From 8d864924de58197c4bb3dd66ebc96f315fa2d73c Mon Sep 17 00:00:00 2001
From: "ryan-distrust.co"
Date: Tue, 16 May 2023 20:46:41 -0400
Subject: [PATCH] k/{forgejo,keycloak}: add securityContexts
---
.../forgejo/forgejo-ssh-keys.patch.yaml | 5 +++
kustomizations/forgejo/resources.yaml | 35 ++++++++++++++++---
.../forgejo/snapshots/resources.yaml | 19 ++++++++++
kustomizations/keycloak/resources.yaml | 9 +++++
4 files changed, 64 insertions(+), 4 deletions(-)
diff --git a/kustomizations/forgejo/forgejo-ssh-keys.patch.yaml b/kustomizations/forgejo/forgejo-ssh-keys.patch.yaml
index a125a1a..10db90e 100644
--- a/kustomizations/forgejo/forgejo-ssh-keys.patch.yaml
+++ b/kustomizations/forgejo/forgejo-ssh-keys.patch.yaml
@@ -8,6 +8,11 @@ spec: initContainers: - name: forgejo-ssh-key-prep image: codeberg.org/forgejo/forgejo:1.19.3-0 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL command: ["sh"] args: - -c
diff --git a/kustomizations/forgejo/resources.yaml b/kustomizations/forgejo/resources.yaml
index a7f04db..f468d65 100644
--- a/kustomizations/forgejo/resources.yaml
+++ b/kustomizations/forgejo/resources.yaml
@@ -33,10 +33,20 @@ spec: labels: app: forgejo spec: - # shareProcessNamespace: true + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + seccompProfile: + type: RuntimeDefault initContainers: - name: config-templater image: codeberg.org/forgejo/forgejo:1.19.3-0 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL command: ["environment-to-ini"] args: - --config
@@ -50,6 +60,11 @@ spec: mountPath: /output - name: forgejo-migrate image: codeberg.org/forgejo/forgejo:1.19.3-0 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL command: ["forgejo"] args: - -c 
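Review bot: The pod-level securityContext added at the top of the `@@ -33,10 +33,20 @@` hunk pins `runAsUser`/`runAsGroup` 1000 but sets no `fsGroup`, so whether UID 1000 can write the `forgejo-data` volume from the volumeClaimTemplate further down the file depends entirely on the CSI driver having chowned the filesystem; where it has not, the now-mandatory non-root init containers and `forgejo-web` fail with permission errors on the data volume. Add `fsGroup: 1000` beside `runAsGroup: 1000`, and `fsGroupChangePolicy: OnRootMismatch` so the kubelet does not re-chown the whole repository tree on every pod start. The securityContext this one replaces (removed in a later hunk) had the same omission, so this is not a regression introduced here, just the natural place to close it.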
@@ -62,6 +77,11 @@ spec: mountPath: /etc/forgejo - name: forgejo-oidc image: codeberg.org/forgejo/forgejo:1.19.3-0 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL command: ["sh"] args: - -c
@@ -81,6 +101,11 @@ spec: containers: - name: forgejo-web image: codeberg.org/forgejo/forgejo:1.19.3-0 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL command: ["forgejo"] args: - -c
@@ -96,6 +121,11 @@ spec: mountPath: /etc/forgejo - name: forgejo-ssh image: codeberg.org/forgejo/forgejo:1.19.3-0 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL command: ["/usr/sbin/sshd"] args: - -D
@@ -118,9 +148,6 @@ spec: - name: forgejo-config-template configMap: name: forgejo-config-template - securityContext: - runAsUser: 1000 - runAsGroup: 1000 volumeClaimTemplates: - metadata: name: forgejo-data
diff --git a/kustomizations/forgejo/snapshots/resources.yaml b/kustomizations/forgejo/snapshots/resources.yaml
index 8ca8d5d..45c78ca 100644
--- a/kustomizations/forgejo/snapshots/resources.yaml
+++ b/kustomizations/forgejo/snapshots/resources.yaml
@@ -8,11 +8,20 @@ spec: spec: template: spec: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault restartPolicy: OnFailure serviceAccountName: forgejo-snapshot initContainers: - name: template-snapshot-name image: bitnami/kubectl:1.27.1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL command: ["/bin/sh"] args: - -c
@@ -30,6 +39,11 @@ spec: containers: - name: create-volume-snapshot image: bitnami/kubectl:1.27.1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL args: - -n - $(POD_NAMESPACE)
@@ -46,6 +60,11 @@ spec: mountPath: /in - name: cleanup-volume-snapshot image: bitnami/kubectl:1.27.1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL command: ["sh"] args: - -c 
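Review bot: In the `@@ -96,6 +121,11 @@` hunk `forgejo-ssh` now runs `/usr/sbin/sshd -D` under the pod's UID 1000 with every capability dropped, which removes CAP_NET_BIND_SERVICE: the daemon can only bind a port ≥ 1024 unless the pod also sets the `net.ipv4.ip_unprivileged_port_start` sysctl, and its host keys and PidFile location must be readable/writable by UID 1000 without any root step. The sshd_config and the Service/port wiring are not in this hunk, so I cannot confirm either from here; a comment on the container such as `# runs unprivileged: sshd_config needs Port >= 1024 (no NET_BIND_SERVICE), host keys owned by uid 1000, PidFile writable or none` would record the constraint for the next person who changes the port. Also worth noting for operators that an sshd started as a non-root user can generally only serve that same user (no setuid to others), which fits a single git user but means the image's rootful entrypoint user-switching is not available here.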
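Review bot: The pod securityContext in the snapshots `@@ -8,11 +8,20 @@` hunk sets `runAsNonRoot: true` but, unlike the forgejo StatefulSet in this same commit, no `runAsUser`, so enforcement is deferred to the kubelet inspecting the image's USER at container creation; if `bitnami/kubectl:1.27.1` ever ships with a non-numeric or missing USER the pod fails with CreateContainerConfigError rather than running hardened. Pinning the UID makes the policy explicit and independent of the image, e.g. `runAsUser: 1001` under `runAsNonRoot: true` (1001 is what the bitnami images declare as far as I know; verify against the image before relying on it). The three kubectl containers otherwise get the same capability/privilege-escalation settings as the forgejo ones, which is consistent.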
diff --git a/kustomizations/keycloak/resources.yaml b/kustomizations/keycloak/resources.yaml
index 1f9a8e4..3c25fff 100644
--- a/kustomizations/keycloak/resources.yaml
+++ b/kustomizations/keycloak/resources.yaml
@@ -29,9 +29,18 @@ spec: labels: app: keycloak spec: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault containers: - name: keycloak image: quay.io/keycloak/keycloak:21.1.1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL args: ["start"] env: - name: KC_PROXY
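Review bot: The new pod securityContext for keycloak sets `runAsNonRoot: true` without a `runAsUser`, so the non-root guarantee rests on `quay.io/keycloak/keycloak:21.1.1` declaring a numeric non-zero USER, checked by the kubelet only at container creation; a future tag that changes or drops that directive turns the hardening into a CreateContainerConfigError. Pin the UID explicitly, e.g. `runAsUser: 1000` beside `runAsNonRoot: true`, if that matches the image's declared user (I believe the upstream Keycloak image uses 1000, but confirm against the image). I would not add `readOnlyRootFilesystem: true` here as well: `args: ["start"]` without `--optimized` implies a build step at startup that writes into the install directory, so that flag needs a separate, tested change.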