k8s-and-chill/rendered/envs/production/cloudnative-pg
Felix Wolf 4d4f51c179 feat: drop 5 namespaces from PSS privileged to restricted
argocd, cert-manager, cloudnative-pg already compliant — label flip only.
ocis: add overlay injecting seccompProfile=RuntimeDefault, drop ALL caps,
allowPrivilegeEscalation=false across all chart Deployments/CronJobs;
patch idm initContainer; harden custom precheck Job; refactor s3-backup
to rclone/rclone image (avoids apk-add-as-root).
victoria-metrics-single: overlay sets full restricted SC on the StatefulSet
that ships with empty securityContext: {}.

forgejo, traefik, kube-system stay privileged (hostPort / CSI driver).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 00:52:45 +02:00
clusterrole-cloudnative-pg-edit.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
clusterrole-cloudnative-pg-view.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
clusterrole-cloudnative-pg.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
clusterrolebinding-cloudnative-pg.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
configmap-cnpg-controller-manager-config.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
configmap-cnpg-default-monitoring.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
customresourcedefinition-backups.postgresql.cnpg.io.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
customresourcedefinition-clusterimagecatalogs.postgresql.cnpg.io.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
customresourcedefinition-clusters.postgresql.cnpg.io.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
customresourcedefinition-databases.postgresql.cnpg.io.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
customresourcedefinition-imagecatalogs.postgresql.cnpg.io.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
customresourcedefinition-poolers.postgresql.cnpg.io.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
customresourcedefinition-publications.postgresql.cnpg.io.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
customresourcedefinition-scheduledbackups.postgresql.cnpg.io.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
customresourcedefinition-subscriptions.postgresql.cnpg.io.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
deployment-cloudnative-pg.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
mutatingwebhookconfiguration-cnpg-mutating-webhook-configuration.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
namespace-cnpg-system.yaml feat: drop 5 namespaces from PSS privileged to restricted 2026-05-03 00:52:45 +02:00
service-cnpg-webhook-service.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
serviceaccount-cloudnative-pg.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00
validatingwebhookconfiguration-cnpg-validating-webhook-configuration.yaml feat: Migrate Forgejo to CNPG PostgreSQL + Hetzner CSI volumes 2026-04-03 16:37:13 +02:00