gitea_admin/k8s-and-chill
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: gitea_admin:010c47b03bdb2c9363485e4d2f735e54f5e4a1c4
Branches Tags
gitea_admin:main
...
compare: gitea_admin:0389eb5d205d6ead36b2442ba5c59a18d2921a40
Branches Tags
gitea_admin:main

2 commits
010c47b03b ... 0389eb5d20

Author SHA1 Message Date
Felix Wolf 0389eb5d20 feat(monitoring): Add comprehensive oCIS monitoring 
Integrates oCIS services into the monitoring stack by:
- Adding a new scrape configuration to VictoriaMetrics to collect metrics from oCIS services in the 'ocis' namespace.
- Introducing a new "ocis Overview" Grafana dashboard. This dashboard includes panels for user experience (proxy), service health, storage activity (uploads/downloads), and resource utilization, all leveraging the VictoriaMetrics datasource.
 2026-05-03 01:25:15 +02:00
Felix Wolf 33c52be1c5 feat(pss): drop 5 namespaces from PSS privileged to restricted 
argocd, cert-manager, cloudnative-pg already compliant — label flip only.
ocis: add overlay injecting seccompProfile=RuntimeDefault, drop ALL caps,
allowPrivilegeEscalation=false across all chart Deployments/CronJobs;
patch idm initContainer; harden custom precheck Job; refactor s3-backup
to rclone/rclone image (avoids apk-add-as-root).
victoria-metrics-single: overlay sets full restricted SC on the StatefulSet
that ships with empty securityContext: {}.

forgejo, traefik, kube-system stay privileged (hostPort / CSI driver).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-03 01:24:59 +02:00
58 changed files with 638 additions and 104 deletions
Show stats Expand all files Collapse all files

2
prototypes/argocd/ytt/ns.ytt.yaml
View file

@ -9,7 +9,7 @@ kind: Namespace
metadata: metadata:
name: #@ ns name: #@ ns
labels: labels:
pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/enforce: restricted
#@overlay/match by=overlay.all, expects="1+" #@overlay/match by=overlay.all, expects="1+"
--- ---

2
prototypes/cert-manager/ytt/ns.ytt.yaml
View file

@ -9,7 +9,7 @@ kind: Namespace
metadata: metadata:
name: #@ ns name: #@ ns
labels: labels:
pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/enforce: restricted
#@overlay/match by=overlay.all, expects="1+" #@overlay/match by=overlay.all, expects="1+"
--- ---

2
prototypes/cloudnative-pg/ytt/ns.ytt.yaml
View file

@ -9,7 +9,7 @@ kind: Namespace
metadata: metadata:
name: #@ ns name: #@ ns
labels: labels:
pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/enforce: restricted
#@overlay/match by=overlay.all, expects="1+" #@overlay/match by=overlay.all, expects="1+"
--- ---

