k/{forgejo,keycloak}: add securityContexts

ryan-distrust.co 2023-05-16 20:46:41 -04:00
parent 214da23282
commit 8d864924de
Signed by untrusted user who does not match committer: ryan
GPG Key ID: 8E401478A3FBEF72
4 changed files with 64 additions and 4 deletions


@ -8,6 +8,11 @@ spec:
initContainers: initContainers:
- name: forgejo-ssh-key-prep - name: forgejo-ssh-key-prep
image: codeberg.org/forgejo/forgejo:1.19.3-0 image: codeberg.org/forgejo/forgejo:1.19.3-0
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["sh"] command: ["sh"]
args: args:
- -c - -c
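Review bot: The new `securityContext` under `image:` for `forgejo-ssh-key-prep` only drops capabilities and privilege escalation; whether this file's pod spec also sets `runAsNonRoot: true` and a `seccompProfile` the way the StatefulSet and CronJob in this same commit do is not visible in the hunk, and without those the `sh -c` step still runs as whatever user the image defaults to. If the pod spec does not already carry it, add `securityContext: {runAsNonRoot: true, seccompProfile: {type: RuntimeDefault}}` at pod level so the container-level hardening here is not the only layer. `readOnlyRootFilesystem: true` is also worth adding on this container, since a key-prep step presumably writes only to its mounted output volume — confirm against the script body, which continues past the end of the hunk.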


@ -33,10 +33,20 @@ spec:
labels: labels:
app: forgejo app: forgejo
spec: spec:
# shareProcessNamespace: true securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
seccompProfile:
type: RuntimeDefault
initContainers: initContainers:
- name: config-templater - name: config-templater
image: codeberg.org/forgejo/forgejo:1.19.3-0 image: codeberg.org/forgejo/forgejo:1.19.3-0
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["environment-to-ini"] command: ["environment-to-ini"]
args: args:
- --config - --config
@ -50,6 +60,11 @@ spec:
mountPath: /output mountPath: /output
- name: forgejo-migrate - name: forgejo-migrate
image: codeberg.org/forgejo/forgejo:1.19.3-0 image: codeberg.org/forgejo/forgejo:1.19.3-0
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["forgejo"] command: ["forgejo"]
args: args:
- -c - -c
@ -62,6 +77,11 @@ spec:
mountPath: /etc/forgejo mountPath: /etc/forgejo
- name: forgejo-oidc - name: forgejo-oidc
image: codeberg.org/forgejo/forgejo:1.19.3-0 image: codeberg.org/forgejo/forgejo:1.19.3-0
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["sh"] command: ["sh"]
args: args:
- -c - -c
@ -81,6 +101,11 @@ spec:
containers: containers:
- name: forgejo-web - name: forgejo-web
image: codeberg.org/forgejo/forgejo:1.19.3-0 image: codeberg.org/forgejo/forgejo:1.19.3-0
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["forgejo"] command: ["forgejo"]
args: args:
- -c - -c
@ -96,6 +121,11 @@ spec:
mountPath: /etc/forgejo mountPath: /etc/forgejo
- name: forgejo-ssh - name: forgejo-ssh
image: codeberg.org/forgejo/forgejo:1.19.3-0 image: codeberg.org/forgejo/forgejo:1.19.3-0
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["/usr/sbin/sshd"] command: ["/usr/sbin/sshd"]
args: args:
- -D - -D
@ -118,9 +148,6 @@ spec:
- name: forgejo-config-template - name: forgejo-config-template
configMap: configMap:
name: forgejo-config-template name: forgejo-config-template
securityContext:
runAsUser: 1000
runAsGroup: 1000
volumeClaimTemplates: volumeClaimTemplates:
- metadata: - metadata:
name: forgejo-data name: forgejo-data
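Review bot: `forgejo-ssh` now runs `/usr/sbin/sshd -D` as uid 1000 with every capability dropped (`drop: [ALL]` on the container, `runAsUser: 1000` moved to the pod-level `securityContext`), so it can only bind ports >= 1024 unless the node lowers `net.ipv4.ip_unprivileged_port_start`; if the sshd config this image or a mounted file provides still listens on 22, the container will fail to bind and crash-loop. Either confirm the config uses an unprivileged port with the Service mapping 22 to it, or give this one container `capabilities: {add: [NET_BIND_SERVICE], drop: [ALL]}` while leaving the others fully dropped. The pod context sets `runAsUser`/`runAsGroup` but no `fsGroup`, so write access to the `forgejo-data` claim depends on what the storage class does with ownership; `fsGroup: 1000` next to `runAsGroup: 1000` would make that explicit. Consider `readOnlyRootFilesystem: true` on each container as well, with emptyDir mounts for any path the image writes at runtime (the `/etc/forgejo` and `/output` mounts suggest the writable paths are already known).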


@ -8,11 +8,20 @@ spec:
spec: spec:
template: template:
spec: spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
restartPolicy: OnFailure restartPolicy: OnFailure
serviceAccountName: forgejo-snapshot serviceAccountName: forgejo-snapshot
initContainers: initContainers:
- name: template-snapshot-name - name: template-snapshot-name
image: bitnami/kubectl:1.27.1 image: bitnami/kubectl:1.27.1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["/bin/sh"] command: ["/bin/sh"]
args: args:
- -c - -c
@ -30,6 +39,11 @@ spec:
containers: containers:
- name: create-volume-snapshot - name: create-volume-snapshot
image: bitnami/kubectl:1.27.1 image: bitnami/kubectl:1.27.1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
args: args:
- -n - -n
- $(POD_NAMESPACE) - $(POD_NAMESPACE)
@ -46,6 +60,11 @@ spec:
mountPath: /in mountPath: /in
- name: cleanup-volume-snapshot - name: cleanup-volume-snapshot
image: bitnami/kubectl:1.27.1 image: bitnami/kubectl:1.27.1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["sh"] command: ["sh"]
args: args:
- -c - -c
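Review bot: The pod-level `securityContext` added at the top of this hunk sets `runAsNonRoot: true` but no `runAsUser`, which makes the kubelet rely on the `bitnami/kubectl:1.27.1` image's `USER` being numeric: if an image declares its user by name the pod is refused at start with a "non-numeric user" error, and any future image bump that changes the default user silently changes who runs `kubectl`. Pin it the way the forgejo StatefulSet in this commit does, e.g. `runAsUser: 1001` and `runAsGroup: 1001` under `runAsNonRoot: true` — confirm the uid against the image, as the default for that image is not visible here. `readOnlyRootFilesystem: true` on the three kubectl containers would also fit, provided kubectl's discovery cache (normally under the home directory) is either disabled or given an emptyDir.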


@ -29,9 +29,18 @@ spec:
labels: labels:
app: keycloak app: keycloak
spec: spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers: containers:
- name: keycloak - name: keycloak
image: quay.io/keycloak/keycloak:21.1.1 image: quay.io/keycloak/keycloak:21.1.1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
args: ["start"] args: ["start"]
env: env:
- name: KC_PROXY - name: KC_PROXY
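Review bot: The keycloak pod's new `securityContext` stops at `runAsNonRoot: true` and `seccompProfile`, with no explicit `runAsUser`/`runAsGroup`, so the effective uid is whatever `quay.io/keycloak/keycloak:21.1.1` declares — and if that is ever a non-numeric `USER`, `runAsNonRoot` makes the kubelet reject the pod rather than verify it. For consistency with the forgejo StatefulSet in this commit, pin `runAsUser: 1000` and `runAsGroup: 1000` (verify the uid against the image's Dockerfile; it is not shown here). Since the container has `drop: [ALL]`, also confirm the `start` invocation binds only unprivileged ports (8080/8443 by default behind `KC_PROXY`), and consider `readOnlyRootFilesystem: true` with an emptyDir for Keycloak's data/tmp directory.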