gitea_admin/k8s-and-chill
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

feat(pss): drop 5 namespaces from PSS privileged to restricted

Browse source 
argocd, cert-manager, cloudnative-pg already compliant — label flip only.
ocis: add overlay injecting seccompProfile=RuntimeDefault, drop ALL caps,
allowPrivilegeEscalation=false across all chart Deployments/CronJobs;
patch idm initContainer; harden custom precheck Job; refactor s3-backup
to rclone/rclone image (avoids apk-add-as-root).
victoria-metrics-single: overlay sets full restricted SC on the StatefulSet
that ships with empty securityContext: {}.

forgejo, traefik, kube-system stay privileged (hostPort / CSI driver).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Felix Wolf 2026-05-03 00:52:45 +02:00
parent bf0cf0a11d
commit 33c52be1c5
53 changed files with 448 additions and 102 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
prototypes/argocd/ytt/ns.ytt.yaml
View file

@ -9,7 +9,7 @@ kind: Namespace
metadata:
name: #@ ns
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce: restricted
#@overlay/match by=overlay.all, expects="1+"
---

2
prototypes/cert-manager/ytt/ns.ytt.yaml
View file

@ -9,7 +9,7 @@ kind: Namespace
metadata:
name: #@ ns
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce: restricted
#@overlay/match by=overlay.all, expects="1+"
---

2
prototypes/cloudnative-pg/ytt/ns.ytt.yaml
View file

@ -9,7 +9,7 @@ kind: Namespace
metadata:
name: #@ ns
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce: restricted
#@overlay/match by=overlay.all, expects="1+"
---

12
prototypes/ocis/ytt/external-secret-precheck-job.ytt.yaml
View file

@ -60,6 +60,12 @@ spec:
spec:
serviceAccountName: ocis-external-secret-precheck
restartPolicy: OnFailure
securityContext:
runAsNonRoot: true
runAsUser: 65532
runAsGroup: 65532
seccompProfile:
type: RuntimeDefault
containers:
- name: precheck
image: alpine/k8s:1.32.3
@ -80,3 +86,9 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL

2
prototypes/ocis/ytt/ns.ytt.yaml
View file

@ -9,7 +9,7 @@ kind: Namespace
metadata:
name: #@ ns
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce: restricted
#@overlay/match by=overlay.all, expects="1+"
---

62
prototypes/ocis/ytt/pss-restricted.ytt.yaml Normal file
View file

@ -0,0 +1,62 @@
#@ load("@ytt:overlay", "overlay")
#@ helm_match = overlay.subset({"metadata": {"labels": {"app.kubernetes.io/managed-by": "Helm"}}})
#@overlay/match by=overlay.and_op(overlay.subset({"kind": "Deployment"}), helm_match), expects="1+"
---
spec:
template:
spec:
securityContext:
#@overlay/match missing_ok=True
seccompProfile:
type: RuntimeDefault
containers:
#@overlay/match by=overlay.all, expects="1+"
-
securityContext:
#@overlay/match missing_ok=True
allowPrivilegeEscalation: false
#@overlay/match missing_ok=True
capabilities:
drop:
- ALL
#! idm is the only chart Deployment with initContainers
#@overlay/match by=overlay.subset({"kind": "Deployment", "metadata": {"name": "idm"}})
---
spec:
template:
spec:
initContainers:
#@overlay/match by=overlay.all, expects="1+"
-
securityContext:
#@overlay/match missing_ok=True
allowPrivilegeEscalation: false
#@overlay/match missing_ok=True
capabilities:
drop:
- ALL
#@overlay/match by=overlay.and_op(overlay.subset({"kind": "CronJob"}), helm_match), expects="1+"
---
spec:
jobTemplate:
spec:
template:
spec:
securityContext:
#@overlay/match missing_ok=True
seccompProfile:
type: RuntimeDefault
containers:
#@overlay/match by=overlay.all, expects="1+"
-
securityContext:
#@overlay/match missing_ok=True
allowPrivilegeEscalation: false
#@overlay/match missing_ok=True
capabilities:
drop:
- ALL

