33c52be1c5
argocd, cert-manager, cloudnative-pg already compliant — label flip only.
ocis: add overlay injecting seccompProfile=RuntimeDefault, drop ALL caps,
allowPrivilegeEscalation=false across all chart Deployments/CronJobs;
patch idm initContainer; harden custom precheck Job; refactor s3-backup
to rclone/rclone image (avoids apk-add-as-root).
victoria-metrics-single: overlay sets full restricted SC on the StatefulSet
that ships with empty securityContext: {}.
forgejo, traefik, kube-system stay privileged (hostPort / CSI driver).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
102 lines
3.5 KiB
YAML
102 lines
3.5 KiB
YAML
apiVersion: batch/v1
|
|
kind: CronJob
|
|
metadata:
|
|
annotations:
|
|
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
|
|
name: ocis-s3-backup
|
|
namespace: ocis
|
|
spec:
|
|
concurrencyPolicy: Forbid
|
|
failedJobsHistoryLimit: 3
|
|
jobTemplate:
|
|
spec:
|
|
template:
|
|
spec:
|
|
containers:
|
|
- args:
|
|
- sync
|
|
- s3:ocis-tr1ceracop
|
|
- 'backup:'
|
|
- --transfers=4
|
|
- -v
|
|
env:
|
|
- name: RCLONE_CONFIG_S3_TYPE
|
|
value: s3
|
|
- name: RCLONE_CONFIG_S3_PROVIDER
|
|
value: Other
|
|
- name: RCLONE_CONFIG_S3_ENDPOINT
|
|
value: https://nbg1.your-objectstorage.com
|
|
- name: RCLONE_CONFIG_S3_ACL
|
|
value: private
|
|
- name: RCLONE_CONFIG_S3_ACCESS_KEY_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: accessKey
|
|
name: ocis-s3-credentials
|
|
- name: RCLONE_CONFIG_S3_SECRET_ACCESS_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: secretKey
|
|
name: ocis-s3-credentials
|
|
- name: RCLONE_CONFIG_STORAGEBOX_TYPE
|
|
value: sftp
|
|
- name: RCLONE_CONFIG_STORAGEBOX_PORT
|
|
value: "23"
|
|
- name: RCLONE_CONFIG_STORAGEBOX_KEY_FILE
|
|
value: /etc/storagebox/ssh-key
|
|
- name: RCLONE_CONFIG_STORAGEBOX_SHELL_TYPE
|
|
value: none
|
|
- name: RCLONE_CONFIG_STORAGEBOX_MD5SUM_COMMAND
|
|
value: none
|
|
- name: RCLONE_CONFIG_STORAGEBOX_SHA1SUM_COMMAND
|
|
value: none
|
|
- name: RCLONE_CONFIG_STORAGEBOX_HOST
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: host
|
|
name: ocis-storagebox-credentials
|
|
- name: RCLONE_CONFIG_STORAGEBOX_USER
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: user
|
|
name: ocis-storagebox-credentials
|
|
- name: RCLONE_CONFIG_BACKUP_TYPE
|
|
value: compress
|
|
- name: RCLONE_CONFIG_BACKUP_REMOTE
|
|
value: storagebox:ocis-backup
|
|
image: rclone/rclone:1.69.0
|
|
name: backup
|
|
resources:
|
|
requests:
|
|
cpu: 50m
|
|
memory: 128Mi
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
readOnlyRootFilesystem: true
|
|
volumeMounts:
|
|
- mountPath: /etc/storagebox
|
|
name: storagebox-ssh
|
|
readOnly: true
|
|
restartPolicy: OnFailure
|
|
securityContext:
|
|
runAsGroup: 1009
|
|
runAsNonRoot: true
|
|
runAsUser: 1009
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
serviceAccountName: ocis-s3-backup
|
|
volumes:
|
|
- name: storagebox-ssh
|
|
secret:
|
|
defaultMode: 256
|
|
items:
|
|
- key: ssh-key
|
|
path: ssh-key
|
|
secretName: ocis-storagebox-credentials
|
|
ttlSecondsAfterFinished: 86400
|
|
schedule: 0 2 * * *
|
|
successfulJobsHistoryLimit: 3
|