
k/{forgejo,keycloak}: add securityContexts

This commit is contained in:
ryan-distrust.co 2023-05-16 20:46:41 -04:00
parent 214da23282
commit 8d864924de
Signed by untrusted user who does not match committer: ryan
GPG Key ID: 8E401478A3FBEF72
4 changed files with 64 additions and 4 deletions


@ -8,6 +8,11 @@ spec:
initContainers:
- name: forgejo-ssh-key-prep
image: codeberg.org/forgejo/forgejo:1.19.3-0
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["sh"]
args:
- -c
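Review bot: Nothing in this hunk sets the UID that `forgejo-ssh-key-prep` runs as, and the pod-level `securityContext` for this object, if it has one, sits above the hunk. `codeberg.org/forgejo/forgejo:1.19.3-0` is the non-rootless tag, which as far as I know starts as root and only drops to `git` inside its own entrypoint — an entrypoint this container bypasses with `command: ["sh"]` — so `allowPrivilegeEscalation: false` plus `drop: ALL` on their own would still leave a root shell with a reduced bounding set. Either confirm the pod spec above carries `runAsNonRoot: true` / `runAsUser: 1000` as the StatefulSet does elsewhere in this commit, or add `runAsNonRoot: true` and `runAsUser: 1000` to this container's `securityContext` beneath the existing `allowPrivilegeEscalation: false`. The enclosing pod spec and the script passed to `sh -c` both lie outside the hunk.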


@ -33,10 +33,20 @@ spec:
labels:
app: forgejo
spec:
# shareProcessNamespace: true
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: RuntimeDefault
initContainers:
- name: config-templater
image: codeberg.org/forgejo/forgejo:1.19.3-0
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["environment-to-ini"]
args:
- --config
@ -50,6 +60,11 @@ spec:
mountPath: /output
- name: forgejo-migrate
image: codeberg.org/forgejo/forgejo:1.19.3-0
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["forgejo"]
args:
- -c
@ -62,6 +77,11 @@ spec:
mountPath: /etc/forgejo
- name: forgejo-oidc
image: codeberg.org/forgejo/forgejo:1.19.3-0
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["sh"]
args:
- -c
@ -81,6 +101,11 @@ spec:
containers:
- name: forgejo-web
image: codeberg.org/forgejo/forgejo:1.19.3-0
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["forgejo"]
args:
- -c
@ -96,6 +121,11 @@ spec:
mountPath: /etc/forgejo
- name: forgejo-ssh
image: codeberg.org/forgejo/forgejo:1.19.3-0
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["/usr/sbin/sshd"]
args:
- -D
@ -118,9 +148,6 @@ spec:
- name: forgejo-config-template
configMap:
name: forgejo-config-template
securityContext:
runAsUser: 1000
runAsGroup: 1000
volumeClaimTemplates:
- metadata:
name: forgejo-data
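Review bot: `forgejo-ssh` now runs `/usr/sbin/sshd -D` as UID 1000 with every capability dropped, so it cannot bind a port below 1024; unless the `sshd_config` (outside the hunk) sets `Port` to 1024 or higher, or the nodes lower `net.ipv4.ip_unprivileged_port_start`, the container will fail at startup. If port 22 is required, check the configured listening port first, and keep in mind that `capabilities.add: [NET_BIND_SERVICE]` on a non-root container only takes effect when the sshd binary carries the matching file capability, since Kubernetes does not grant ambient capabilities by default. Separately, the pod-level block at `runAsUser: 1000` carries no `fsGroup`, so whether UID 1000 can write the `forgejo-data` claim depends on the storage driver; `fsGroup: 1000` with `fsGroupChangePolicy: OnRootMismatch` would make that independent of the provisioner. The sshd arguments and the volume mounts continue past the hunk edges.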


@ -8,11 +8,20 @@ spec:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
restartPolicy: OnFailure
serviceAccountName: forgejo-snapshot
initContainers:
- name: template-snapshot-name
image: bitnami/kubectl:1.27.1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["/bin/sh"]
args:
- -c
@ -30,6 +39,11 @@ spec:
containers:
- name: create-volume-snapshot
image: bitnami/kubectl:1.27.1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
args:
- -n
- $(POD_NAMESPACE)
@ -46,6 +60,11 @@ spec:
mountPath: /in
- name: cleanup-volume-snapshot
image: bitnami/kubectl:1.27.1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["sh"]
args:
- -c
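Review bot: The pod-level `securityContext` at `runAsNonRoot: true` pins no `runAsUser`, so the kubelet must prove non-root status from the image's `USER` directive at container creation; with `bitnami/kubectl:1.27.1` that is presumably a numeric UID (1001), but a future tag that switches to a named user would make all three containers fail with CreateContainerConfigError instead of running. Adding `runAsUser: 1001` / `runAsGroup: 1001` (verify against the image) next to `runAsNonRoot: true` keeps the guarantee independent of the image and matches the explicit UID the forgejo StatefulSet uses in this commit. Because this pod's `forgejo-snapshot` service account presumably holds create/delete rights on VolumeSnapshots, it is also worth pinning the image by digest rather than the mutable `1.27.1` tag. The scripts passed to `sh -c` and the snapshot arguments run past the hunk edges.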


@ -29,9 +29,18 @@ spec:
labels:
app: keycloak
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: keycloak
image: quay.io/keycloak/keycloak:21.1.1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
args: ["start"]
env:
- name: KC_PROXY
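Review bot: `runAsNonRoot: true` here is enforced from the image metadata alone, because no `runAsUser` accompanies it, whereas the forgejo StatefulSet in the same commit pins `runAsUser: 1000`; this manifest should do the same. The official Keycloak image runs, to my knowledge, as UID 1000, so `runAsUser: 1000` and `runAsGroup: 1000` under `runAsNonRoot: true` would be the lines to add once confirmed against `quay.io/keycloak/keycloak:21.1.1`. `readOnlyRootFilesystem: true` is also absent from the container block, though with `args: ["start"]` (a non-`--optimized` start that may write into the install tree during augmentation) it likely needs `emptyDir` mounts for the writable paths first. The `env` list beginning at `KC_PROXY` continues outside the hunk.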