92
prototypes/ocis/ytt/s3-backup-cronjob.ytt.yaml
View file

@ -27,74 +27,76 @@ spec:
spec:
restartPolicy: OnFailure
serviceAccountName: ocis-s3-backup
securityContext:
runAsNonRoot: true
runAsUser: 1009
runAsGroup: 1009
seccompProfile:
type: RuntimeDefault
containers:
- name: backup
image: alpine:3.20
image: rclone/rclone:1.69.0
args:
- sync
- "s3:ocis-tr1ceracop"
- "backup:"
- --transfers=4
- -v
resources:
requests:
memory: 128Mi
cpu: 50m
command:
- sh
- -c
- |
set -e
apk add --no-cache rclone >/dev/null 2>&1
mkdir -p /tmp/rclone
cat > /tmp/rclone/rclone.conf <<CONF
[s3]
type = s3
provider = Other
access_key_id = ${S3_ACCESS_KEY}
secret_access_key = ${S3_SECRET_KEY}
endpoint = https://nbg1.your-objectstorage.com
acl = private
[storagebox]
type = sftp
host = ${STORAGEBOX_HOST}
port = 23
user = ${STORAGEBOX_USER}
key_file = /etc/storagebox/ssh-key
shell_type = none
md5sum_command = none
sha1sum_command = none
[backup]
type = compress
remote = storagebox:ocis-backup
CONF
echo "Syncing S3 bucket to Storage Box (compressed)..."
rclone sync s3:ocis-tr1ceracop backup: \
--config /tmp/rclone/rclone.conf \
--transfers 4 \
-v
rm -rf /tmp/rclone
echo "Backup complete."
env:
- name: S3_ACCESS_KEY
- name: RCLONE_CONFIG_S3_TYPE
value: s3
- name: RCLONE_CONFIG_S3_PROVIDER
value: Other
- name: RCLONE_CONFIG_S3_ENDPOINT
value: https://nbg1.your-objectstorage.com
- name: RCLONE_CONFIG_S3_ACL
value: private
- name: RCLONE_CONFIG_S3_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: ocis-s3-credentials
key: accessKey
- name: S3_SECRET_KEY
- name: RCLONE_CONFIG_S3_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: ocis-s3-credentials
key: secretKey
- name: STORAGEBOX_HOST
- name: RCLONE_CONFIG_STORAGEBOX_TYPE
value: sftp
- name: RCLONE_CONFIG_STORAGEBOX_PORT
value: "23"
- name: RCLONE_CONFIG_STORAGEBOX_KEY_FILE
value: /etc/storagebox/ssh-key
- name: RCLONE_CONFIG_STORAGEBOX_SHELL_TYPE
value: none
- name: RCLONE_CONFIG_STORAGEBOX_MD5SUM_COMMAND
value: none
- name: RCLONE_CONFIG_STORAGEBOX_SHA1SUM_COMMAND
value: none
- name: RCLONE_CONFIG_STORAGEBOX_HOST
valueFrom:
secretKeyRef:
name: ocis-storagebox-credentials
key: host
- name: STORAGEBOX_USER
- name: RCLONE_CONFIG_STORAGEBOX_USER
valueFrom:
secretKeyRef:
name: ocis-storagebox-credentials
key: user
- name: RCLONE_CONFIG_BACKUP_TYPE
value: compress
- name: RCLONE_CONFIG_BACKUP_REMOTE
value: storagebox:ocis-backup
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
volumeMounts:
- name: storagebox-ssh
mountPath: /etc/storagebox

2
prototypes/victoria-metrics-single/ytt/ns.ytt.yaml
View file

@ -9,7 +9,7 @@ kind: Namespace
metadata:
name: #@ ns
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce: restricted
#@overlay/match by=overlay.all, expects="1+"
---

