k/{forgejo,keycloak}: add securityContexts
This commit is contained in:
parent
214da23282
commit
8d864924de
|
@ -8,6 +8,11 @@ spec:
|
|||
initContainers:
|
||||
- name: forgejo-ssh-key-prep
|
||||
image: codeberg.org/forgejo/forgejo:1.19.3-0
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
command: ["sh"]
|
||||
args:
|
||||
- -c
|
||||
|
|
|
@ -33,10 +33,20 @@ spec:
|
|||
labels:
|
||||
app: forgejo
|
||||
spec:
|
||||
# shareProcessNamespace: true
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
initContainers:
|
||||
- name: config-templater
|
||||
image: codeberg.org/forgejo/forgejo:1.19.3-0
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
command: ["environment-to-ini"]
|
||||
args:
|
||||
- --config
|
||||
|
@ -50,6 +60,11 @@ spec:
|
|||
mountPath: /output
|
||||
- name: forgejo-migrate
|
||||
image: codeberg.org/forgejo/forgejo:1.19.3-0
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
command: ["forgejo"]
|
||||
args:
|
||||
- -c
|
||||
|
@ -62,6 +77,11 @@ spec:
|
|||
mountPath: /etc/forgejo
|
||||
- name: forgejo-oidc
|
||||
image: codeberg.org/forgejo/forgejo:1.19.3-0
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
command: ["sh"]
|
||||
args:
|
||||
- -c
|
||||
|
@ -81,6 +101,11 @@ spec:
|
|||
containers:
|
||||
- name: forgejo-web
|
||||
image: codeberg.org/forgejo/forgejo:1.19.3-0
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
command: ["forgejo"]
|
||||
args:
|
||||
- -c
|
||||
|
@ -96,6 +121,11 @@ spec:
|
|||
mountPath: /etc/forgejo
|
||||
- name: forgejo-ssh
|
||||
image: codeberg.org/forgejo/forgejo:1.19.3-0
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
command: ["/usr/sbin/sshd"]
|
||||
args:
|
||||
- -D
|
||||
|
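Review bot: The `forgejo-ssh` container now runs `/usr/sbin/sshd -D` as UID 1000 with `drop: [ALL]`, which means it cannot bind a privileged port; the listen port and volumeMounts are outside this hunk, so please confirm sshd is configured for a port ≥ 1024 (or the node's `net.ipv4.ip_unprivileged_port_start` is lowered), otherwise the container will fail at startup. If port 22 inside the pod is a hard requirement, the smallest concession is `capabilities: { drop: [ALL], add: [NET_BIND_SERVICE] }` on this one container rather than relaxing `runAsNonRoot`. sshd as a non-root user also needs writable host-key and pid-file paths, which presumably the `forgejo-ssh-key-prep` init container provides — worth a one-line comment above `- name: forgejo-ssh` stating that assumption. None of the new container contexts set `readOnlyRootFilesystem: true`; where a container only writes to mounted volumes that is a cheap extra hardening to add alongside `allowPrivilegeEscalation: false`.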
@ -118,9 +148,6 @@ spec:
|
|||
- name: forgejo-config-template
|
||||
configMap:
|
||||
name: forgejo-config-template
|
||||
securityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: forgejo-data
|
||||
|
|
|
@ -8,11 +8,20 @@ spec:
|
|||
spec:
|
||||
template:
|
||||
spec:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
restartPolicy: OnFailure
|
||||
serviceAccountName: forgejo-snapshot
|
||||
initContainers:
|
||||
- name: template-snapshot-name
|
||||
image: bitnami/kubectl:1.27.1
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
command: ["/bin/sh"]
|
||||
args:
|
||||
- -c
|
||||
|
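Review bot: The pod-level `securityContext` here sets `runAsNonRoot: true` without a `runAsUser`, so admission depends entirely on the `bitnami/kubectl:1.27.1` image declaring a numeric non-root `USER`; if the image runs as root or uses a named user, the kubelet refuses to start the pod with a runAsNonRoot verification error. The keycloak section's `@ -29,9 +29,18 @@` hunk has the same gap for `quay.io/keycloak/keycloak:21.1.1`. Pinning the UID explicitly, as the forgejo statefulset does with `runAsUser: 1000` / `runAsGroup: 1000`, makes the policy hold regardless of image changes; the exact UID should be taken from each image, not assumed. The CronJob's job template (`restartPolicy`, `serviceAccountName`) continues outside the hunk.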
@ -30,6 +39,11 @@ spec:
|
|||
containers:
|
||||
- name: create-volume-snapshot
|
||||
image: bitnami/kubectl:1.27.1
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
args:
|
||||
- -n
|
||||
- $(POD_NAMESPACE)
|
||||
|
@ -46,6 +60,11 @@ spec:
|
|||
mountPath: /in
|
||||
- name: cleanup-volume-snapshot
|
||||
image: bitnami/kubectl:1.27.1
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
command: ["sh"]
|
||||
args:
|
||||
- -c
|
||||
|
|
|
@ -29,9 +29,18 @@ spec:
|
|||
labels:
|
||||
app: keycloak
|
||||
spec:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: keycloak
|
||||
image: quay.io/keycloak/keycloak:21.1.1
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
args: ["start"]
|
||||
env:
|
||||
- name: KC_PROXY
|
||||
|
|