78
prototypes/grafana/helm/grafana.yaml
View file

@ -62,3 +62,81 @@ dashboards:
gnetId: 15757 gnetId: 15757
revision: 37 revision: 37
datasource: VictoriaMetrics datasource: VictoriaMetrics
ocis:
datasource: VictoriaMetrics
json: |-
{
"annotations": {"list": []},
"editable": true,
"graphTooltip": 1,
"links": [],
"panels": [
{"collapsed": false, "gridPos": {"h": 1, "w": 24, "x": 0, "y": 0}, "id": 100, "panels": [], "title": "User experience (proxy)", "type": "row"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}, "unit": "reqps"}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 0, "y": 1}, "id": 1, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum(rate(ocis_proxy_requests_total[5m]))", "refId": "A"}], "title": "Proxy req/s", "type": "stat"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}, {"color": "yellow", "value": 1}, {"color": "red", "value": 5}]}, "unit": "percent", "min": 0, "max": 100}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 6, "y": 1}, "id": 2, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "100 * sum(rate(ocis_proxy_errors_total[5m])) / clamp_min(sum(rate(ocis_proxy_requests_total[5m])), 0.001)", "refId": "A"}], "title": "Proxy error %", "type": "stat"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 10, "lineWidth": 1, "showPoints": "never"}, "unit": "s"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 12, "y": 1}, "id": 3, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull"]}, "tooltip": {"mode": "multi"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "histogram_quantile(0.50, sum by (method, le) (rate(ocis_proxy_duration_seconds_bucket[5m])))", "legendFormat": "p50 {{method}}", "refId": "A"}, {"datasource": "VictoriaMetrics", "expr": "histogram_quantile(0.95, sum by (method, le) (rate(ocis_proxy_duration_seconds_bucket[5m])))", "legendFormat": "p95 {{method}}", "refId": "B"}, {"datasource": "VictoriaMetrics", "expr": "histogram_quantile(0.99, sum by (method, le) (rate(ocis_proxy_duration_seconds_bucket[5m])))", "legendFormat": "p99 {{method}}", "refId": "C"}], "title": "Proxy latency by method", "type": "timeseries"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 20, "lineWidth": 1, "stacking": {"mode": "normal"}}, "unit": "reqps"}, "overrides": []}, "gridPos": {"h": 4, "w": 12, "x": 0, "y": 5}, "id": 4, "options": {"legend": {"displayMode": "list", "placement": "bottom", "showLegend": true}, "tooltip": {"mode": "multi"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum by (method) (rate(ocis_proxy_requests_total[5m]))", "legendFormat": "{{method}}", "refId": "A"}], "title": "Proxy requests by method", "type": "timeseries"},
{"collapsed": false, "gridPos": {"h": 1, "w": 24, "x": 0, "y": 9}, "id": 101, "panels": [], "title": "Service health", "type": "row"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "custom": {"fillOpacity": 80, "lineWidth": 0}, "mappings": [{"type": "value", "options": {"0": {"text": "DOWN", "color": "red"}, "1": {"text": "UP", "color": "green"}}}], "thresholds": {"mode": "absolute", "steps": [{"color": "red", "value": null}, {"color": "green", "value": 1}]}}, "overrides": []}, "gridPos": {"h": 8, "w": 18, "x": 0, "y": 10}, "id": 5, "options": {"alignValue": "left", "legend": {"displayMode": "list", "placement": "bottom", "showLegend": false}, "mergeValues": true, "rowHeight": 0.9, "showValue": "never", "tooltip": {"mode": "single"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "up{job=\"ocis\"}", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "ocis services up/down", "type": "state-timeline"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "red", "value": null}, {"color": "yellow", "value": 95}, {"color": "green", "value": 100}]}, "unit": "percent", "min": 0, "max": 100}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 18, "y": 10}, "id": 6, "options": {"colorMode": "value", "graphMode": "none", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "100 * count(up{job=\"ocis\"} == 1) / count(up{job=\"ocis\"})", "refId": "A"}], "title": "Services up", "type": "stat"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}, {"color": "yellow", "value": 1}, {"color": "red", "value": 5}]}}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 18, "y": 14}, "id": 7, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum(changes(process_start_time_seconds{job=\"ocis\"}[1h]))", "refId": "A"}], "title": "Restarts (last 1h)", "type": "stat"},
{"collapsed": false, "gridPos": {"h": 1, "w": 24, "x": 0, "y": 18}, "id": 102, "panels": [], "title": "Storage activity (uploads/downloads)", "type": "row"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 0, "y": 19}, "id": 8, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum(reva_upload_active{ocis_service=\"storageusers\"})", "refId": "A"}], "title": "Active uploads", "type": "stat"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 6, "y": 19}, "id": 9, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum(reva_download_active{ocis_service=\"storageusers\"})", "refId": "A"}], "title": "Active downloads", "type": "stat"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 10, "lineWidth": 1}, "unit": "ops"}, "overrides": [{"matcher": {"id": "byName", "options": "aborted"}, "properties": [{"id": "color", "value": {"mode": "fixed", "fixedColor": "red"}}]}, {"matcher": {"id": "byName", "options": "finalized"}, "properties": [{"id": "color", "value": {"mode": "fixed", "fixedColor": "green"}}]}]}, "gridPos": {"h": 8, "w": 12, "x": 12, "y": 19}, "id": 10, "options": {"legend": {"displayMode": "table", "placement": "bottom", "showLegend": true, "calcs": ["lastNotNull", "sum"]}, "tooltip": {"mode": "multi"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_initiated{ocis_service=\"storageusers\"}[5m])", "legendFormat": "initiated", "refId": "A"}, {"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_finalized{ocis_service=\"storageusers\"}[5m])", "legendFormat": "finalized", "refId": "B"}, {"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_aborted{ocis_service=\"storageusers\"}[5m])", "legendFormat": "aborted", "refId": "C"}, {"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_restarted{ocis_service=\"storageusers\"}[5m])", "legendFormat": "restarted", "refId": "D"}], "title": "Upload sessions/s", "type": "timeseries"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 20, "lineWidth": 1}, "unit": "Bps"}, "overrides": []}, "gridPos": {"h": 4, "w": 12, "x": 0, "y": 23}, "id": 11, "options": {"legend": {"displayMode": "list", "placement": "bottom", "showLegend": true}, "tooltip": {"mode": "single"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_bytes_received{ocis_service=\"storageusers\"}[5m])", "legendFormat": "bytes received", "refId": "A"}], "title": "Upload throughput", "type": "timeseries"},
{"collapsed": false, "gridPos": {"h": 1, "w": 24, "x": 0, "y": 27}, "id": 103, "panels": [], "title": "Resources (filtered by $ocis_service)", "type": "row"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 5, "lineWidth": 1, "showPoints": "never"}, "unit": "bytes"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 0, "y": 28}, "id": 12, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull", "max"]}, "tooltip": {"mode": "multi", "sort": "desc"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "go_memstats_heap_inuse_bytes{job=\"ocis\", ocis_service=~\"$ocis_service\"}", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "Heap in use by service", "type": "timeseries"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 5, "lineWidth": 1, "showPoints": "never"}, "unit": "short"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 12, "y": 28}, "id": 13, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull", "max"]}, "tooltip": {"mode": "multi", "sort": "desc"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "go_goroutines{job=\"ocis\", ocis_service=~\"$ocis_service\"}", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "Goroutines by service (leak detector)", "type": "timeseries"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 5, "lineWidth": 1}, "unit": "percentunit"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 0, "y": 36}, "id": 14, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull", "max"]}, "tooltip": {"mode": "multi", "sort": "desc"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "rate(process_cpu_seconds_total{job=\"ocis\", ocis_service=~\"$ocis_service\"}[5m])", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "CPU by service (cores)", "type": "timeseries"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 5, "lineWidth": 1}, "unit": "bytes"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 12, "y": 36}, "id": 15, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull", "max"]}, "tooltip": {"mode": "multi", "sort": "desc"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "process_resident_memory_bytes{job=\"ocis\", ocis_service=~\"$ocis_service\"}", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "Resident memory by service", "type": "timeseries"}
],
"refresh": "30s",
"schemaVersion": 39,
"tags": ["ocis"],
"templating": {
"list": [
{
"current": {"selected": false, "text": "All", "value": "$__all"},
"datasource": "VictoriaMetrics",
"hide": 0,
"includeAll": true,
"label": "Service",
"multi": true,
"name": "ocis_service",
"options": [],
"query": {"query": "label_values(up{job=\"ocis\"}, ocis_service)", "refId": "StandardVariableQuery"},
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 1,
"type": "query"
}
]
},
"time": {"from": "now-3h", "to": "now"},
"timepicker": {},
"timezone": "browser",
"title": "ocis Overview",
"uid": "ocis-overview",
"version": 1,
"weekStart": ""
}