25
prototypes/victoria-metrics-single/ytt/pss-restricted.ytt.yaml Normal file
View file

@ -0,0 +1,25 @@
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"kind": "StatefulSet", "metadata": {"name": "victoria-metrics-single-server"}})
---
spec:
template:
spec:
#@overlay/replace
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
#@overlay/match by=overlay.subset({"name": "vmsingle"})
-
#@overlay/replace
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL

2
rendered/envs/production/argocd/namespace-argocd.yaml
View file

@ -4,6 +4,6 @@ metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce: restricted
name: argocd
namespace: argocd

2
rendered/envs/production/cert-manager/namespace-cert-manager.yaml
View file

@ -4,6 +4,6 @@ metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce: restricted
name: cert-manager
namespace: cert-manager

2
rendered/envs/production/cloudnative-pg/namespace-cnpg-system.yaml
View file

@ -4,6 +4,6 @@ metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce: restricted
name: cnpg-system
namespace: cnpg-system

92
rendered/envs/production/ocis/cronjob-ocis-s3-backup.yaml
View file

@ -13,78 +13,80 @@ spec:
template:
spec:
containers:
- command:
- sh
- -c
- |
set -e
apk add --no-cache rclone >/dev/null 2>&1
mkdir -p /tmp/rclone
cat > /tmp/rclone/rclone.conf <<CONF
[s3]
type = s3
provider = Other
access_key_id = ${S3_ACCESS_KEY}
secret_access_key = ${S3_SECRET_KEY}
endpoint = https://nbg1.your-objectstorage.com
acl = private
[storagebox]
type = sftp
host = ${STORAGEBOX_HOST}
port = 23
user = ${STORAGEBOX_USER}
key_file = /etc/storagebox/ssh-key
shell_type = none
md5sum_command = none
sha1sum_command = none
[backup]
type = compress
remote = storagebox:ocis-backup
CONF
echo "Syncing S3 bucket to Storage Box (compressed)..."
rclone sync s3:ocis-tr1ceracop backup: \
--config /tmp/rclone/rclone.conf \
--transfers 4 \
-v
rm -rf /tmp/rclone
echo "Backup complete."
- args:
- sync
- s3:ocis-tr1ceracop
- 'backup:'
- --transfers=4
- -v
env:
- name: S3_ACCESS_KEY
- name: RCLONE_CONFIG_S3_TYPE
value: s3
- name: RCLONE_CONFIG_S3_PROVIDER
value: Other
- name: RCLONE_CONFIG_S3_ENDPOINT
value: https://nbg1.your-objectstorage.com
- name: RCLONE_CONFIG_S3_ACL
value: private
- name: RCLONE_CONFIG_S3_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
key: accessKey
name: ocis-s3-credentials
- name: S3_SECRET_KEY
- name: RCLONE_CONFIG_S3_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
key: secretKey
name: ocis-s3-credentials
- name: STORAGEBOX_HOST
- name: RCLONE_CONFIG_STORAGEBOX_TYPE
value: sftp
- name: RCLONE_CONFIG_STORAGEBOX_PORT
value: "23"
- name: RCLONE_CONFIG_STORAGEBOX_KEY_FILE
value: /etc/storagebox/ssh-key
- name: RCLONE_CONFIG_STORAGEBOX_SHELL_TYPE
value: none
- name: RCLONE_CONFIG_STORAGEBOX_MD5SUM_COMMAND
value: none
- name: RCLONE_CONFIG_STORAGEBOX_SHA1SUM_COMMAND
value: none
- name: RCLONE_CONFIG_STORAGEBOX_HOST
valueFrom:
secretKeyRef:
key: host
name: ocis-storagebox-credentials
- name: STORAGEBOX_USER
- name: RCLONE_CONFIG_STORAGEBOX_USER
valueFrom:
secretKeyRef:
key: user
name: ocis-storagebox-credentials
image: alpine:3.20
- name: RCLONE_CONFIG_BACKUP_TYPE
value: compress
- name: RCLONE_CONFIG_BACKUP_REMOTE
value: storagebox:ocis-backup
image: rclone/rclone:1.69.0
name: backup
resources:
requests:
cpu: 50m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /etc/storagebox
name: storagebox-ssh
readOnly: true
restartPolicy: OnFailure
securityContext:
runAsGroup: 1009
runAsNonRoot: true
runAsUser: 1009
seccompProfile:
type: RuntimeDefault
serviceAccountName: ocis-s3-backup
volumes:
- name: storagebox-ssh

