Compare commits

2 commits

Author SHA1 Message Date
Felix Wolf 010c47b03b feat: Add comprehensive oCIS monitoring
Integrates oCIS services into the monitoring stack by:
- Adding a new scrape configuration to VictoriaMetrics to collect metrics from oCIS services in the 'ocis' namespace.
- Introducing a new "ocis Overview" Grafana dashboard. This dashboard includes panels for user experience (proxy), service health, storage activity (uploads/downloads), and resource utilization, all leveraging the VictoriaMetrics datasource.
2026-05-03 01:19:53 +02:00
Felix Wolf 4d4f51c179 feat: drop 5 namespaces from PSS privileged to restricted
argocd, cert-manager, cloudnative-pg already compliant — label flip only.
ocis: add overlay injecting seccompProfile=RuntimeDefault, drop ALL caps,
allowPrivilegeEscalation=false across all chart Deployments/CronJobs;
patch idm initContainer; harden custom precheck Job; refactor s3-backup
to rclone/rclone image (avoids apk-add-as-root).
victoria-metrics-single: overlay sets full restricted SC on the StatefulSet
that ships with empty securityContext: {}.

forgejo, traefik, kube-system stay privileged (hostPort / CSI driver).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 00:52:45 +02:00
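The restricted-profile settings the second commit describes, as an added checker that is not the repository's code: it walks a parsed pod template and reports every field the Pod Security Standards "restricted" profile requires that is missing, run over constructed before/after samples (container names and images are placeholders).

```python
"""Check a pod template for the PSS 'restricted' settings the commit names
(seccompProfile, drop ALL, allowPrivilegeEscalation=false) plus runAsNonRoot,
which the restricted profile also requires. Input is a plain dict of the spec."""

SECCOMP_OK = {"RuntimeDefault", "Localhost"}


def _sc(obj):
    return obj.get("securityContext") or {}


def restricted_violations(pod_spec):
    """Return human-readable findings; an empty list means compliant."""
    findings = []
    pod_sc = _sc(pod_spec)
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind, []):
            name = f"{kind}/{c.get('name', '?')}"
            sc = _sc(c)
            # Container-level settings override pod-level ones.
            seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
            if seccomp not in SECCOMP_OK:
                findings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
            if sc.get("allowPrivilegeEscalation") is not False:
                findings.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
            if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
                findings.append(f"{name}: capabilities.drop must include ALL")
            if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
                findings.append(f"{name}: runAsNonRoot must be true")
    return findings


# Constructed sample: a template shipping with an empty securityContext: {}.
BEFORE = {
    "securityContext": {},
    "initContainers": [{"name": "init", "image": "example/init:placeholder"}],
    "containers": [{"name": "app", "image": "example/app:placeholder"}],
}

# Constructed sample: the same template after a restricted overlay is applied.
HARDENED_SC = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}
AFTER = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [{"name": "init", "image": "example/init:placeholder", "securityContext": HARDENED_SC}],
    "containers": [{"name": "app", "image": "example/app:placeholder", "securityContext": HARDENED_SC}],
}

if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER)):
        print(label, restricted_violations(spec) or "compliant")
```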

Diff content is not available