12
prototypes/ocis/ytt/external-secret-precheck-job.ytt.yaml
View file

@ -60,6 +60,12 @@ spec:
spec: spec:
serviceAccountName: ocis-external-secret-precheck serviceAccountName: ocis-external-secret-precheck
restartPolicy: OnFailure restartPolicy: OnFailure
securityContext:
runAsNonRoot: true
runAsUser: 65532
runAsGroup: 65532
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: precheck - name: precheck
image: alpine/k8s:1.32.3 image: alpine/k8s:1.32.3
@ -80,3 +86,9 @@ spec:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.namespace fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL

2
prototypes/ocis/ytt/ns.ytt.yaml
View file

@ -9,7 +9,7 @@ kind: Namespace
metadata: metadata:
name: #@ ns name: #@ ns
labels: labels:
pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/enforce: restricted
#@overlay/match by=overlay.all, expects="1+" #@overlay/match by=overlay.all, expects="1+"
--- ---

62
prototypes/ocis/ytt/pss-restricted.ytt.yaml Normal file
View file

@ -0,0 +1,62 @@
#@ load("@ytt:overlay", "overlay")
#@ helm_match = overlay.subset({"metadata": {"labels": {"app.kubernetes.io/managed-by": "Helm"}}})
#@overlay/match by=overlay.and_op(overlay.subset({"kind": "Deployment"}), helm_match), expects="1+"
---
spec:
template:
spec:
securityContext:
#@overlay/match missing_ok=True
seccompProfile:
type: RuntimeDefault
containers:
#@overlay/match by=overlay.all, expects="1+"
-
securityContext:
#@overlay/match missing_ok=True
allowPrivilegeEscalation: false
#@overlay/match missing_ok=True
capabilities:
drop:
- ALL
#! idm is the only chart Deployment with initContainers
#@overlay/match by=overlay.subset({"kind": "Deployment", "metadata": {"name": "idm"}})
---
spec:
template:
spec:
initContainers:
#@overlay/match by=overlay.all, expects="1+"
-
securityContext:
#@overlay/match missing_ok=True
allowPrivilegeEscalation: false
#@overlay/match missing_ok=True
capabilities:
drop:
- ALL
#@overlay/match by=overlay.and_op(overlay.subset({"kind": "CronJob"}), helm_match), expects="1+"
---
spec:
jobTemplate:
spec:
template:
spec:
securityContext:
#@overlay/match missing_ok=True
seccompProfile:
type: RuntimeDefault
containers:
#@overlay/match by=overlay.all, expects="1+"
-
securityContext:
#@overlay/match missing_ok=True
allowPrivilegeEscalation: false
#@overlay/match missing_ok=True
capabilities:
drop:
- ALL

92
prototypes/ocis/ytt/s3-backup-cronjob.ytt.yaml
View file

@ -27,74 +27,76 @@ spec:
spec: spec:
restartPolicy: OnFailure restartPolicy: OnFailure
serviceAccountName: ocis-s3-backup serviceAccountName: ocis-s3-backup
securityContext:
runAsNonRoot: true
runAsUser: 1009
runAsGroup: 1009
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: backup - name: backup
image: alpine:3.20 image: rclone/rclone:1.69.0
args:
- sync
- "s3:ocis-tr1ceracop"
- "backup:"
- --transfers=4
- -v
resources: resources:
requests: requests:
memory: 128Mi memory: 128Mi
cpu: 50m cpu: 50m
command:
- sh
- -c
- |
set -e
apk add --no-cache rclone >/dev/null 2>&1
mkdir -p /tmp/rclone
cat > /tmp/rclone/rclone.conf <<CONF
[s3]
type = s3
provider = Other
access_key_id = ${S3_ACCESS_KEY}
secret_access_key = ${S3_SECRET_KEY}
endpoint = https://nbg1.your-objectstorage.com
acl = private
[storagebox]
type = sftp
host = ${STORAGEBOX_HOST}
port = 23
user = ${STORAGEBOX_USER}
key_file = /etc/storagebox/ssh-key
shell_type = none
md5sum_command = none
sha1sum_command = none
[backup]
type = compress
remote = storagebox:ocis-backup
CONF
echo "Syncing S3 bucket to Storage Box (compressed)..."
rclone sync s3:ocis-tr1ceracop backup: \
--config /tmp/rclone/rclone.conf \
--transfers 4 \
-v
rm -rf /tmp/rclone
echo "Backup complete."
env: env:
- name: S3_ACCESS_KEY - name: RCLONE_CONFIG_S3_TYPE
value: s3
- name: RCLONE_CONFIG_S3_PROVIDER
value: Other
- name: RCLONE_CONFIG_S3_ENDPOINT
value: https://nbg1.your-objectstorage.com
- name: RCLONE_CONFIG_S3_ACL
value: private
- name: RCLONE_CONFIG_S3_ACCESS_KEY_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: ocis-s3-credentials name: ocis-s3-credentials
key: accessKey key: accessKey
- name: S3_SECRET_KEY - name: RCLONE_CONFIG_S3_SECRET_ACCESS_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: ocis-s3-credentials name: ocis-s3-credentials
key: secretKey key: secretKey
- name: STORAGEBOX_HOST - name: RCLONE_CONFIG_STORAGEBOX_TYPE
value: sftp
- name: RCLONE_CONFIG_STORAGEBOX_PORT
value: "23"
- name: RCLONE_CONFIG_STORAGEBOX_KEY_FILE
value: /etc/storagebox/ssh-key
- name: RCLONE_CONFIG_STORAGEBOX_SHELL_TYPE
value: none
- name: RCLONE_CONFIG_STORAGEBOX_MD5SUM_COMMAND
value: none
- name: RCLONE_CONFIG_STORAGEBOX_SHA1SUM_COMMAND
value: none
- name: RCLONE_CONFIG_STORAGEBOX_HOST
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: ocis-storagebox-credentials name: ocis-storagebox-credentials
key: host key: host
- name: STORAGEBOX_USER - name: RCLONE_CONFIG_STORAGEBOX_USER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: ocis-storagebox-credentials name: ocis-storagebox-credentials
key: user key: user
- name: RCLONE_CONFIG_BACKUP_TYPE
value: compress
- name: RCLONE_CONFIG_BACKUP_REMOTE
value: storagebox:ocis-backup
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
volumeMounts: volumeMounts:
- name: storagebox-ssh - name: storagebox-ssh
mountPath: /etc/storagebox mountPath: /etc/storagebox

13
prototypes/victoria-metrics-single/helm/victoria-metrics-single.yaml
View file

@ -80,3 +80,16 @@ server:
- source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
action: keep action: keep
regex: cert-manager;cert-manager;tcp-prometheus-servicemonitor regex: cert-manager;cert-manager;tcp-prometheus-servicemonitor
- job_name: ocis
kubernetes_sd_configs:
- role: endpoints
namespaces:
names: [ocis]
relabel_configs:
- source_labels: [__meta_kubernetes_service_label_ocis_metrics, __meta_kubernetes_endpoint_port_name]
action: keep
regex: enabled;metrics-debug
- source_labels: [__meta_kubernetes_service_name]
target_label: ocis_service
- source_labels: [__meta_kubernetes_pod_name]
target_label: pod

2
prototypes/victoria-metrics-single/ytt/ns.ytt.yaml
View file

@ -9,7 +9,7 @@ kind: Namespace
metadata: metadata:
name: #@ ns name: #@ ns
labels: labels:
pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/enforce: restricted
#@overlay/match by=overlay.all, expects="1+" #@overlay/match by=overlay.all, expects="1+"
--- ---

25
prototypes/victoria-metrics-single/ytt/pss-restricted.ytt.yaml Normal file
View file

@ -0,0 +1,25 @@
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"kind": "StatefulSet", "metadata": {"name": "victoria-metrics-single-server"}})
---
spec:
template:
spec:
#@overlay/replace
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
#@overlay/match by=overlay.subset({"name": "vmsingle"})
-
#@overlay/replace
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL

2
rendered/envs/production/argocd/namespace-argocd.yaml
View file

@ -4,6 +4,6 @@ metadata:
annotations: annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: labels:
pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/enforce: restricted
name: argocd name: argocd
namespace: argocd namespace: argocd

2
rendered/envs/production/cert-manager/namespace-cert-manager.yaml
View file

@ -4,6 +4,6 @@ metadata:
annotations: annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: labels:
pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/enforce: restricted
name: cert-manager name: cert-manager
namespace: cert-manager namespace: cert-manager

2
rendered/envs/production/cloudnative-pg/namespace-cnpg-system.yaml
View file

@ -4,6 +4,6 @@ metadata:
annotations: annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: labels:
pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/enforce: restricted
name: cnpg-system name: cnpg-system
namespace: cnpg-system namespace: cnpg-system

78
rendered/envs/production/grafana/configmap-grafana-dashboards-default.yaml
View file

@ -1,5 +1,81 @@
apiVersion: v1 apiVersion: v1
data: {} data:
ocis.json: |-
{
"annotations": {"list": []},
"editable": true,
"graphTooltip": 1,
"links": [],
"panels": [
{"collapsed": false, "gridPos": {"h": 1, "w": 24, "x": 0, "y": 0}, "id": 100, "panels": [], "title": "User experience (proxy)", "type": "row"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}, "unit": "reqps"}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 0, "y": 1}, "id": 1, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum(rate(ocis_proxy_requests_total[5m]))", "refId": "A"}], "title": "Proxy req/s", "type": "stat"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}, {"color": "yellow", "value": 1}, {"color": "red", "value": 5}]}, "unit": "percent", "min": 0, "max": 100}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 6, "y": 1}, "id": 2, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "100 * sum(rate(ocis_proxy_errors_total[5m])) / clamp_min(sum(rate(ocis_proxy_requests_total[5m])), 0.001)", "refId": "A"}], "title": "Proxy error %", "type": "stat"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 10, "lineWidth": 1, "showPoints": "never"}, "unit": "s"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 12, "y": 1}, "id": 3, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull"]}, "tooltip": {"mode": "multi"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "histogram_quantile(0.50, sum by (method, le) (rate(ocis_proxy_duration_seconds_bucket[5m])))", "legendFormat": "p50 {{method}}", "refId": "A"}, {"datasource": "VictoriaMetrics", "expr": "histogram_quantile(0.95, sum by (method, le) (rate(ocis_proxy_duration_seconds_bucket[5m])))", "legendFormat": "p95 {{method}}", "refId": "B"}, {"datasource": "VictoriaMetrics", "expr": "histogram_quantile(0.99, sum by (method, le) (rate(ocis_proxy_duration_seconds_bucket[5m])))", "legendFormat": "p99 {{method}}", "refId": "C"}], "title": "Proxy latency by method", "type": "timeseries"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 20, "lineWidth": 1, "stacking": {"mode": "normal"}}, "unit": "reqps"}, "overrides": []}, "gridPos": {"h": 4, "w": 12, "x": 0, "y": 5}, "id": 4, "options": {"legend": {"displayMode": "list", "placement": "bottom", "showLegend": true}, "tooltip": {"mode": "multi"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum by (method) (rate(ocis_proxy_requests_total[5m]))", "legendFormat": "{{method}}", "refId": "A"}], "title": "Proxy requests by method", "type": "timeseries"},
{"collapsed": false, "gridPos": {"h": 1, "w": 24, "x": 0, "y": 9}, "id": 101, "panels": [], "title": "Service health", "type": "row"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "custom": {"fillOpacity": 80, "lineWidth": 0}, "mappings": [{"type": "value", "options": {"0": {"text": "DOWN", "color": "red"}, "1": {"text": "UP", "color": "green"}}}], "thresholds": {"mode": "absolute", "steps": [{"color": "red", "value": null}, {"color": "green", "value": 1}]}}, "overrides": []}, "gridPos": {"h": 8, "w": 18, "x": 0, "y": 10}, "id": 5, "options": {"alignValue": "left", "legend": {"displayMode": "list", "placement": "bottom", "showLegend": false}, "mergeValues": true, "rowHeight": 0.9, "showValue": "never", "tooltip": {"mode": "single"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "up{job=\"ocis\"}", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "ocis services up/down", "type": "state-timeline"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "red", "value": null}, {"color": "yellow", "value": 95}, {"color": "green", "value": 100}]}, "unit": "percent", "min": 0, "max": 100}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 18, "y": 10}, "id": 6, "options": {"colorMode": "value", "graphMode": "none", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "100 * count(up{job=\"ocis\"} == 1) / count(up{job=\"ocis\"})", "refId": "A"}], "title": "Services up", "type": "stat"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}, {"color": "yellow", "value": 1}, {"color": "red", "value": 5}]}}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 18, "y": 14}, "id": 7, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum(changes(process_start_time_seconds{job=\"ocis\"}[1h]))", "refId": "A"}], "title": "Restarts (last 1h)", "type": "stat"},
{"collapsed": false, "gridPos": {"h": 1, "w": 24, "x": 0, "y": 18}, "id": 102, "panels": [], "title": "Storage activity (uploads/downloads)", "type": "row"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 0, "y": 19}, "id": 8, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum(reva_upload_active{ocis_service=\"storageusers\"})", "refId": "A"}], "title": "Active uploads", "type": "stat"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute", "steps": [{"color": "green", "value": null}]}}, "overrides": []}, "gridPos": {"h": 4, "w": 6, "x": 6, "y": 19}, "id": 9, "options": {"colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", "reduceOptions": {"calcs": ["lastNotNull"]}, "textMode": "auto"}, "targets": [{"datasource": "VictoriaMetrics", "expr": "sum(reva_download_active{ocis_service=\"storageusers\"})", "refId": "A"}], "title": "Active downloads", "type": "stat"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 10, "lineWidth": 1}, "unit": "ops"}, "overrides": [{"matcher": {"id": "byName", "options": "aborted"}, "properties": [{"id": "color", "value": {"mode": "fixed", "fixedColor": "red"}}]}, {"matcher": {"id": "byName", "options": "finalized"}, "properties": [{"id": "color", "value": {"mode": "fixed", "fixedColor": "green"}}]}]}, "gridPos": {"h": 8, "w": 12, "x": 12, "y": 19}, "id": 10, "options": {"legend": {"displayMode": "table", "placement": "bottom", "showLegend": true, "calcs": ["lastNotNull", "sum"]}, "tooltip": {"mode": "multi"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_initiated{ocis_service=\"storageusers\"}[5m])", "legendFormat": "initiated", "refId": "A"}, {"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_finalized{ocis_service=\"storageusers\"}[5m])", "legendFormat": "finalized", "refId": "B"}, {"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_aborted{ocis_service=\"storageusers\"}[5m])", "legendFormat": "aborted", "refId": "C"}, {"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_restarted{ocis_service=\"storageusers\"}[5m])", "legendFormat": "restarted", "refId": "D"}], "title": "Upload sessions/s", "type": "timeseries"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 20, "lineWidth": 1}, "unit": "Bps"}, "overrides": []}, "gridPos": {"h": 4, "w": 12, "x": 0, "y": 23}, "id": 11, "options": {"legend": {"displayMode": "list", "placement": "bottom", "showLegend": true}, "tooltip": {"mode": "single"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "rate(reva_upload_sessions_bytes_received{ocis_service=\"storageusers\"}[5m])", "legendFormat": "bytes received", "refId": "A"}], "title": "Upload throughput", "type": "timeseries"},
{"collapsed": false, "gridPos": {"h": 1, "w": 24, "x": 0, "y": 27}, "id": 103, "panels": [], "title": "Resources (filtered by $ocis_service)", "type": "row"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 5, "lineWidth": 1, "showPoints": "never"}, "unit": "bytes"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 0, "y": 28}, "id": 12, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull", "max"]}, "tooltip": {"mode": "multi", "sort": "desc"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "go_memstats_heap_inuse_bytes{job=\"ocis\", ocis_service=~\"$ocis_service\"}", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "Heap in use by service", "type": "timeseries"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 5, "lineWidth": 1, "showPoints": "never"}, "unit": "short"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 12, "y": 28}, "id": 13, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull", "max"]}, "tooltip": {"mode": "multi", "sort": "desc"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "go_goroutines{job=\"ocis\", ocis_service=~\"$ocis_service\"}", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "Goroutines by service (leak detector)", "type": "timeseries"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 5, "lineWidth": 1}, "unit": "percentunit"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 0, "y": 36}, "id": 14, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull", "max"]}, "tooltip": {"mode": "multi", "sort": "desc"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "rate(process_cpu_seconds_total{job=\"ocis\", ocis_service=~\"$ocis_service\"}[5m])", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "CPU by service (cores)", "type": "timeseries"},
{"datasource": "VictoriaMetrics", "fieldConfig": {"defaults": {"color": {"mode": "palette-classic"}, "custom": {"drawStyle": "line", "fillOpacity": 5, "lineWidth": 1}, "unit": "bytes"}, "overrides": []}, "gridPos": {"h": 8, "w": 12, "x": 12, "y": 36}, "id": 15, "options": {"legend": {"displayMode": "table", "placement": "right", "showLegend": true, "calcs": ["lastNotNull", "max"]}, "tooltip": {"mode": "multi", "sort": "desc"}}, "targets": [{"datasource": "VictoriaMetrics", "expr": "process_resident_memory_bytes{job=\"ocis\", ocis_service=~\"$ocis_service\"}", "legendFormat": "{{ocis_service}}", "refId": "A"}], "title": "Resident memory by service", "type": "timeseries"}
],
"refresh": "30s",
"schemaVersion": 39,
"tags": ["ocis"],
"templating": {
"list": [
{
"current": {"selected": false, "text": "All", "value": "$__all"},
"datasource": "VictoriaMetrics",
"hide": 0,
"includeAll": true,
"label": "Service",
"multi": true,
"name": "ocis_service",
"options": [],
"query": {"query": "label_values(up{job=\"ocis\"}, ocis_service)", "refId": "StandardVariableQuery"},
"refresh": 2,
"regex": "",
"skipUrlSync": false,
"sort": 1,
"type": "query"
}
]
},
"time": {"from": "now-3h", "to": "now"},
"timepicker": {},
"timezone": "browser",
"title": "ocis Overview",
"uid": "ocis-overview",
"version": 1,
"weekStart": ""
}
kind: ConfigMap kind: ConfigMap
metadata: metadata:
annotations: annotations:

5
rendered/envs/production/grafana/deployment-grafana.yaml
View file

@ -23,7 +23,7 @@ spec:
metadata: metadata:
annotations: annotations:
checksum/config: de8d6f16e9721409f5848bcc101e6aa9815e6455bd4fb9b59306159e705ac1cb checksum/config: de8d6f16e9721409f5848bcc101e6aa9815e6455bd4fb9b59306159e705ac1cb
checksum/dashboards-json-config: 63ff5f7bd5ab0b6c241c689c0aa4d78be9bef984e63c1089dc988905fbb61f74 checksum/dashboards-json-config: a919cbb2747e3cee36a843a96cf75d3761b8fe53f7731cdcf106689db20d44fd
checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24 checksum/sc-dashboard-provider-config: e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24
kubectl.kubernetes.io/default-container: grafana kubectl.kubernetes.io/default-container: grafana
labels: labels:
@ -113,6 +113,9 @@ spec:
name: storage name: storage
- mountPath: /var/lib/grafana-search - mountPath: /var/lib/grafana-search
name: search name: search
- mountPath: /var/lib/grafana/dashboards/default/ocis.json
name: dashboards-default
subPath: ocis.json
- mountPath: /etc/grafana/provisioning/datasources/datasources.yaml - mountPath: /etc/grafana/provisioning/datasources/datasources.yaml
name: config name: config
subPath: datasources.yaml subPath: datasources.yaml

92
rendered/envs/production/ocis/cronjob-ocis-s3-backup.yaml
View file

@ -13,78 +13,80 @@ spec:
template: template:
spec: spec:
containers: containers:
- command: - args:
- sh - sync
- -c - s3:ocis-tr1ceracop
- | - 'backup:'
set -e - --transfers=4
apk add --no-cache rclone >/dev/null 2>&1 - -v
mkdir -p /tmp/rclone
cat > /tmp/rclone/rclone.conf <<CONF
[s3]
type = s3
provider = Other
access_key_id = ${S3_ACCESS_KEY}
secret_access_key = ${S3_SECRET_KEY}
endpoint = https://nbg1.your-objectstorage.com
acl = private
[storagebox]
type = sftp
host = ${STORAGEBOX_HOST}
port = 23
user = ${STORAGEBOX_USER}
key_file = /etc/storagebox/ssh-key
shell_type = none
md5sum_command = none
sha1sum_command = none
[backup]
type = compress
remote = storagebox:ocis-backup
CONF
echo "Syncing S3 bucket to Storage Box (compressed)..."
rclone sync s3:ocis-tr1ceracop backup: \
--config /tmp/rclone/rclone.conf \
--transfers 4 \
-v
rm -rf /tmp/rclone
echo "Backup complete."
env: env:
- name: S3_ACCESS_KEY - name: RCLONE_CONFIG_S3_TYPE
value: s3
- name: RCLONE_CONFIG_S3_PROVIDER
value: Other
- name: RCLONE_CONFIG_S3_ENDPOINT
value: https://nbg1.your-objectstorage.com
- name: RCLONE_CONFIG_S3_ACL
value: private
- name: RCLONE_CONFIG_S3_ACCESS_KEY_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: accessKey key: accessKey
name: ocis-s3-credentials name: ocis-s3-credentials
- name: S3_SECRET_KEY - name: RCLONE_CONFIG_S3_SECRET_ACCESS_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: secretKey key: secretKey
name: ocis-s3-credentials name: ocis-s3-credentials
- name: STORAGEBOX_HOST - name: RCLONE_CONFIG_STORAGEBOX_TYPE
value: sftp
- name: RCLONE_CONFIG_STORAGEBOX_PORT
value: "23"
- name: RCLONE_CONFIG_STORAGEBOX_KEY_FILE
value: /etc/storagebox/ssh-key
- name: RCLONE_CONFIG_STORAGEBOX_SHELL_TYPE
value: none
- name: RCLONE_CONFIG_STORAGEBOX_MD5SUM_COMMAND
value: none
- name: RCLONE_CONFIG_STORAGEBOX_SHA1SUM_COMMAND
value: none
- name: RCLONE_CONFIG_STORAGEBOX_HOST
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: host key: host
name: ocis-storagebox-credentials name: ocis-storagebox-credentials
- name: STORAGEBOX_USER - name: RCLONE_CONFIG_STORAGEBOX_USER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
key: user key: user
name: ocis-storagebox-credentials name: ocis-storagebox-credentials
image: alpine:3.20 - name: RCLONE_CONFIG_BACKUP_TYPE
value: compress
- name: RCLONE_CONFIG_BACKUP_REMOTE
value: storagebox:ocis-backup
image: rclone/rclone:1.69.0
name: backup name: backup
resources: resources:
requests: requests:
cpu: 50m cpu: 50m
memory: 128Mi memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumeMounts: volumeMounts:
- mountPath: /etc/storagebox - mountPath: /etc/storagebox
name: storagebox-ssh name: storagebox-ssh
readOnly: true readOnly: true
restartPolicy: OnFailure restartPolicy: OnFailure
securityContext:
runAsGroup: 1009
runAsNonRoot: true
runAsUser: 1009
seccompProfile:
type: RuntimeDefault
serviceAccountName: ocis-s3-backup serviceAccountName: ocis-s3-backup
volumes: volumes:
- name: storagebox-ssh - name: storagebox-ssh