6
rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml
View file

@ -96,6 +96,10 @@ spec:
name: storage-users-clean-expired-uploads
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -110,6 +114,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: tmp-volume

6
rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml
View file

@ -77,6 +77,10 @@ spec:
name: storage-users-purge-expired-trash-bin-items
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -91,6 +95,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: tmp-volume

6
rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml
View file

@ -79,6 +79,10 @@ spec:
name: storage-users-restart-postprocessing
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -93,6 +97,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: tmp-volume

6
rendered/envs/production/ocis/cronjob-thumbnails-cleanup.yaml
View file

@ -37,6 +37,10 @@ spec:
name: thumbnails-cleanup
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -51,6 +55,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- name: thumbnails-data
persistentVolumeClaim:

6
rendered/envs/production/ocis/deployment-activitylog.yaml
View file

@ -106,6 +106,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -118,6 +122,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: messaging-system-ca

6
rendered/envs/production/ocis/deployment-appregistry.yaml
View file

@ -90,6 +90,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -103,6 +107,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: tmp-volume

6
rendered/envs/production/ocis/deployment-audit.yaml
View file

@ -75,6 +75,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -87,6 +91,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: messaging-system-ca

6
rendered/envs/production/ocis/deployment-authmachine.yaml
View file

@ -93,6 +93,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -104,6 +108,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: tmp-volume

6
rendered/envs/production/ocis/deployment-authservice.yaml
View file

@ -98,6 +98,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -109,6 +113,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: tmp-volume

6
rendered/envs/production/ocis/deployment-clientlog.yaml
View file

@ -96,6 +96,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -108,6 +112,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: messaging-system-ca

6
rendered/envs/production/ocis/deployment-eventhistory.yaml
View file

@ -81,6 +81,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -93,6 +97,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: messaging-system-ca

6
rendered/envs/production/ocis/deployment-frontend.yaml
View file

@ -158,6 +158,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -171,6 +175,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: tmp-volume

6
rendered/envs/production/ocis/deployment-gateway.yaml
View file

@ -106,6 +106,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -117,6 +121,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: tmp-volume

6
rendered/envs/production/ocis/deployment-graph.yaml
View file

@ -132,6 +132,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -147,6 +151,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: messaging-system-ca

6
rendered/envs/production/ocis/deployment-groups.yaml
View file

@ -99,6 +99,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -113,6 +117,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: tmp-volume

10
rendered/envs/production/ocis/deployment-idm.yaml
View file

@ -113,6 +113,10 @@ spec:
cpu: 10m
memory: 256Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -136,6 +140,10 @@ spec:
cpu: 10m
memory: 256Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -147,6 +155,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- name: ldap-cert
secret:

6
rendered/envs/production/ocis/deployment-idp.yaml
View file

@ -96,6 +96,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -113,6 +117,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: ocis-data-tmp

6
rendered/envs/production/ocis/deployment-nats.yaml
View file

@ -70,6 +70,10 @@ spec:
cpu: 10m
memory: 192Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -81,6 +85,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- name: nats-data
persistentVolumeClaim:

6
rendered/envs/production/ocis/deployment-ocdav.yaml
View file

@ -101,6 +101,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -110,4 +114,6 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: null

6
rendered/envs/production/ocis/deployment-ocs.yaml
View file

@ -98,6 +98,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -107,4 +111,6 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: null

6
rendered/envs/production/ocis/deployment-postprocessing.yaml
View file

@ -79,6 +79,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -91,6 +95,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: messaging-system-ca

6
rendered/envs/production/ocis/deployment-proxy.yaml
View file

@ -123,6 +123,10 @@ spec:
cpu: 10m
memory: 96Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -134,6 +138,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- configMap:
name: proxy-config

6
rendered/envs/production/ocis/deployment-search.yaml
View file

@ -103,6 +103,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -117,6 +121,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: messaging-system-ca

6
rendered/envs/production/ocis/deployment-settings.yaml
View file

@ -124,6 +124,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -133,4 +137,6 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: null

6
rendered/envs/production/ocis/deployment-sharing.yaml
View file

@ -132,6 +132,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -148,6 +152,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: tmp-volume

6
rendered/envs/production/ocis/deployment-sse.yaml
View file

@ -94,6 +94,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -106,6 +110,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: messaging-system-ca

6
rendered/envs/production/ocis/deployment-storagepubliclink.yaml
View file

@ -92,6 +92,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -103,6 +107,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: tmp-volume

6
rendered/envs/production/ocis/deployment-storageshares.yaml
View file

@ -88,6 +88,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -99,6 +103,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: tmp-volume

6
rendered/envs/production/ocis/deployment-storagesystem.yaml
View file

@ -112,6 +112,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -125,6 +129,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: tmp-volume

6
rendered/envs/production/ocis/deployment-storageusers.yaml
View file

@ -186,6 +186,10 @@ spec:
cpu: 10m
memory: 512Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -202,6 +206,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: tmp-volume

6
rendered/envs/production/ocis/deployment-thumbnails.yaml
View file

@ -108,6 +108,10 @@ spec:
cpu: 10m
memory: 96Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -119,6 +123,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- name: thumbnails-data
persistentVolumeClaim:

6
rendered/envs/production/ocis/deployment-userlog.yaml
View file

@ -102,6 +102,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -114,6 +118,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: messaging-system-ca

6
rendered/envs/production/ocis/deployment-users.yaml
View file

@ -99,6 +99,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -113,6 +117,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: tmp-volume

6
rendered/envs/production/ocis/deployment-web.yaml
View file

@ -110,6 +110,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -125,6 +129,8 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes:
- configMap:
name: web-config

6
rendered/envs/production/ocis/deployment-webdav.yaml
View file

@ -87,6 +87,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -96,4 +100,6 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: null

6
rendered/envs/production/ocis/deployment-webfinger.yaml
View file

@ -91,6 +91,10 @@ spec:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
@ -100,4 +104,6 @@ spec:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: null

12
rendered/envs/production/ocis/job-ocis-external-secret-precheck.yaml
View file

@ -31,6 +31,18 @@ spec:
fieldPath: metadata.namespace
image: alpine/k8s:1.32.3
name: precheck
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
restartPolicy: OnFailure
securityContext:
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
serviceAccountName: ocis-external-secret-precheck
ttlSecondsAfterFinished: 300

2
rendered/envs/production/ocis/namespace-ocis.yaml
View file

@ -4,6 +4,6 @@ metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce: restricted
name: ocis
namespace: ocis

2
rendered/envs/production/victoria-metrics-single/namespace-monitoring.yaml
View file

@ -4,6 +4,6 @@ metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce: restricted
name: monitoring
namespace: monitoring

15
rendered/envs/production/victoria-metrics-single/statefulset-victoria-metrics-single-server.yaml
View file

@ -69,13 +69,24 @@ spec:
requests:
cpu: 100m
memory: 256Mi
securityContext: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /storage
name: server-volume
- mountPath: /scrapeconfig
name: scrapeconfig
securityContext: {}
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: victoria-metrics-single-server
terminationGracePeriodSeconds: 60
volumes: