k/{forgejo,keycloak}: add securityContexts
parent
214da23282
commit
8d864924de
|
@ -8,6 +8,11 @@ spec:
|
||||||
initContainers:
|
initContainers:
|
||||||
- name: forgejo-ssh-key-prep
|
- name: forgejo-ssh-key-prep
|
||||||
image: codeberg.org/forgejo/forgejo:1.19.3-0
|
image: codeberg.org/forgejo/forgejo:1.19.3-0
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
command: ["sh"]
|
command: ["sh"]
|
||||||
args:
|
args:
|
||||||
- -c
|
- -c
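Review bot: The container-level securityContext added here (`allowPrivilegeEscalation: false`, `drop: [ALL]`) is not paired in this hunk with the pod-level `runAsNonRoot`/`seccompProfile` that the forgejo StatefulSet receives in the same commit; if the pod spec above this hunk does not set them, the init container still runs as whatever user the image entrypoint picks and without a seccomp profile. If that is the case, add the same block under the pod `spec:` as the StatefulSet gets: `securityContext:` / `runAsNonRoot: true` / `seccompProfile:` / `type: RuntimeDefault`. The pod spec this init container belongs to starts outside the hunk, so it may already be covered.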
|
||||||
|
|
|
@ -33,10 +33,20 @@ spec:
|
||||||
labels:
|
labels:
|
||||||
app: forgejo
|
app: forgejo
|
||||||
spec:
|
spec:
|
||||||
# shareProcessNamespace: true
|
securityContext:
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 1000
|
||||||
|
runAsGroup: 1000
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
initContainers:
|
initContainers:
|
||||||
- name: config-templater
|
- name: config-templater
|
||||||
image: codeberg.org/forgejo/forgejo:1.19.3-0
|
image: codeberg.org/forgejo/forgejo:1.19.3-0
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
command: ["environment-to-ini"]
|
command: ["environment-to-ini"]
|
||||||
args:
|
args:
|
||||||
- --config
|
- --config
|
||||||
|
@ -50,6 +60,11 @@ spec:
|
||||||
mountPath: /output
|
mountPath: /output
|
||||||
- name: forgejo-migrate
|
- name: forgejo-migrate
|
||||||
image: codeberg.org/forgejo/forgejo:1.19.3-0
|
image: codeberg.org/forgejo/forgejo:1.19.3-0
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
command: ["forgejo"]
|
command: ["forgejo"]
|
||||||
args:
|
args:
|
||||||
- -c
|
- -c
|
||||||
|
@ -62,6 +77,11 @@ spec:
|
||||||
mountPath: /etc/forgejo
|
mountPath: /etc/forgejo
|
||||||
- name: forgejo-oidc
|
- name: forgejo-oidc
|
||||||
image: codeberg.org/forgejo/forgejo:1.19.3-0
|
image: codeberg.org/forgejo/forgejo:1.19.3-0
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
command: ["sh"]
|
command: ["sh"]
|
||||||
args:
|
args:
|
||||||
- -c
|
- -c
|
||||||
|
@ -81,6 +101,11 @@ spec:
|
||||||
containers:
|
containers:
|
||||||
- name: forgejo-web
|
- name: forgejo-web
|
||||||
image: codeberg.org/forgejo/forgejo:1.19.3-0
|
image: codeberg.org/forgejo/forgejo:1.19.3-0
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
command: ["forgejo"]
|
command: ["forgejo"]
|
||||||
args:
|
args:
|
||||||
- -c
|
- -c
|
||||||
|
@ -96,6 +121,11 @@ spec:
|
||||||
mountPath: /etc/forgejo
|
mountPath: /etc/forgejo
|
||||||
- name: forgejo-ssh
|
- name: forgejo-ssh
|
||||||
image: codeberg.org/forgejo/forgejo:1.19.3-0
|
image: codeberg.org/forgejo/forgejo:1.19.3-0
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
command: ["/usr/sbin/sshd"]
|
command: ["/usr/sbin/sshd"]
|
||||||
args:
|
args:
|
||||||
- -D
|
- -D
|
||||||
|
@ -118,9 +148,6 @@ spec:
|
||||||
- name: forgejo-config-template
|
- name: forgejo-config-template
|
||||||
configMap:
|
configMap:
|
||||||
name: forgejo-config-template
|
name: forgejo-config-template
|
||||||
securityContext:
|
|
||||||
runAsUser: 1000
|
|
||||||
runAsGroup: 1000
|
|
||||||
volumeClaimTemplates:
|
volumeClaimTemplates:
|
||||||
- metadata:
|
- metadata:
|
||||||
name: forgejo-data
|
name: forgejo-data
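Review bot: With the pod now running as UID 1000 and the forgejo-ssh container dropping ALL capabilities (hunk @ -96,6 +121,11), `/usr/sbin/sshd -D` can no longer bind a port below 1024; the listen port is configured outside these hunks, so if sshd still binds 22 the container will fail at startup, and adding NET_BIND_SERVICE back would not help a non-root process unless the runtime grants it as an ambient capability. Verify that the sshd configuration and the Service targetPort use an unprivileged port, and record the constraint next to the container, e.g. `# runs as UID 1000 with no capabilities: sshd must listen on a port >= 1024`. Note also that `runAsNonRoot: true` appears to work with the non-rootless `forgejo:1.19.3-0` image only because every container overrides `command`; the image's default entrypoint expects to start as root, so a container added later without a `command` override would fail the runAsNonRoot check.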
|
||||||
|
|
|
@ -8,11 +8,20 @@ spec:
|
||||||
spec:
|
spec:
|
||||||
template:
|
template:
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
runAsNonRoot: true
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
serviceAccountName: forgejo-snapshot
|
serviceAccountName: forgejo-snapshot
|
||||||
initContainers:
|
initContainers:
|
||||||
- name: template-snapshot-name
|
- name: template-snapshot-name
|
||||||
image: bitnami/kubectl:1.27.1
|
image: bitnami/kubectl:1.27.1
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
command: ["/bin/sh"]
|
command: ["/bin/sh"]
|
||||||
args:
|
args:
|
||||||
- -c
|
- -c
|
||||||
|
@ -30,6 +39,11 @@ spec:
|
||||||
containers:
|
containers:
|
||||||
- name: create-volume-snapshot
|
- name: create-volume-snapshot
|
||||||
image: bitnami/kubectl:1.27.1
|
image: bitnami/kubectl:1.27.1
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
args:
|
args:
|
||||||
- -n
|
- -n
|
||||||
- $(POD_NAMESPACE)
|
- $(POD_NAMESPACE)
|
||||||
|
@ -46,6 +60,11 @@ spec:
|
||||||
mountPath: /in
|
mountPath: /in
|
||||||
- name: cleanup-volume-snapshot
|
- name: cleanup-volume-snapshot
|
||||||
image: bitnami/kubectl:1.27.1
|
image: bitnami/kubectl:1.27.1
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
command: ["sh"]
|
command: ["sh"]
|
||||||
args:
|
args:
|
||||||
- -c
|
- -c
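Review bot: The pod-level securityContext added at the top of this section sets `runAsNonRoot: true` without a `runAsUser`, unlike the forgejo StatefulSet in this commit; the kubelet then relies on the bitnami/kubectl image declaring a numeric USER and rejects the pod at start if that user is root or non-numeric. The keycloak Deployment hunk (@ -29,9 +29,18) has the same gap. Pin the user explicitly alongside runAsNonRoot, e.g. `runAsUser: 1001` / `runAsGroup: 1001` (constructed values — confirm against the image's USER), so the pod does not change behaviour when the image tag is bumped.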
|
||||||
|
|
|
@ -29,9 +29,18 @@ spec:
|
||||||
labels:
|
labels:
|
||||||
app: keycloak
|
app: keycloak
|
||||||
spec:
|
spec:
|
||||||
|
securityContext:
|
||||||
|
runAsNonRoot: true
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
containers:
|
containers:
|
||||||
- name: keycloak
|
- name: keycloak
|
||||||
image: quay.io/keycloak/keycloak:21.1.1
|
image: quay.io/keycloak/keycloak:21.1.1
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
args: ["start"]
|
args: ["start"]
|
||||||
env:
|
env:
|
||||||
- name: KC_PROXY
|
- name: KC_PROXY
|
||||||
|
|