6
rendered/envs/production/ocis/cronjob-storage-users-clean-expired-uploads.yaml
View file

@ -96,6 +96,10 @@ spec:
name: storage-users-clean-expired-uploads name: storage-users-clean-expired-uploads
resources: {} resources: {}
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -110,6 +114,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: tmp-volume name: tmp-volume

6
rendered/envs/production/ocis/cronjob-storage-users-purge-expired-trash-bin-items.yaml
View file

@ -77,6 +77,10 @@ spec:
name: storage-users-purge-expired-trash-bin-items name: storage-users-purge-expired-trash-bin-items
resources: {} resources: {}
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -91,6 +95,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: tmp-volume name: tmp-volume

6
rendered/envs/production/ocis/cronjob-storage-users-restart-postprocessing.yaml
View file

@ -79,6 +79,10 @@ spec:
name: storage-users-restart-postprocessing name: storage-users-restart-postprocessing
resources: {} resources: {}
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -93,6 +97,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: tmp-volume name: tmp-volume

6
rendered/envs/production/ocis/cronjob-thumbnails-cleanup.yaml
View file

@ -37,6 +37,10 @@ spec:
name: thumbnails-cleanup name: thumbnails-cleanup
resources: {} resources: {}
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -51,6 +55,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- name: thumbnails-data - name: thumbnails-data
persistentVolumeClaim: persistentVolumeClaim:

6
rendered/envs/production/ocis/deployment-activitylog.yaml
View file

@ -106,6 +106,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -118,6 +122,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: messaging-system-ca name: messaging-system-ca

6
rendered/envs/production/ocis/deployment-appregistry.yaml
View file

@ -90,6 +90,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -103,6 +107,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: tmp-volume name: tmp-volume

6
rendered/envs/production/ocis/deployment-audit.yaml
View file

@ -75,6 +75,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -87,6 +91,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: messaging-system-ca name: messaging-system-ca

6
rendered/envs/production/ocis/deployment-authmachine.yaml
View file

@ -93,6 +93,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -104,6 +108,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: tmp-volume name: tmp-volume

6
rendered/envs/production/ocis/deployment-authservice.yaml
View file

@ -98,6 +98,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -109,6 +113,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: tmp-volume name: tmp-volume

6
rendered/envs/production/ocis/deployment-clientlog.yaml
View file

@ -96,6 +96,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -108,6 +112,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: messaging-system-ca name: messaging-system-ca

6
rendered/envs/production/ocis/deployment-eventhistory.yaml
View file

@ -81,6 +81,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -93,6 +97,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: messaging-system-ca name: messaging-system-ca

6
rendered/envs/production/ocis/deployment-frontend.yaml
View file

@ -158,6 +158,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -171,6 +175,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: tmp-volume name: tmp-volume

6
rendered/envs/production/ocis/deployment-gateway.yaml
View file

@ -106,6 +106,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -117,6 +121,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: tmp-volume name: tmp-volume

6
rendered/envs/production/ocis/deployment-graph.yaml
View file

@ -132,6 +132,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -147,6 +151,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: messaging-system-ca name: messaging-system-ca

6
rendered/envs/production/ocis/deployment-groups.yaml
View file

@ -99,6 +99,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -113,6 +117,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: tmp-volume name: tmp-volume

10
rendered/envs/production/ocis/deployment-idm.yaml
View file

@ -113,6 +113,10 @@ spec:
cpu: 10m cpu: 10m
memory: 256Mi memory: 256Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -136,6 +140,10 @@ spec:
cpu: 10m cpu: 10m
memory: 256Mi memory: 256Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -147,6 +155,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- name: ldap-cert - name: ldap-cert
secret: secret:

6
rendered/envs/production/ocis/deployment-idp.yaml
View file

@ -96,6 +96,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -113,6 +117,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: ocis-data-tmp name: ocis-data-tmp

6
rendered/envs/production/ocis/deployment-nats.yaml
View file

@ -70,6 +70,10 @@ spec:
cpu: 10m cpu: 10m
memory: 192Mi memory: 192Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -81,6 +85,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- name: nats-data - name: nats-data
persistentVolumeClaim: persistentVolumeClaim:

6
rendered/envs/production/ocis/deployment-ocdav.yaml
View file

@ -101,6 +101,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -110,4 +114,6 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: null volumes: null

6
rendered/envs/production/ocis/deployment-ocs.yaml
View file

@ -98,6 +98,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -107,4 +111,6 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: null volumes: null

6
rendered/envs/production/ocis/deployment-postprocessing.yaml
View file

@ -79,6 +79,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -91,6 +95,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: messaging-system-ca name: messaging-system-ca

6
rendered/envs/production/ocis/deployment-proxy.yaml
View file

@ -123,6 +123,10 @@ spec:
cpu: 10m cpu: 10m
memory: 96Mi memory: 96Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -134,6 +138,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- configMap: - configMap:
name: proxy-config name: proxy-config

6
rendered/envs/production/ocis/deployment-search.yaml
View file

@ -103,6 +103,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -117,6 +121,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: messaging-system-ca name: messaging-system-ca

6
rendered/envs/production/ocis/deployment-settings.yaml
View file

@ -124,6 +124,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -133,4 +137,6 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: null volumes: null

6
rendered/envs/production/ocis/deployment-sharing.yaml
View file

@ -132,6 +132,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -148,6 +152,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: tmp-volume name: tmp-volume

6
rendered/envs/production/ocis/deployment-sse.yaml
View file

@ -94,6 +94,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -106,6 +110,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: messaging-system-ca name: messaging-system-ca

6
rendered/envs/production/ocis/deployment-storagepubliclink.yaml
View file

@ -92,6 +92,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -103,6 +107,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: tmp-volume name: tmp-volume

6
rendered/envs/production/ocis/deployment-storageshares.yaml
View file

@ -88,6 +88,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -99,6 +103,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: tmp-volume name: tmp-volume

6
rendered/envs/production/ocis/deployment-storagesystem.yaml
View file

@ -112,6 +112,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -125,6 +129,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: tmp-volume name: tmp-volume

6
rendered/envs/production/ocis/deployment-storageusers.yaml
View file

@ -186,6 +186,10 @@ spec:
cpu: 10m cpu: 10m
memory: 512Mi memory: 512Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -202,6 +206,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: tmp-volume name: tmp-volume

6
rendered/envs/production/ocis/deployment-thumbnails.yaml
View file

@ -108,6 +108,10 @@ spec:
cpu: 10m cpu: 10m
memory: 96Mi memory: 96Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -119,6 +123,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- name: thumbnails-data - name: thumbnails-data
persistentVolumeClaim: persistentVolumeClaim:

6
rendered/envs/production/ocis/deployment-userlog.yaml
View file

@ -102,6 +102,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -114,6 +118,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: messaging-system-ca name: messaging-system-ca

6
rendered/envs/production/ocis/deployment-users.yaml
View file

@ -99,6 +99,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -113,6 +117,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- emptyDir: {} - emptyDir: {}
name: tmp-volume name: tmp-volume

6
rendered/envs/production/ocis/deployment-web.yaml
View file

@ -110,6 +110,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -125,6 +129,8 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: volumes:
- configMap: - configMap:
name: web-config name: web-config

6
rendered/envs/production/ocis/deployment-webdav.yaml
View file

@ -87,6 +87,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -96,4 +100,6 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: null volumes: null

6
rendered/envs/production/ocis/deployment-webfinger.yaml
View file

@ -91,6 +91,10 @@ spec:
cpu: 10m cpu: 10m
memory: 64Mi memory: 64Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsGroup: 1000 runAsGroup: 1000
runAsNonRoot: true runAsNonRoot: true
@ -100,4 +104,6 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch fsGroupChangePolicy: OnRootMismatch
seccompProfile:
type: RuntimeDefault
volumes: null volumes: null

12
rendered/envs/production/ocis/job-ocis-external-secret-precheck.yaml
View file

@ -31,6 +31,18 @@ spec:
fieldPath: metadata.namespace fieldPath: metadata.namespace
image: alpine/k8s:1.32.3 image: alpine/k8s:1.32.3
name: precheck name: precheck
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
restartPolicy: OnFailure restartPolicy: OnFailure
securityContext:
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
serviceAccountName: ocis-external-secret-precheck serviceAccountName: ocis-external-secret-precheck
ttlSecondsAfterFinished: 300 ttlSecondsAfterFinished: 300

2
rendered/envs/production/ocis/namespace-ocis.yaml
View file

@ -4,6 +4,6 @@ metadata:
annotations: annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: labels:
pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/enforce: restricted
name: ocis name: ocis
namespace: ocis namespace: ocis

18
rendered/envs/production/victoria-metrics-single/configmap-victoria-metrics-single-server-scrapeconfig.yaml
View file

@ -83,6 +83,24 @@ data:
- __meta_kubernetes_namespace - __meta_kubernetes_namespace
- __meta_kubernetes_service_name - __meta_kubernetes_service_name
- __meta_kubernetes_endpoint_port_name - __meta_kubernetes_endpoint_port_name
- job_name: ocis
kubernetes_sd_configs:
- namespaces:
names:
- ocis
role: endpoints
relabel_configs:
- action: keep
regex: enabled;metrics-debug
source_labels:
- __meta_kubernetes_service_label_ocis_metrics
- __meta_kubernetes_endpoint_port_name
- source_labels:
- __meta_kubernetes_service_name
target_label: ocis_service
- source_labels:
- __meta_kubernetes_pod_name
target_label: pod
kind: ConfigMap kind: ConfigMap
metadata: metadata:
annotations: annotations:

2
rendered/envs/production/victoria-metrics-single/namespace-monitoring.yaml
View file

@ -4,6 +4,6 @@ metadata:
annotations: annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: labels:
pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/enforce: restricted
name: monitoring name: monitoring
namespace: monitoring namespace: monitoring

15
rendered/envs/production/victoria-metrics-single/statefulset-victoria-metrics-single-server.yaml
View file

@ -69,13 +69,24 @@ spec:
requests: requests:
cpu: 100m cpu: 100m
memory: 256Mi memory: 256Mi
securityContext: {} securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumeMounts: volumeMounts:
- mountPath: /storage - mountPath: /storage
name: server-volume name: server-volume
- mountPath: /scrapeconfig - mountPath: /scrapeconfig
name: scrapeconfig name: scrapeconfig
securityContext: {} securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
serviceAccountName: victoria-metrics-single-server serviceAccountName: victoria-metrics-single-server
terminationGracePeriodSeconds: 60 terminationGracePeriodSeconds: 60
volumes: volumes: