployment-settings.yaml
+++ b/rendered/envs/production/ocis/deployment-settings.yaml
@@ -124,6 +124,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -133,4 +137,6 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes: null
diff --git a/rendered/envs/production/ocis/deployment-sharing.yaml b/rendered/envs/production/ocis/deployment-sharing.yaml
index 246682d..a390377 100644
--- a/rendered/envs/production/ocis/deployment-sharing.yaml
+++ b/rendered/envs/production/ocis/deployment-sharing.yaml
@@ -132,6 +132,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -148,6 +152,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: tmp-volume
diff --git a/rendered/envs/production/ocis/deployment-sse.yaml b/rendered/envs/production/ocis/deployment-sse.yaml
index 77aae6a..8de4432 100644
--- a/rendered/envs/production/ocis/deployment-sse.yaml
+++ b/rendered/envs/production/ocis/deployment-sse.yaml
@@ -94,6 +94,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -106,6 +110,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: messaging-system-ca
diff --git a/rendered/envs/production/ocis/deployment-storagepubliclink.yaml b/rendered/envs/production/ocis/deployment-storagepubliclink.yaml
index 148e1cc..e2499b3 100644
--- a/rendered/envs/production/ocis/deployment-storagepubliclink.yaml
+++ b/rendered/envs/production/ocis/deployment-storagepubliclink.yaml
@@ -92,6 +92,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -103,6 +107,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: tmp-volume
diff --git a/rendered/envs/production/ocis/deployment-storageshares.yaml b/rendered/envs/production/ocis/deployment-storageshares.yaml
index a399d0b..851ca9e 100644
--- a/rendered/envs/production/ocis/deployment-storageshares.yaml
+++ b/rendered/envs/production/ocis/deployment-storageshares.yaml
@@ -88,6 +88,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -99,6 +103,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: tmp-volume
diff --git a/rendered/envs/production/ocis/deployment-storagesystem.yaml b/rendered/envs/production/ocis/deployment-storagesystem.yaml
index 77a5ec5..4b1bb2d 100644
--- a/rendered/envs/production/ocis/deployment-storagesystem.yaml
+++ b/rendered/envs/production/ocis/deployment-storagesystem.yaml
@@ -112,6 +112,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -125,6 +129,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: tmp-volume
diff --git a/rendered/envs/production/ocis/deployment-storageusers.yaml b/rendered/envs/production/ocis/deployment-storageusers.yaml
index d6220aa..c81d93a 100644
--- a/rendered/envs/production/ocis/deployment-storageusers.yaml
+++ b/rendered/envs/production/ocis/deployment-storageusers.yaml
@@ -186,6 +186,10 @@ spec:
               cpu: 10m
               memory: 512Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -202,6 +206,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: tmp-volume
diff --git a/rendered/envs/production/ocis/deployment-thumbnails.yaml b/rendered/envs/production/ocis/deployment-thumbnails.yaml
index 986986b..cb6c57e 100644
--- a/rendered/envs/production/ocis/deployment-thumbnails.yaml
+++ b/rendered/envs/production/ocis/deployment-thumbnails.yaml
@@ -108,6 +108,10 @@ spec:
               cpu: 10m
               memory: 96Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -119,6 +123,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - name: thumbnails-data
           persistentVolumeClaim:
diff --git a/rendered/envs/production/ocis/deployment-userlog.yaml b/rendered/envs/production/ocis/deployment-userlog.yaml
index c91c7d1..ac34e2d 100644
--- a/rendered/envs/production/ocis/deployment-userlog.yaml
+++ b/rendered/envs/production/ocis/deployment-userlog.yaml
@@ -102,6 +102,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -114,6 +118,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: messaging-system-ca
diff --git a/rendered/envs/production/ocis/deployment-users.yaml b/rendered/envs/production/ocis/deployment-users.yaml
index 822ea4b..6a43d96 100644
--- a/rendered/envs/production/ocis/deployment-users.yaml
+++ b/rendered/envs/production/ocis/deployment-users.yaml
@@ -99,6 +99,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -113,6 +117,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - emptyDir: {}
           name: tmp-volume
diff --git a/rendered/envs/production/ocis/deployment-web.yaml b/rendered/envs/production/ocis/deployment-web.yaml
index fb1bdb0..1fec297 100644
--- a/rendered/envs/production/ocis/deployment-web.yaml
+++ b/rendered/envs/production/ocis/deployment-web.yaml
@@ -110,6 +110,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -125,6 +129,8 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
         - configMap:
             name: web-config
diff --git a/rendered/envs/production/ocis/deployment-webdav.yaml b/rendered/envs/production/ocis/deployment-webdav.yaml
index 4507889..691b84d 100644
--- a/rendered/envs/production/ocis/deployment-webdav.yaml
+++ b/rendered/envs/production/ocis/deployment-webdav.yaml
@@ -87,6 +87,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -96,4 +100,6 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes: null
diff --git a/rendered/envs/production/ocis/deployment-webfinger.yaml b/rendered/envs/production/ocis/deployment-webfinger.yaml
index 8464312..3a1a0bb 100644
--- a/rendered/envs/production/ocis/deployment-webfinger.yaml
+++ b/rendered/envs/production/ocis/deployment-webfinger.yaml
@@ -91,6 +91,10 @@ spec:
               cpu: 10m
               memory: 64Mi
           securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
@@ -100,4 +104,6 @@ spec:
       securityContext:
         fsGroup: 1000
         fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
       volumes: null
diff --git a/rendered/envs/production/ocis/job-ocis-external-secret-precheck.yaml b/rendered/envs/production/ocis/job-ocis-external-secret-precheck.yaml
index fbd6718..97e6abd 100644
--- a/rendered/envs/production/ocis/job-ocis-external-secret-precheck.yaml
+++ b/rendered/envs/production/ocis/job-ocis-external-secret-precheck.yaml
@@ -31,6 +31,18 @@ spec:
                   fieldPath: metadata.namespace
           image: alpine/k8s:1.32.3
           name: precheck
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
       restartPolicy: OnFailure
+      securityContext:
+        runAsGroup: 65532
+        runAsNonRoot: true
+        runAsUser: 65532
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: ocis-external-secret-precheck
   ttlSecondsAfterFinished: 300
diff --git a/rendered/envs/production/ocis/namespace-ocis.yaml b/rendered/envs/production/ocis/namespace-ocis.yaml
index 50dc8b5..d139e5b 100644
--- a/rendered/envs/production/ocis/namespace-ocis.yaml
+++ b/rendered/envs/production/ocis/namespace-ocis.yaml
@@ -4,6 +4,6 @@ metadata:
   annotations:
     a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
   labels:
-    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce: restricted
   name: ocis
   namespace: ocis
diff --git a/rendered/envs/production/victoria-metrics-single/namespace-monitoring.yaml b/rendered/envs/production/victoria-metrics-single/namespace-monitoring.yaml
index 3e574c6..6f463ce 100644
--- a/rendered/envs/production/victoria-metrics-single/namespace-monitoring.yaml
+++ b/rendered/envs/production/victoria-metrics-single/namespace-monitoring.yaml
@@ -4,6 +4,6 @@ metadata:
   annotations:
     a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
   labels:
-    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce: restricted
   name: monitoring
   namespace: monitoring
diff --git a/rendered/envs/production/victoria-metrics-single/statefulset-victoria-metrics-single-server.yaml b/rendered/envs/production/victoria-metrics-single/statefulset-victoria-metrics-single-server.yaml
index 9e1a4fe..673001d 100644
--- a/rendered/envs/production/victoria-metrics-single/statefulset-victoria-metrics-single-server.yaml
+++ b/rendered/envs/production/victoria-metrics-single/statefulset-victoria-metrics-single-server.yaml
@@ -69,13 +69,24 @@ spec:
             requests:
               cpu: 100m
               memory: 256Mi
-          securityContext: {}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
           volumeMounts:
             - mountPath: /storage
               name: server-volume
             - mountPath: /scrapeconfig
               name: scrapeconfig
-      securityContext: {}
+      securityContext:
+        fsGroup: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: victoria-metrics-single-server
       terminationGracePeriodSeconds: 60
       volumes: