fix: switch from pod to defaultPodOptions #7382

Merged
merged 4 commits into from
Apr 15, 2024
Conversation


@onedr0p onedr0p commented Apr 15, 2024

No description provided.

Signed-off-by: Devin Buhl <devin@buhl.casa>
@bot-ross bot-ross bot added area/kubernetes Changes made in the kubernetes directory cluster/main labels Apr 15, 2024

bot-ross bot commented Apr 15, 2024

--- kubernetes/main/apps/observability/alertmanager-silencer/app Kustomization: flux-system/alertmanager-silencer HelmRelease: observability/alertmanager-silencer

+++ kubernetes/main/apps/observability/alertmanager-silencer/app Kustomization: flux-system/alertmanager-silencer HelmRelease: observability/alertmanager-silencer

@@ -58,13 +58,15 @@

                 - ALL
               readOnlyRootFilesystem: true
         cronjob:
           failedJobsHistory: 1
           schedule: '@daily'
           successfulJobsHistory: 1
-        pod:
-          securityContext:
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
         type: cronjob
+    defaultPodOptions:
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
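Review bot: The new `defaultPodOptions.securityContext` at the bottom of the hunk runs the pod as UID/GID 65534 where the removed `pod.securityContext` used 568, so this hunk changes the runtime identity as well as the key name, and neither the PR title nor the empty description mentions it. If the image or anything it mounts assumes 568, the cronjob fails at run time rather than at apply time, which is the worst place for a "fix:" commit to surface. A comment above the block such as `# runs as nobody (65534); the job needs no writable state` would record that the move is deliberate, and the description should list the releases whose UID changes.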
 
--- kubernetes/main/apps/default/atuin/app Kustomization: flux-system/atuin HelmRelease: default/atuin

+++ kubernetes/main/apps/default/atuin/app Kustomization: flux-system/atuin HelmRelease: default/atuin

@@ -89,21 +89,28 @@

             envFrom:
             - secretRef:
                 name: atuin-secret
             image:
               repository: ghcr.io/onedr0p/postgres-init
               tag: 16
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
         replicas: 3
         strategy: RollingUpdate
+    defaultPodOptions:
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: atuin
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
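Review bot: The rewritten securityContext drops `fsGroup: 568` / `fsGroupChangePolicy: OnRootMismatch` and moves runAsUser/runAsGroup from 568 to 65534 in the same step, which is more than the key rename the title describes. If atuin has a persistent volume (not visible in this hunk) whose files are owned by 568, a process running as 65534 with no fsGroup can no longer write to it. If that volume was removed elsewhere in the PR this is fine; otherwise keep `fsGroup: 65534` with `fsGroupChangePolicy: OnRootMismatch` so the mount is re-owned on first attach. The added topologySpreadConstraints are consistent with the `replicas: 3` line above them.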
     ingress:
       app:
         className: internal
         hosts:
         - host: sh.devbu.io
           paths:
--- kubernetes/main/apps/default/authelia/app Kustomization: flux-system/authelia HelmRelease: default/authelia

+++ kubernetes/main/apps/default/authelia/app Kustomization: flux-system/authelia HelmRelease: default/authelia

@@ -89,26 +89,28 @@

             envFrom:
             - secretRef:
                 name: authelia-secret
             image:
               repository: ghcr.io/onedr0p/postgres-init
               tag: 16
-        pod:
-          securityContext:
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
-          topologySpreadConstraints:
-          - labelSelector:
-              matchLabels:
-                app.kubernetes.io/name: authelia
-            maxSkew: 1
-            topologyKey: kubernetes.io/hostname
-            whenUnsatisfiable: DoNotSchedule
         replicas: 3
         strategy: RollingUpdate
+    defaultPodOptions:
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: authelia
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
     ingress:
       app:
         annotations:
           external-dns.alpha.kubernetes.io/target: external.devbu.io
           nginx.ingress.kubernetes.io/configuration-snippet: |
             add_header Cache-Control "no-store";
--- kubernetes/main/apps/default/autobrr/app Kustomization: flux-system/autobrr HelmRelease: default/autobrr

+++ kubernetes/main/apps/default/autobrr/app Kustomization: flux-system/autobrr HelmRelease: default/autobrr

@@ -83,17 +83,19 @@

             envFrom:
             - secretRef:
                 name: autobrr-secret
             image:
               repository: ghcr.io/onedr0p/postgres-init
               tag: 16
-        pod:
-          securityContext:
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
+    defaultPodOptions:
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
     ingress:
       app:
         className: internal
         hosts:
         - host: '{{ .Release.Name }}.devbu.io'
           paths:
--- kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared HelmRelease: network/cloudflared

+++ kubernetes/main/apps/network/cloudflared/app Kustomization: flux-system/cloudflared HelmRelease: network/cloudflared

@@ -83,26 +83,28 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
-          topologySpreadConstraints:
-          - labelSelector:
-              matchLabels:
-                app.kubernetes.io/name: cloudflared
-            maxSkew: 1
-            topologyKey: kubernetes.io/hostname
-            whenUnsatisfiable: DoNotSchedule
         replicas: 3
         strategy: RollingUpdate
+    defaultPodOptions:
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: cloudflared
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
     persistence:
       config:
         globalMounts:
         - path: /etc/cloudflared/config/config.yaml
           readOnly: true
           subPath: config.yaml
--- kubernetes/main/apps/default/cross-seed/app Kustomization: flux-system/cross-seed HelmRelease: default/cross-seed

+++ kubernetes/main/apps/default/cross-seed/app Kustomization: flux-system/cross-seed HelmRelease: default/cross-seed

@@ -60,21 +60,23 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
-            supplementalGroups:
-            - 10000
+    defaultPodOptions:
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
+        supplementalGroups:
+        - 10000
     persistence:
       config:
         type: emptyDir
       config-file:
         globalMounts:
         - path: /config/config.js
--- kubernetes/main/apps/database/dragonfly/app Kustomization: flux-system/dragonfly HelmRelease: database/dragonfly-operator

+++ kubernetes/main/apps/database/dragonfly/app Kustomization: flux-system/dragonfly HelmRelease: database/dragonfly-operator

@@ -70,25 +70,27 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            runAsGroup: 65534
-            runAsNonRoot: true
-            runAsUser: 65534
-          topologySpreadConstraints:
-          - labelSelector:
-              matchLabels:
-                app.kubernetes.io/name: dragonfly-operator
-            maxSkew: 1
-            topologyKey: kubernetes.io/hostname
-            whenUnsatisfiable: DoNotSchedule
         strategy: RollingUpdate
+    defaultPodOptions:
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: dragonfly-operator
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
     service:
       app:
         controller: dragonfly-operator
         ports:
           http:
             port: 8081
--- kubernetes/main/apps/network/echo-server/app Kustomization: flux-system/echo-server HelmRelease: network/echo-server

+++ kubernetes/main/apps/network/echo-server/app Kustomization: flux-system/echo-server HelmRelease: network/echo-server

@@ -72,26 +72,28 @@

               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
               seccompProfile:
                 type: RuntimeDefault
-        pod:
-          securityContext:
-            runAsGroup: 65534
-            runAsNonRoot: true
-            runAsUser: 65534
-          topologySpreadConstraints:
-          - labelSelector:
-              matchLabels:
-                app.kubernetes.io/name: echo-server
-            maxSkew: 1
-            topologyKey: kubernetes.io/hostname
-            whenUnsatisfiable: DoNotSchedule
         replicas: 3
         strategy: RollingUpdate
+    defaultPodOptions:
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: echo-server
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
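Review bot: The pod-level `seccompProfile: RuntimeDefault` added under `defaultPodOptions` duplicates the container-level one still present at the top of the hunk (`securityContext.seccompProfile.type: RuntimeDefault`); the container-level value takes precedence, so behaviour is unchanged, but carrying both invites drift if one is later edited. Either drop the container-level entry now that the pod default exists, or annotate it with `# container override; pod default below is the same` so the next reader knows which one is authoritative. This is a style point only.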
     ingress:
       app:
         annotations:
           external-dns.alpha.kubernetes.io/target: external.devbu.io
         className: external
         hosts:
--- kubernetes/main/apps/kube-system/fstrim/app Kustomization: flux-system/fstrim HelmRelease: kube-system/fstrim

+++ kubernetes/main/apps/kube-system/fstrim/app Kustomization: flux-system/fstrim HelmRelease: kube-system/fstrim

@@ -45,23 +45,23 @@

               privileged: true
         cronjob:
           failedJobsHistory: 1
           parallelism: 6
           schedule: '@weekly'
           successfulJobsHistory: 1
-        pod:
-          hostNetwork: true
-          hostPID: true
-          topologySpreadConstraints:
-          - labelSelector:
-              matchLabels:
-                app.kubernetes.io/name: fstrim
-            maxSkew: 1
-            topologyKey: kubernetes.io/hostname
-            whenUnsatisfiable: DoNotSchedule
         type: cronjob
+    defaultPodOptions:
+      hostNetwork: true
+      hostPID: true
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: fstrim
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
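Review bot: `hostNetwork: true` and `hostPID: true` are now release-wide defaults under `defaultPodOptions` rather than a property of the single cronjob controller, so any controller later added to this HelmRelease inherits host namespaces unless it overrides them. Together with the `privileged: true` container at the top of the hunk this pod is effectively host-equivalent, which is the expected shape for fstrim but deserves a note next to it, e.g. `# fstrim needs the host PID/network namespaces and a privileged container; namespace must allow PSA level privileged`. Unlike the other hunks no `seccompProfile` is added here; container runtimes generally run privileged containers unconfined regardless, so the omission is consistent rather than a gap, but saying so in a comment would stop the next reviewer from "fixing" it.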
     persistence:
       netfs:
         globalMounts:
         - path: /host/net
           readOnly: true
         hostPath: /sys
--- kubernetes/main/apps/observability/gatus/app Kustomization: flux-system/gatus HelmRelease: observability/gatus

+++ kubernetes/main/apps/observability/gatus/app Kustomization: flux-system/gatus HelmRelease: observability/gatus

@@ -101,23 +101,25 @@

             envFrom:
             - secretRef:
                 name: gatus-secret
             image:
               repository: ghcr.io/onedr0p/postgres-init
               tag: 16
-        pod:
-          dnsConfig:
-            options:
-            - name: ndots
-              value: '1'
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
+    defaultPodOptions:
+      dnsConfig:
+        options:
+        - name: ndots
+          value: '1'
+      securityContext:
+        fsGroup: 65534
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
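Review bot: `fsGroup` moves from 568 to 65534 with `fsGroupChangePolicy: OnRootMismatch` kept, so if gatus has a persistent volume (not shown in this hunk) the kubelet will recursively re-own it to 65534 on the next mount because the root no longer matches, and rolling back to 568 would trigger a second recursive chown. That is a one-way data migration hidden inside a key rename and belongs in the PR description. The `ghcr.io/onedr0p/postgres-init` initContainer above now also runs as 65534, which is only safe if that image does not expect 568. A comment such as `# 65534 (nobody); existing volume data is re-owned via OnRootMismatch on first mount` would make the intent explicit.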
     ingress:
       app:
         annotations:
           external-dns.alpha.kubernetes.io/target: external.devbu.io
         className: external
         hosts:
--- kubernetes/main/apps/default/glauth/app Kustomization: flux-system/glauth HelmRelease: default/glauth

+++ kubernetes/main/apps/default/glauth/app Kustomization: flux-system/glauth HelmRelease: default/glauth

@@ -71,26 +71,28 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            runAsGroup: 65534
-            runAsNonRoot: true
-            runAsUser: 65534
-          topologySpreadConstraints:
-          - labelSelector:
-              matchLabels:
-                app.kubernetes.io/name: glauth
-            maxSkew: 1
-            topologyKey: kubernetes.io/hostname
-            whenUnsatisfiable: DoNotSchedule
         replicas: 3
         strategy: RollingUpdate
+    defaultPodOptions:
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: glauth
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
     persistence:
       config:
         globalMounts:
         - path: /config/groups.toml
           readOnly: true
           subPath: groups.toml
--- kubernetes/main/apps/default/home-assistant/app Kustomization: flux-system/home-assistant HelmRelease: default/home-assistant

+++ kubernetes/main/apps/default/home-assistant/app Kustomization: flux-system/home-assistant HelmRelease: default/home-assistant

@@ -56,19 +56,21 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
+    defaultPodOptions:
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
     ingress:
       app:
         annotations:
           external-dns.alpha.kubernetes.io/target: external.devbu.io
         className: external
         hosts:
--- kubernetes/main/apps/default/frigate/app Kustomization: flux-system/frigate HelmRelease: default/frigate

+++ kubernetes/main/apps/default/frigate/app Kustomization: flux-system/frigate HelmRelease: default/frigate

@@ -77,26 +77,26 @@

                 gpu.intel.com/i915: '1'
                 memory: 8Gi
               requests:
                 cpu: 100m
             securityContext:
               privileged: true
-        pod:
-          affinity:
-            podAntiAffinity:
-              requiredDuringSchedulingIgnoredDuringExecution:
-              - labelSelector:
-                  matchExpressions:
-                  - key: app.kubernetes.io/name
-                    operator: In
-                    values:
-                    - plex
-                topologyKey: kubernetes.io/hostname
-          nodeSelector:
-            google.feature.node.kubernetes.io/coral: 'true'
-            intel.feature.node.kubernetes.io/gpu: 'true'
+    defaultPodOptions:
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: app.kubernetes.io/name
+                operator: In
+                values:
+                - plex
+            topologyKey: kubernetes.io/hostname
+      nodeSelector:
+        google.feature.node.kubernetes.io/coral: 'true'
+        intel.feature.node.kubernetes.io/gpu: 'true'
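Review bot: This is one of the few hunks where the new `defaultPodOptions` carries no `securityContext` at all while the container above stays `privileged: true`, so the pod runs as whatever user the image picks, with no `runAsNonRoot`, no seccomp and every capability. The i915 GPU is already requested through a device-plugin resource (`gpu.intel.com/i915: '1'`), so presumably privileged remains only for the Coral accelerator selected by the `google.feature.node.kubernetes.io/coral` label; that reason should be written down, e.g. `# privileged: required for the Coral TPU device; revisit once it is exposed via a device plugin`. If frigate is meant to stay exempt from the 65534/RuntimeDefault baseline applied elsewhere in this PR, the description should say so.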
     ingress:
       app:
         className: internal
         hosts:
         - host: '{{ .Release.Name }}.devbu.io'
           paths:
--- kubernetes/main/apps/observability/kromgo/app Kustomization: flux-system/kromgo HelmRelease: observability/kromgo

+++ kubernetes/main/apps/observability/kromgo/app Kustomization: flux-system/kromgo HelmRelease: observability/kromgo

@@ -70,26 +70,28 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
-          topologySpreadConstraints:
-          - labelSelector:
-              matchLabels:
-                app.kubernetes.io/name: kromgo
-            maxSkew: 1
-            topologyKey: kubernetes.io/hostname
-            whenUnsatisfiable: DoNotSchedule
         replicas: 3
         strategy: RollingUpdate
+    defaultPodOptions:
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: kromgo
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
     ingress:
       app:
         annotations:
           external-dns.alpha.kubernetes.io/target: external.devbu.io
         className: external
         hosts:
--- kubernetes/main/apps/default/radarr/app Kustomization: flux-system/radarr HelmRelease: default/radarr

+++ kubernetes/main/apps/default/radarr/app Kustomization: flux-system/radarr HelmRelease: default/radarr

@@ -90,21 +90,23 @@

             envFrom:
             - secretRef:
                 name: radarr-secret
             image:
               repository: ghcr.io/onedr0p/postgres-init
               tag: 16
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
-            supplementalGroups:
-            - 10000
+    defaultPodOptions:
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
+        supplementalGroups:
+        - 10000
     ingress:
       app:
         className: internal
         hosts:
         - host: '{{ .Release.Name }}.devbu.io'
           paths:
--- kubernetes/main/apps/default/plex/app Kustomization: flux-system/plex HelmRelease: default/plex

+++ kubernetes/main/apps/default/plex/app Kustomization: flux-system/plex HelmRelease: default/plex

@@ -79,34 +79,36 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          affinity:
-            podAntiAffinity:
-              requiredDuringSchedulingIgnoredDuringExecution:
-              - labelSelector:
-                  matchExpressions:
-                  - key: app.kubernetes.io/name
-                    operator: In
-                    values:
-                    - frigate
-                topologyKey: kubernetes.io/hostname
-          nodeSelector:
-            intel.feature.node.kubernetes.io/gpu: 'true'
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
-            supplementalGroups:
-            - 44
-            - 10000
+    defaultPodOptions:
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: app.kubernetes.io/name
+                operator: In
+                values:
+                - frigate
+            topologyKey: kubernetes.io/hostname
+      nodeSelector:
+        intel.feature.node.kubernetes.io/gpu: 'true'
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
+        supplementalGroups:
+        - 44
+        - 10000
     ingress:
       app:
         annotations:
           external-dns.alpha.kubernetes.io/target: external.devbu.io
           nginx.ingress.kubernetes.io/backend-protocol: HTTPS
         className: external
--- kubernetes/main/apps/default/miniflux/app Kustomization: flux-system/miniflux HelmRelease: default/miniflux

+++ kubernetes/main/apps/default/miniflux/app Kustomization: flux-system/miniflux HelmRelease: default/miniflux

@@ -93,26 +93,28 @@

             envFrom:
             - secretRef:
                 name: miniflux-secret
             image:
               repository: ghcr.io/onedr0p/postgres-init
               tag: 16
-        pod:
-          securityContext:
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
-          topologySpreadConstraints:
-          - labelSelector:
-              matchLabels:
-                app.kubernetes.io/name: miniflux
-            maxSkew: 1
-            topologyKey: kubernetes.io/hostname
-            whenUnsatisfiable: DoNotSchedule
         replicas: 3
         strategy: RollingUpdate
+    defaultPodOptions:
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: miniflux
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
     ingress:
       app:
         annotations:
           external-dns.alpha.kubernetes.io/target: external.devbu.io
         className: external
         hosts:
--- kubernetes/main/apps/default/qbittorrent/app Kustomization: flux-system/qbittorrent HelmRelease: default/qbittorrent

+++ kubernetes/main/apps/default/qbittorrent/app Kustomization: flux-system/qbittorrent HelmRelease: default/qbittorrent

@@ -87,20 +87,23 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsUser: 568
-            supplementalGroups:
-            - 10000
+    defaultPodOptions:
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
+        supplementalGroups:
+        - 10000
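Review bot: The new block adds `runAsNonRoot: true`, which the removed `pod.securityContext` did not have (it set only runAsUser/runAsGroup 568), so this hunk tightens the pod beyond the key rename in the title. With an explicit numeric `runAsUser: 568` the kubelet enforces the check without inspecting the image's USER, so the change is safe, but it should be called out in the PR description as an intentional hardening. `fsGroup: 568` and the `10000` supplemental group are carried over unchanged.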
     ingress:
       app:
         className: internal
         hosts:
         - host: qb.devbu.io
           paths:
--- kubernetes/main/apps/default/recyclarr/app Kustomization: flux-system/recyclarr HelmRelease: default/recyclarr

+++ kubernetes/main/apps/default/recyclarr/app Kustomization: flux-system/recyclarr HelmRelease: default/recyclarr

@@ -61,20 +61,22 @@

                 - ALL
               readOnlyRootFilesystem: true
         cronjob:
           failedJobsHistory: 1
           schedule: '@daily'
           successfulJobsHistory: 1
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
         type: cronjob
+    defaultPodOptions:
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
     persistence:
       config:
         existingClaim: recyclarr
       config-file:
         globalMounts:
         - path: /config/recyclarr.yml
--- kubernetes/main/apps/default/overseerr/app Kustomization: flux-system/overseerr HelmRelease: default/overseerr

+++ kubernetes/main/apps/default/overseerr/app Kustomization: flux-system/overseerr HelmRelease: default/overseerr

@@ -76,19 +76,21 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
+    defaultPodOptions:
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
     ingress:
       app:
         annotations:
           external-dns.alpha.kubernetes.io/target: external.devbu.io
         className: external
         hosts:
--- kubernetes/main/apps/default/prowlarr/app Kustomization: flux-system/prowlarr HelmRelease: default/prowlarr

+++ kubernetes/main/apps/default/prowlarr/app Kustomization: flux-system/prowlarr HelmRelease: default/prowlarr

@@ -85,19 +85,21 @@

             envFrom:
             - secretRef:
                 name: prowlarr-secret
             image:
               repository: ghcr.io/onedr0p/postgres-init
               tag: 16
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
+    defaultPodOptions:
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
     ingress:
       app:
         className: internal
         hosts:
         - host: '{{ .Release.Name }}.devbu.io'
           paths:
--- kubernetes/main/apps/default/qbittorrent/tools Kustomization: flux-system/qbittorrent-tools HelmRelease: default/qbtools

+++ kubernetes/main/apps/default/qbittorrent/tools Kustomization: flux-system/qbittorrent-tools HelmRelease: default/qbtools

@@ -65,16 +65,12 @@

           failedJobsHistory: 1
           schedule: '@daily'
           successfulJobsHistory: 1
           timeZone: America/New_York
         pod:
           restartPolicy: OnFailure
-          securityContext:
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
         type: cronjob
       reannounce:
         containers:
           app:
             args:
             - reannounce
@@ -94,17 +90,12 @@

               tag: v0.15.1@sha256:dc8957554902738837d1d0a6b4c4af5e27e1454341b0d9df5992be51cc1ecd65
             resources:
               limits:
                 memory: 256M
               requests:
                 cpu: 25m
-        pod:
-          securityContext:
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
       tagging:
         containers:
           expired:
             args:
             - prune
             - --exclude-category
@@ -200,17 +191,20 @@

               limits:
                 memory: 256M
               requests:
                 cpu: 25m
         pod:
           restartPolicy: OnFailure
-          securityContext:
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
         type: cronjob
+    defaultPodOptions:
+      securityContext:
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
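Review bot: The three per-controller `securityContext` blocks are collapsed into one release-wide `defaultPodOptions`, while `restartPolicy: OnFailure` stays on the individual cronjob controllers (the `pod:` lines at the start of the first and third hunks); that split is correct but not obvious, so a comment above `defaultPodOptions` such as `# shared by every controller in this release; per-controller pod: blocks only set restartPolicy` would help. Any controller added later without its own `pod.securityContext` now inherits 568 plus RuntimeDefault, which is the right direction. The `reannounce` controller (second hunk) had no `restartPolicy` before either, so its behaviour is unchanged, but it is worth confirming that it is meant to differ from the other two.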
     persistence:
       media:
         advancedMounts:
           orphaned:
             app:
             - path: /media
--- kubernetes/main/apps/default/sabnzbd/app Kustomization: flux-system/sabnzbd HelmRelease: default/sabnzbd

+++ kubernetes/main/apps/default/sabnzbd/app Kustomization: flux-system/sabnzbd HelmRelease: default/sabnzbd

@@ -81,21 +81,23 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
-            supplementalGroups:
-            - 10000
+    defaultPodOptions:
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
+        supplementalGroups:
+        - 10000
     ingress:
       app:
         className: internal
         hosts:
         - host: sab.devbu.io
           paths:
--- kubernetes/main/apps/default/smtp-relay/app Kustomization: flux-system/smtp-relay HelmRelease: default/smtp-relay

+++ kubernetes/main/apps/default/smtp-relay/app Kustomization: flux-system/smtp-relay HelmRelease: default/smtp-relay

@@ -56,26 +56,28 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
-          topologySpreadConstraints:
-          - labelSelector:
-              matchLabels:
-                app.kubernetes.io/name: smtp-relay
-            maxSkew: 1
-            topologyKey: kubernetes.io/hostname
-            whenUnsatisfiable: DoNotSchedule
         replicas: 3
         strategy: RollingUpdate
+    defaultPodOptions:
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: smtp-relay
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
     persistence:
       cache:
         globalMounts:
         - path: /cache
         type: emptyDir
       config:
--- kubernetes/main/apps/default/rtlamr2mqtt/app Kustomization: flux-system/rtlamr2mqtt HelmRelease: default/rtlamr2mqtt

+++ kubernetes/main/apps/default/rtlamr2mqtt/app Kustomization: flux-system/rtlamr2mqtt HelmRelease: default/rtlamr2mqtt

@@ -40,15 +40,15 @@

               limits:
                 memory: 256Mi
               requests:
                 cpu: 10m
             securityContext:
               privileged: true
-        pod:
-          nodeSelector:
-            nesdr.feature.node.kubernetes.io/rtlamr: 'true'
+    defaultPodOptions:
+      nodeSelector:
+        nesdr.feature.node.kubernetes.io/rtlamr: 'true'
     persistence:
       config-file:
         globalMounts:
         - path: /etc/rtlamr2mqtt.yaml
           readOnly: true
           subPath: rtlamr2mqtt.yaml
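Review bot: The rtlamr2mqtt container keeps `privileged: true` and the new `defaultPodOptions` block carries only the nodeSelector, so this is the one release in the PR that receives no `runAsNonRoot`/`seccompProfile: RuntimeDefault` hardening at all. A privileged container runs with seccomp Unconfined and the full capability set regardless of any pod-level `securityContext`, so copying the pattern used elsewhere would be a no-op here; the real fix is to drop privilege. The `nesdr.feature.node.kubernetes.io/rtlamr` selector suggests the privilege exists for SDR USB access, but that is inferred, not shown — if so, exposing just the device (a `hostPath` under `/dev/bus/usb` or a generic device plugin) with `privileged: false` gives the same access without root on the node. At minimum add a comment above `privileged: true` recording why this pod must stay privileged, e.g. `# privileged: needed for raw USB access to the RTL-SDR dongle — see <issue>`. The persistence section continues past the hunk.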
--- kubernetes/main/apps/default/sonarr/app Kustomization: flux-system/sonarr HelmRelease: default/sonarr

+++ kubernetes/main/apps/default/sonarr/app Kustomization: flux-system/sonarr HelmRelease: default/sonarr

@@ -90,21 +90,23 @@

             envFrom:
             - secretRef:
                 name: sonarr-secret
             image:
               repository: ghcr.io/onedr0p/postgres-init
               tag: 16
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
-            supplementalGroups:
-            - 10000
+    defaultPodOptions:
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
+        supplementalGroups:
+        - 10000
     ingress:
       app:
         className: internal
         hosts:
         - host: '{{ .Release.Name }}.devbu.io'
           paths:
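Review bot: The `postgres-init` init container in this hunk is pinned only by the mutable tag `16` (`repository: ghcr.io/onedr0p/postgres-init`, `tag: 16`), while the geoipupdate image elsewhere in this same PR is pinned with an `@sha256:` digest. That init container receives `sonarr-secret` through `envFrom`, so anyone able to push a new `16` tag to that registry path gets the database credentials on the next pod start. Pin it the same way as the geoipupdate image, e.g. `tag: 16@sha256:<digest>`, and let the same automation that maintains the other digest keep it current. The new pod-level `runAsNonRoot`/`seccompProfile` settings correctly apply to init containers too, so the `defaultPodOptions` block itself is fine as written.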
--- kubernetes/main/apps/system-upgrade/system-upgrade-controller/app Kustomization: flux-system/system-upgrade-controller HelmRelease: system-upgrade/system-upgrade-controller

+++ kubernetes/main/apps/system-upgrade/system-upgrade-controller/app Kustomization: flux-system/system-upgrade-controller HelmRelease: system-upgrade/system-upgrade-controller

@@ -54,34 +54,36 @@

               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
               seccompProfile:
                 type: RuntimeDefault
-        pod:
-          affinity:
-            nodeAffinity:
-              requiredDuringSchedulingIgnoredDuringExecution:
-                nodeSelectorTerms:
-                - matchExpressions:
-                  - key: node-role.kubernetes.io/control-plane
-                    operator: Exists
-          securityContext:
-            runAsGroup: 65534
-            runAsNonRoot: true
-            runAsUser: 65534
-          tolerations:
-          - key: CriticalAddonsOnly
-            operator: Exists
-          - effect: NoSchedule
-            key: node-role.kubernetes.io/control-plane
-            operator: Exists
-          - effect: NoSchedule
-            key: node-role.kubernetes.io/master
-            operator: Exists
         strategy: RollingUpdate
+    defaultPodOptions:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node-role.kubernetes.io/control-plane
+                operator: Exists
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Exists
     persistence:
       etc-ca-certificates:
         globalMounts:
         - readOnly: true
         hostPath: /etc/ca-certificates
         hostPathType: DirectoryOrCreate
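Review bot: `seccompProfile: RuntimeDefault` is now declared twice for this pod — once at container level (the context lines at the top of the hunk) and again in the new `defaultPodOptions.securityContext`. The container-level setting wins when both are present, so the duplicate is harmless today, but it leaves two places to keep in sync; drop the container-level copy so the pod-level block is the single source of truth, matching the other releases in this PR. Separately, the `/etc/ca-certificates` hostPath below is mounted `readOnly: true` yet declared `hostPathType: DirectoryOrCreate`, which lets the kubelet create an empty directory on the control-plane host if the path is missing — `hostPathType: Directory` would fail the pod instead of silently running with no CA bundle. The persistence section continues past the hunk.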
--- kubernetes/main/apps/default/tautulli/app Kustomization: flux-system/tautulli HelmRelease: default/tautulli

+++ kubernetes/main/apps/default/tautulli/app Kustomization: flux-system/tautulli HelmRelease: default/tautulli

@@ -104,18 +104,21 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsUser: 568
+    defaultPodOptions:
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
     ingress:
       app:
         className: internal
         hosts:
         - host: '{{ .Release.Name }}.devbu.io'
           paths:
--- kubernetes/main/apps/default/thelounge/app Kustomization: flux-system/thelounge HelmRelease: default/thelounge

+++ kubernetes/main/apps/default/thelounge/app Kustomization: flux-system/thelounge HelmRelease: default/thelounge

@@ -56,19 +56,21 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
+    defaultPodOptions:
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
     ingress:
       app:
         className: internal
         hosts:
         - host: '{{ .Release.Name }}.devbu.io'
           paths:
--- kubernetes/main/apps/default/unpackerr/app Kustomization: flux-system/unpackerr HelmRelease: default/unpackerr

+++ kubernetes/main/apps/default/unpackerr/app Kustomization: flux-system/unpackerr HelmRelease: default/unpackerr

@@ -61,21 +61,23 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
-            supplementalGroups:
-            - 10000
+    defaultPodOptions:
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
+        supplementalGroups:
+        - 10000
     persistence:
       logs:
         type: emptyDir
       media:
         globalMounts:
         - path: /media
--- kubernetes/main/apps/observability/unpoller/app Kustomization: flux-system/unpoller HelmRelease: observability/unpoller

+++ kubernetes/main/apps/observability/unpoller/app Kustomization: flux-system/unpoller HelmRelease: observability/unpoller

@@ -58,17 +58,19 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
+    defaultPodOptions:
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
     service:
       app:
         controller: unpoller
         ports:
           http:
             port: 9130
--- kubernetes/main/apps/observability/vector/app Kustomization: flux-system/vector HelmRelease: observability/vector-aggregator

+++ kubernetes/main/apps/observability/vector/app Kustomization: flux-system/vector HelmRelease: observability/vector-aggregator

@@ -54,22 +54,22 @@

             envFrom:
             - secretRef:
                 name: vector-aggregator-secret
             image:
               repository: ghcr.io/maxmind/geoipupdate
               tag: v7.0.1@sha256:80c57598a9ff552953e499cefc589cfe7b563d64262742ea42f2014251b557b0
-        pod:
-          topologySpreadConstraints:
-          - labelSelector:
-              matchLabels:
-                app.kubernetes.io/name: vector-aggregator
-            maxSkew: 1
-            topologyKey: kubernetes.io/hostname
-            whenUnsatisfiable: DoNotSchedule
         replicas: 3
         strategy: RollingUpdate
+    defaultPodOptions:
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: vector-aggregator
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
     persistence:
       config:
         globalMounts:
         - path: /etc/vector/vector.yaml
           readOnly: true
           subPath: vector.yaml
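Review bot: Unlike every other release touched in this PR, the new `defaultPodOptions` for vector-aggregator carries only the topology spread constraint and no `securityContext`, so the rendered pod gets no `runAsNonRoot`, `runAsUser` or `seccompProfile: RuntimeDefault` at pod level. The main container's context is outside the hunk and may set these per container, but the geoipupdate init container visible here shows no such settings and it receives `vector-aggregator-secret`. If the images support it, add `securityContext: {runAsNonRoot: true, runAsUser: 65534, runAsGroup: 65534, seccompProfile: {type: RuntimeDefault}}` alongside the spread constraint, or leave a comment explaining why vector has to differ from the rest. The HelmRelease continues past the hunk.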
--- kubernetes/main/apps/default/zigbee2mqtt/app Kustomization: flux-system/zigbee2mqtt HelmRelease: default/zigbee2mqtt

+++ kubernetes/main/apps/default/zigbee2mqtt/app Kustomization: flux-system/zigbee2mqtt HelmRelease: default/zigbee2mqtt

@@ -91,19 +91,21 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
+    defaultPodOptions:
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
     ingress:
       app:
         className: internal
         hosts:
         - host: zigbee.devbu.io
           paths:
--- kubernetes/main/apps/default/zwave/app Kustomization: flux-system/zwave HelmRelease: default/zwave

+++ kubernetes/main/apps/default/zwave/app Kustomization: flux-system/zwave HelmRelease: default/zwave

@@ -75,18 +75,21 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsUser: 568
+    defaultPodOptions:
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
     ingress:
       app:
         className: internal
         hosts:
         - host: '{{ .Release.Name }}.devbu.io'
           paths:

@bot-ross

bot-ross bot commented Apr 15, 2024

--- HelmRelease: network/cloudflared Deployment: network/cloudflared

+++ HelmRelease: network/cloudflared Deployment: network/cloudflared

@@ -28,15 +28,17 @@

         app.kubernetes.io/name: cloudflared
     spec:
       enableServiceLinks: false
       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
-        runAsGroup: 568
+        runAsGroup: 65534
         runAsNonRoot: true
-        runAsUser: 568
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       topologySpreadConstraints:
       - labelSelector:
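Review bot: The rendered cloudflared pod keeps `serviceAccountName: default` together with `automountServiceAccountToken: true`, so a container that terminates traffic arriving from the internet holds a Kubernetes API token it has no apparent use for. Unless the tunnel needs the API, set `defaultPodOptions.automountServiceAccountToken: false` in the HelmRelease so the rendered pod shows `automountServiceAccountToken: false`. The same `default` + `true` pairing appears in nearly every other rendered Deployment and CronJob in this PR's output, so it is worth sweeping in one follow-up rather than per app. The UID/GID move to 65534 and the added `seccompProfile` are fine for this container.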
--- HelmRelease: observability/alertmanager-silencer CronJob: observability/alertmanager-silencer

+++ HelmRelease: observability/alertmanager-silencer CronJob: observability/alertmanager-silencer

@@ -26,15 +26,17 @@

             app.kubernetes.io/name: alertmanager-silencer
         spec:
           enableServiceLinks: false
           serviceAccountName: default
           automountServiceAccountToken: true
           securityContext:
-            runAsGroup: 568
+            runAsGroup: 65534
             runAsNonRoot: true
-            runAsUser: 568
+            runAsUser: 65534
+            seccompProfile:
+              type: RuntimeDefault
           hostIPC: false
           hostNetwork: false
           hostPID: false
           dnsPolicy: ClusterFirst
           restartPolicy: Never
           containers:
--- HelmRelease: default/autobrr Deployment: default/autobrr

+++ HelmRelease: default/autobrr Deployment: default/autobrr

@@ -28,15 +28,17 @@

         app.kubernetes.io/name: autobrr
     spec:
       enableServiceLinks: false
       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
-        runAsGroup: 568
+        runAsGroup: 65534
         runAsNonRoot: true
-        runAsUser: 568
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       initContainers:
       - envFrom:
--- HelmRelease: default/glauth Deployment: default/glauth

+++ HelmRelease: default/glauth Deployment: default/glauth

@@ -31,12 +31,14 @@

       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
         runAsGroup: 65534
         runAsNonRoot: true
         runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       topologySpreadConstraints:
       - labelSelector:
--- HelmRelease: default/authelia Deployment: default/authelia

+++ HelmRelease: default/authelia Deployment: default/authelia

@@ -28,15 +28,17 @@

         app.kubernetes.io/name: authelia
     spec:
       enableServiceLinks: false
       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
-        runAsGroup: 568
+        runAsGroup: 65534
         runAsNonRoot: true
-        runAsUser: 568
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       topologySpreadConstraints:
       - labelSelector:
--- HelmRelease: observability/gatus Deployment: observability/gatus

+++ HelmRelease: observability/gatus Deployment: observability/gatus

@@ -30,17 +30,19 @@

         app.kubernetes.io/name: gatus
     spec:
       enableServiceLinks: false
       serviceAccountName: gatus
       automountServiceAccountToken: true
       securityContext:
-        fsGroup: 568
+        fsGroup: 65534
         fsGroupChangePolicy: OnRootMismatch
-        runAsGroup: 568
+        runAsGroup: 65534
         runAsNonRoot: true
-        runAsUser: 568
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       dnsConfig:
         options:
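Review bot: Moving `fsGroup` from 568 to 65534 on a pod that keeps `fsGroupChangePolicy: OnRootMismatch` means that on the next start the kubelet will see the group mismatch at the volume root and recursively chgrp and chmod every file on that volume to 65534 — a one-time full walk that can be slow on large volumes and will happen again if the change is rolled back. The presence of `fsGroup` implies a mounted volume, though the volume itself is outside the hunk. Confirm that gatus's on-disk data (presumably its SQLite store) is still openable by uid 65534 afterwards, or keep `runAsUser`/`fsGroup` at the volume's existing owner as the other stateful releases in this PR do.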
--- HelmRelease: default/atuin Deployment: default/atuin

+++ HelmRelease: default/atuin Deployment: default/atuin

@@ -28,21 +28,28 @@

         app.kubernetes.io/name: atuin
     spec:
       enableServiceLinks: false
       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
-        fsGroup: 568
-        fsGroupChangePolicy: OnRootMismatch
-        runAsGroup: 568
+        runAsGroup: 65534
         runAsNonRoot: true
-        runAsUser: 568
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
+      topologySpreadConstraints:
+      - labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: atuin
+        maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
       initContainers:
       - envFrom:
         - secretRef:
             name: atuin-secret
         image: ghcr.io/onedr0p/postgres-init:16
         name: init-db
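Review bot: This rendered hunk removes `fsGroup: 568` and `fsGroupChangePolicy: OnRootMismatch` from the atuin pod while moving the UID to 65534, whereas every other release in this PR that had `fsGroup` keeps it. That is only safe if atuin has no writable volume; its state appears to live in Postgres (the `init-db` init container), but the persistence section is not in the hunk, so please confirm there is no PVC whose files are owned by 568 — if there is, the 65534 process will be unable to write to it. If the drop was deliberate, a one-line comment in the HelmRelease such as `# no fsGroup: atuin has no persistent volume, state lives in Postgres` will stop the next person from re-adding it.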
--- HelmRelease: default/cross-seed Deployment: default/cross-seed

+++ HelmRelease: default/cross-seed Deployment: default/cross-seed

@@ -33,12 +33,14 @@

       securityContext:
         fsGroup: 568
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 568
         runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
         supplementalGroups:
         - 10000
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
--- HelmRelease: database/dragonfly-operator Deployment: database/dragonfly-operator

+++ HelmRelease: database/dragonfly-operator Deployment: database/dragonfly-operator

@@ -31,12 +31,14 @@

       serviceAccountName: dragonfly-operator
       automountServiceAccountToken: true
       securityContext:
         runAsGroup: 65534
         runAsNonRoot: true
         runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       topologySpreadConstraints:
       - labelSelector:
--- HelmRelease: observability/kromgo Deployment: observability/kromgo

+++ HelmRelease: observability/kromgo Deployment: observability/kromgo

@@ -28,15 +28,17 @@

         app.kubernetes.io/name: kromgo
     spec:
       enableServiceLinks: false
       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
-        runAsGroup: 568
+        runAsGroup: 65534
         runAsNonRoot: true
-        runAsUser: 568
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       topologySpreadConstraints:
       - labelSelector:
--- HelmRelease: default/qbtools Deployment: default/qbtools-reannounce

+++ HelmRelease: default/qbtools Deployment: default/qbtools-reannounce

@@ -29,12 +29,14 @@

       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
         runAsGroup: 568
         runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       containers:
       - args:
--- HelmRelease: default/qbtools CronJob: default/qbtools-orphaned

+++ HelmRelease: default/qbtools CronJob: default/qbtools-orphaned

@@ -30,12 +30,14 @@

           serviceAccountName: default
           automountServiceAccountToken: true
           securityContext:
             runAsGroup: 568
             runAsNonRoot: true
             runAsUser: 568
+            seccompProfile:
+              type: RuntimeDefault
           hostIPC: false
           hostNetwork: false
           hostPID: false
           dnsPolicy: ClusterFirst
           restartPolicy: OnFailure
           containers:
--- HelmRelease: default/qbtools CronJob: default/qbtools-tagging

+++ HelmRelease: default/qbtools CronJob: default/qbtools-tagging

@@ -30,12 +30,14 @@

           serviceAccountName: default
           automountServiceAccountToken: true
           securityContext:
             runAsGroup: 568
             runAsNonRoot: true
             runAsUser: 568
+            seccompProfile:
+              type: RuntimeDefault
           hostIPC: false
           hostNetwork: false
           hostPID: false
           dnsPolicy: ClusterFirst
           restartPolicy: OnFailure
           initContainers:
--- HelmRelease: default/miniflux Deployment: default/miniflux

+++ HelmRelease: default/miniflux Deployment: default/miniflux

@@ -28,15 +28,17 @@

         app.kubernetes.io/name: miniflux
     spec:
       enableServiceLinks: false
       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
-        runAsGroup: 568
+        runAsGroup: 65534
         runAsNonRoot: true
-        runAsUser: 568
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       topologySpreadConstraints:
       - labelSelector:
--- HelmRelease: network/echo-server Deployment: network/echo-server

+++ HelmRelease: network/echo-server Deployment: network/echo-server

@@ -29,12 +29,14 @@

       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
         runAsGroup: 65534
         runAsNonRoot: true
         runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       topologySpreadConstraints:
       - labelSelector:
--- HelmRelease: default/prowlarr Deployment: default/prowlarr

+++ HelmRelease: default/prowlarr Deployment: default/prowlarr

@@ -33,12 +33,14 @@

       securityContext:
         fsGroup: 568
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 568
         runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       initContainers:
       - envFrom:
--- HelmRelease: default/radarr Deployment: default/radarr

+++ HelmRelease: default/radarr Deployment: default/radarr

@@ -33,12 +33,14 @@

       securityContext:
         fsGroup: 568
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 568
         runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
         supplementalGroups:
         - 10000
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
--- HelmRelease: default/thelounge Deployment: default/thelounge

+++ HelmRelease: default/thelounge Deployment: default/thelounge

@@ -33,12 +33,14 @@

       securityContext:
         fsGroup: 568
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 568
         runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       containers:
       - env:
--- HelmRelease: default/sonarr Deployment: default/sonarr

+++ HelmRelease: default/sonarr Deployment: default/sonarr

@@ -33,12 +33,14 @@

       securityContext:
         fsGroup: 568
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 568
         runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
         supplementalGroups:
         - 10000
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
--- HelmRelease: default/home-assistant Deployment: default/home-assistant

+++ HelmRelease: default/home-assistant Deployment: default/home-assistant

@@ -33,12 +33,14 @@

       securityContext:
         fsGroup: 568
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 568
         runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       containers:
       - env:
--- HelmRelease: default/smtp-relay Deployment: default/smtp-relay

+++ HelmRelease: default/smtp-relay Deployment: default/smtp-relay

@@ -28,15 +28,17 @@

         app.kubernetes.io/name: smtp-relay
     spec:
       enableServiceLinks: false
       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
-        runAsGroup: 568
+        runAsGroup: 65534
         runAsNonRoot: true
-        runAsUser: 568
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       topologySpreadConstraints:
       - labelSelector:
--- HelmRelease: default/overseerr Deployment: default/overseerr

+++ HelmRelease: default/overseerr Deployment: default/overseerr

@@ -33,12 +33,14 @@

       securityContext:
         fsGroup: 568
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 568
         runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       containers:
       - env:
--- HelmRelease: observability/unpoller Deployment: observability/unpoller

+++ HelmRelease: observability/unpoller Deployment: observability/unpoller

@@ -26,15 +26,17 @@

         app.kubernetes.io/name: unpoller
     spec:
       enableServiceLinks: false
       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
-        runAsGroup: 568
+        runAsGroup: 65534
         runAsNonRoot: true
-        runAsUser: 568
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       containers:
       - env:
--- HelmRelease: default/unpackerr Deployment: default/unpackerr

+++ HelmRelease: default/unpackerr Deployment: default/unpackerr

@@ -33,12 +33,14 @@

       securityContext:
         fsGroup: 568
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 568
         runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
         supplementalGroups:
         - 10000
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
--- HelmRelease: default/tautulli Deployment: default/tautulli

+++ HelmRelease: default/tautulli Deployment: default/tautulli

@@ -31,13 +31,16 @@

       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 568
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 568
+        runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       containers:
       - args:
--- HelmRelease: default/plex Deployment: default/plex

+++ HelmRelease: default/plex Deployment: default/plex

@@ -33,12 +33,14 @@

       securityContext:
         fsGroup: 568
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 568
         runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
         supplementalGroups:
         - 44
         - 10000
       hostIPC: false
       hostNetwork: false
       hostPID: false
--- HelmRelease: default/qbittorrent Deployment: default/qbittorrent

+++ HelmRelease: default/qbittorrent Deployment: default/qbittorrent

@@ -31,13 +31,16 @@

       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 568
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 568
+        runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
         supplementalGroups:
         - 10000
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
--- HelmRelease: default/sabnzbd Deployment: default/sabnzbd

+++ HelmRelease: default/sabnzbd Deployment: default/sabnzbd

@@ -33,12 +33,14 @@

       securityContext:
         fsGroup: 568
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 568
         runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
         supplementalGroups:
         - 10000
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
--- HelmRelease: default/zigbee2mqtt Deployment: default/zigbee2mqtt

+++ HelmRelease: default/zigbee2mqtt Deployment: default/zigbee2mqtt

@@ -33,12 +33,14 @@

       securityContext:
         fsGroup: 568
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 568
         runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       containers:
       - env:
--- HelmRelease: default/recyclarr CronJob: default/recyclarr

+++ HelmRelease: default/recyclarr CronJob: default/recyclarr

@@ -33,12 +33,14 @@

           securityContext:
             fsGroup: 568
             fsGroupChangePolicy: OnRootMismatch
             runAsGroup: 568
             runAsNonRoot: true
             runAsUser: 568
+            seccompProfile:
+              type: RuntimeDefault
           hostIPC: false
           hostNetwork: false
           hostPID: false
           dnsPolicy: ClusterFirst
           restartPolicy: Never
           containers:
--- HelmRelease: default/zwave Deployment: default/zwave

+++ HelmRelease: default/zwave Deployment: default/zwave

@@ -31,13 +31,16 @@

       serviceAccountName: default
       automountServiceAccountToken: true
       securityContext:
         fsGroup: 568
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 568
+        runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       containers:
       - env:
--- HelmRelease: system-upgrade/system-upgrade-controller Deployment: system-upgrade/system-upgrade-controller

+++ HelmRelease: system-upgrade/system-upgrade-controller Deployment: system-upgrade/system-upgrade-controller

@@ -31,12 +31,14 @@

       serviceAccountName: system-upgrade
       automountServiceAccountToken: true
       securityContext:
         runAsGroup: 65534
         runAsNonRoot: true
         runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       affinity:
         nodeAffinity:

Signed-off-by: Devin Buhl <devin@buhl.casa>
Signed-off-by: Devin Buhl <devin@buhl.casa>
@bot-ross

bot-ross bot commented Apr 15, 2024

--- kubernetes/storage/apps/default/filebrowser/app Kustomization: flux-system/filebrowser HelmRelease: default/filebrowser

+++ kubernetes/storage/apps/default/filebrowser/app Kustomization: flux-system/filebrowser HelmRelease: default/filebrowser

@@ -75,21 +75,23 @@

             securityContext:
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
-        pod:
-          securityContext:
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-            runAsGroup: 568
-            runAsNonRoot: true
-            runAsUser: 568
-            supplementalGroups:
-            - 10000
+    defaultPodOptions:
+      securityContext:
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 568
+        runAsNonRoot: true
+        runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
+        supplementalGroups:
+        - 10000
     ingress:
       app:
         className: internal
         hosts:
         - host: '{{ .Release.Name }}.turbo.ac'
           paths:
--- kubernetes/storage/apps/system-upgrade/system-upgrade-controller/app Kustomization: flux-system/system-upgrade-controller HelmRelease: system-upgrade/system-upgrade-controller

+++ kubernetes/storage/apps/system-upgrade/system-upgrade-controller/app Kustomization: flux-system/system-upgrade-controller HelmRelease: system-upgrade/system-upgrade-controller

@@ -56,34 +56,36 @@

               capabilities:
                 drop:
                 - ALL
               readOnlyRootFilesystem: true
               seccompProfile:
                 type: RuntimeDefault
-        pod:
-          affinity:
-            nodeAffinity:
-              requiredDuringSchedulingIgnoredDuringExecution:
-                nodeSelectorTerms:
-                - matchExpressions:
-                  - key: node-role.kubernetes.io/control-plane
-                    operator: Exists
-          securityContext:
-            runAsGroup: 65534
-            runAsNonRoot: true
-            runAsUser: 65534
-          tolerations:
-          - key: CriticalAddonsOnly
-            operator: Exists
-          - effect: NoSchedule
-            key: node-role.kubernetes.io/control-plane
-            operator: Exists
-          - effect: NoSchedule
-            key: node-role.kubernetes.io/master
-            operator: Exists
         strategy: RollingUpdate
+    defaultPodOptions:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node-role.kubernetes.io/control-plane
+                operator: Exists
+      securityContext:
+        runAsGroup: 65534
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Exists
     persistence:
       etc-ca-certificates:
         globalMounts:
         - readOnly: true
         hostPath: /etc/ca-certificates
         hostPathType: DirectoryOrCreate
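Review bot: The RuntimeDefault seccompProfile is now declared twice in this release — on the container securityContext at the top of the hunk (the existing `seccompProfile: type: RuntimeDefault` context lines) and again under the new `defaultPodOptions.securityContext`. Container-level securityContext fields take precedence over the pod-level ones, so the duplicate is harmless today, but it is a second place to keep in sync if the profile ever changes; since this PR makes `defaultPodOptions` the release-wide default, the container-level copy could be dropped. Note too that `defaultPodOptions` presumably applies to every controller in the HelmRelease, so the control-plane nodeAffinity and tolerations moved here will also constrain any controller added to this release later; a short comment such as `# control-plane placement applies to all controllers in this release` would make that intent explicit. The enclosing controllers block begins outside the hunk.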


bot-ross bot commented Apr 15, 2024

--- HelmRelease: system-upgrade/system-upgrade-controller Deployment: system-upgrade/system-upgrade-controller

+++ HelmRelease: system-upgrade/system-upgrade-controller Deployment: system-upgrade/system-upgrade-controller

@@ -33,12 +33,14 @@

       serviceAccountName: system-upgrade
       automountServiceAccountToken: true
       securityContext:
         runAsGroup: 65534
         runAsNonRoot: true
         runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst
       affinity:
         nodeAffinity:
--- HelmRelease: default/filebrowser Deployment: default/filebrowser

+++ HelmRelease: default/filebrowser Deployment: default/filebrowser

@@ -33,12 +33,14 @@

       securityContext:
         fsGroup: 568
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 568
         runAsNonRoot: true
         runAsUser: 568
+        seccompProfile:
+          type: RuntimeDefault
         supplementalGroups:
         - 10000
       hostIPC: false
       hostNetwork: false
       hostPID: false
       dnsPolicy: ClusterFirst

Signed-off-by: Devin Buhl <devin@buhl.casa>
@onedr0p onedr0p merged commit bfc3a5b into main Apr 15, 2024
13 checks passed
@onedr0p onedr0p deleted the default-sectext branch April 15, 2024 13:59
Labels
area/kubernetes Changes made in the kubernetes directory cluster/main cluster/storage